Configuring the Jamf PKI Proxy and Venafi TPP Connection

After installing the Jamf PKI Proxy, you must configure settings in Jamf Pro to enable communication between Jamf Pro and Venafi TPP.
If you are using Docker, the process for configuring the Jamf PKI Proxy varies between Linux and Windows:
  • Docker for LinuxIf you are using Docker for Linux, replace every instance of jamf-pki-proxy in the commands below with the following:
    docker run -v ~/.jamf/:/.jamf -v /etc/ssl:/etc/ssl:ro -p 443:443 jamfllc /jamf-pki-proxy:latest
  • Docker Desktop for Windows Using PowerShellIf you are using Docker Desktop for Windows, replace every instance of jamf-pki-proxy in the commands below with the following:
    docker run -v $env:LOCALAPPDATA\Jamf\:/.jamf -p 9443:9443 jamfllc/jamf-pki-proxy:latest

  1. The Jamf PKI Proxy will need to be configured on the server where it was installed. View available configurations by running the following command:
    jamf-pki-proxy config list
    Additional configuration options are available. To learn more, execute help commands similar to the following:
    jamf-pki-proxy --help
    jamf-pki-proxy config --help
    jamf-pki-proxy config set --help
  2. Execute a command similar to the following to set the host of the Venafi TPP server:
    jamf-pki-proxy config set --venafi-host

    The host for the Venafi TPP server should be a fully qualified domain name. Using an IP address is not recommended.

  3. Log in to Jamf Pro.
  4. In Jamf Pro, click Settings in the top-right corner of the page.
  5. In the Global Management section, click PKI Certificates .
  6. On the Certificate Authorities tab, click Configure New Certificate Authority.
  7. Select Venafi, and click Next.
  8. Enter a name for the Venafi CA configuration, and click Save and Continue.
  9. On the Set Up PKI ProxyJamf pane in Jamf Pro, download the .pem certificate file.

    The .pem file contains a public key that is used for mutual authentication between the Jamf PKI Proxy and Jamf Pro.


    If you exit the assistant, your progress will be saved. You can navigate back to this newly created CA later if needed and make any modifications necessary.

  10. Rename the .pem file as authorized.pem and place it in the following directory on the Jamf PKI Proxy host:
    • Linux: ~/.jamf

    • Windows: C:\Users\<user>\AppData\Local\Jamf

  11. Configure the certificate for the Jamf PKI Proxy.

    To establish mTLS communication with Jamf Pro, the Jamf PKI Proxy requires a public and private key, which must must be named pub.pem and key.pem, respectively. It is recommended that a certificate issued from a trusted external CA is used.

    If you are obtaining certificates from an external CA, the certificates must be in PKCS8 format. You must provide a decrypted version of the private key for key.pem. The command to decrypt the private key:

    openssl rsa -in /path/to/encrypted-private-key.pem -out /path/to/key.pem

    If you cannot obtain a certificate issued from a trusted external CA, an alternative option is to generate a self-signed certificate. To generate a self-signed certificate, execute the following command on Linux or Windows:

    ./jamf-pki-proxy certificate generate --hostname host
    • The <host> should be a fully qualified domain name. Using an IP address is not recommended.

    • The certificate can be an externally issued certificate or a self-signed certificate. All .pem files in the following directories must have file permissions set to 600:

      • Linux: ~/.jamf

      • Windows: C:\Users\user\AppData\Local\Jamf

  12. After installing and configuring the Jamf PKI Proxy, return to the Set Up Jamf PKI Proxy pane in Jamf Pro, and click Next.
  13. In the Venafi CA settings, click Edit.
  14. In the Jamf PKI Proxy Address field, enter the host address.
  15. Deselect the Enable checkbox for Automatic Certificate Revocation if you do not want to revoke certificates automatically.

    For more information, see "Revoking Venafi Certificates" in the Integrating with Venafi Using Jamf Pro technical paper.

  16. Leave the Jamf Pro Public Key field as is.

    The Jamf Pro Public Key is the .pem file you downloaded earlier. The Download and Reissue buttons should not be needed for initial setup.

  17. In the Jamf PKI Proxy Public Key field, upload the public key pub.pem file into Jamf Pro.

    The pub.pem is located on the Jamf PKI Proxy host server at the following locations:

    • Linux: ~/.jamf

    • Windows: C:\Users\user\AppData\Local\Jamf

  18. In the Venafi Trust Protection Platform Credentials area, select one of the following authentication methods depending on the version of Venafi TPP you are using:
    • Token AuthenticationCoordinate with your Venafi TPP administrator to create the API integration and obtain the appropriate data for the integration. The scope of the API integration must be certificate:manage,revoke. After you have the required values, enter them in Jamf Pro as follows:
      • Client IDDepending on your configuration, enter either the Application ID of the API integration, or the access_token value.
      • Venafi Refresh TokenEnter the refresh_token value.
    • Username & Password AuthenticationEnter the appropriate Username and Password for Venafi TPP.
  19. Click Save.
  20. Go to the host of the Jamf PKI Proxy and execute the following command to start the service:
    jamf-pki-proxy start
    You can also start the Jamf PKI Proxy and listen on a port other than the one configured by executing the following command:
    jamf-pki-proxy start --proxy-listener :443
  21. In Jamf Pro, refresh the Venafi settings page to test the connection.
A banner with the connection test result will be displayed at the top of the page.

The connection is automatically tested when you do any of the following:

  • Navigate to the page from a different page.

  • Leave editing the page by clicking Save or Cancel.

  • Refresh the read-only page.

Information banners will display the current connection status at the top of the page.