Configuring Certificates for the Jamf SCCM Plug-in 3.40 or Later Using a Standalone Certificate Authority

This article explains how to create and configure certificates using a standalone certificate authority (CA) for the Jamf SCCM plug-in 3.40 or later.

One or more certificates must be configured before you install the Jamf SCCM Proxy plug-in 3.40 or later. The following table shows the required certificates and the servers on which they must exist:

Certificate Jamf SCCM Proxy Service Server SCCM Server
ISV Proxy Certificate ✔ (Requires private key)
CA Certificate Chain

Creating an ISV proxy certificate using a standalone CA involves the following steps:

  1. Downloading and modifying the .inf file for creating the certificate signing request (CSR)

  2. Creating the CSR

  3. Submitting the CSR to the CA to create a certificate

  4. Exporting the CA certificate chain

  5. Importing the CA certificate chain and the ISV certificate

  6. Creating an ISV proxy certificate from the installed certificate

  7. Copying the ISV proxy certificate to the SCCM server

  8. Registering the ISV proxy certificate with SCCM

General Requirements

Configuring certificates using a standalone CA for the Jamf SCCM plug-in involves creating an ISV proxy certificate.

To do this, you need:

  • A standalone CA that is not integrated with your SCCM environment

  • A PKI certificate with a SHA-2 signature algorithm

  • A Windows computer with the Certification Authority snap-in

  • Console access to the SCCM server

  • Administrative rights to the SCCM Console

Step 1: Downloading and Modifying the .inf File for Creating the CSR

  1. Download the .inf file.
  2. In the .inf file, modify the following variables to include the settings you want to use.
    Note: The variables are indicated by double square brackets ([[ ]]).

    • Subject: Modify this variable to include the fully qualified domain name (FQDN) of the Jamf SCCM Proxy Service host computer.
    • Friendly Name: Modify this variable as follows:
      • For 3.51 or earlier: "JSS SCCM Proxy Certificate"
      • For 3.60.0 or later: "Jamf SCCM Proxy Certificate"
    • Provider Name: Modify this variable to include the name of the Cryptographic Service Provider (CSP) that you want to use. For a list of all CSPs, execute the following command:
      certutil -csplist
    • Provider Type: Modify this variable to include the CSP type you want to use. For a list of all CSPs with supported hash algorithms, execute the following command:
      certutil -csplist -v | more

Step 2: Creating the CSR

  1. Copy the .inf file to the computer on which you plan to install the Jamf SCCM Proxy Service.
  2. Create the CSR by executing the following command:
    certreq -new Standalone-CA-ISV-Request.inf Standalone-CA-ISV-Request.req

Step 3: Submitting the CSR to the CA to Create a Certificate

Follow the steps needed to create a certificate.
Note: The steps needed to create a certificate vary depending on your environment.

For example, if you are using a standalone Microsoft CA, use steps similar to the following:

  1. Copy the Standalone-CA-ISV-Request.req file to the CA server.
  2. Execute the following command to create the ISV certificate, selecting the CA to sign it if prompted:
    certreq -submit Standalone-CA-ISV-Request.req isv.cer
  3. Copy the isv.cer file to the computer you used to create the CSR and on which you plan to install the Jamf SCCM Proxy Service.

Step 4: Exporting the CA Certificate Chain

  1. Export the CA certificate used to sign the isv.cer by executing the following command:
    certutil -ca.chain ca.cer
  2. Copy the ca.cer file to the computer on which you plan to install the Jamf SCCM Proxy Service.

Step 5: Importing the CA Certificate Chain and the ISV Certificate

  1. On the computer on which you plan to install the Jamf SCCM Proxy Service, open Microsoft Management Console (MMC).
  2. From the menu bar, choose File > Add/Remove Snap-in.
  3. Select Certificates in the list of snap-ins and click the Add button.

  4. Select the Computer account option and click Next.
  5. Select the Local computer (the computer this console is running on) option.
  6. Click Finish and click OK. The certificate is displayed below the Console Root folder in the sidebar.
  7. Expand the Certificates (Local Computer) heading.
  8. Expand the Trusted Root Certification Authorities heading.
  9. Right-click the Certificates folder, select All Tasks > Import, and then select the ca.cer file.

  10. Expand the Personal heading.
  11. Right-click the Certificates folder, select All Tasks > Import, and then select the isv.cer file.

Step 6: Creating an ISV Proxy Certificate from the Installed Certificate

  1. Right-click the newly imported certificate (identified by the friendly name) and select All Tasks > Export.
  2. Follow the onscreen instructions to export the certificate as a DER-encoded .cer file.
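
The following PowerShell check is an added example, not part of Jamf's instructions or tooling. It confirms that the certificate imported in Step 5 meets the requirements stated above (private key on the proxy host, SHA-2 signature, FQDN in the subject, CA chain trusted) before the certificate is exported and registered. The friendly name shown and the use of this host's own FQDN are assumptions; adjust them to the values used in your .inf file.

```powershell
# Added example. Run in an elevated PowerShell session on the
# Jamf SCCM Proxy Service host after Step 5.
$friendlyName = 'Jamf SCCM Proxy Certificate'   # assumption: 3.60.0 or later value from Step 1
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: Subject uses this host's FQDN

# OIDs of SHA-2 signature algorithms (RSA and ECDSA with SHA-256/384/512).
$sha2Oids = @(
    '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13',
    '1.2.840.10045.4.3.2',   '1.2.840.10045.4.3.3',   '1.2.840.10045.4.3.4'
)

# Locate the imported certificate in the Personal store of the computer account.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate named '$friendlyName' in LocalMachine\My, found $($found.Count)."
}
$cert = $found[0]

# Build the chain against the local stores; success confirms ca.cer is in Trusted Root.
# Revocation checking is off on the assumption that the standalone CA's CRL
# is not reachable from this host.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

$now = Get-Date
$checks = [ordered]@{
    'Private key present'      = $cert.HasPrivateKey
    'SHA-2 signature'          = $sha2Oids -contains $cert.SignatureAlgorithm.Value
    'Subject contains FQDN'    = $cert.Subject -like "*$fqdn*"
    'Within validity period'   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    'Chains to a trusted root' = $chainOk
}

# Print one line per check, then any chain errors and the thumbprint for reference.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  chain: $($_.StatusInformation.Trim())" }
}
"Thumbprint: $($cert.Thumbprint)"

if ($checks.Values -contains $false) {
    throw 'Certificate does not meet the requirements; do not export or register it.'
}
```

The .cer file exported in Step 6 contains only the public certificate, so the private key stays on the Jamf SCCM Proxy Service host.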

Step 7: Copying the ISV Proxy Certificate to the SCCM Server

If you created the ISV proxy certificate on a server other than the SCCM server, copy the ISV proxy certificate (.cer) to the SCCM server. You can skip this step if you created the ISV proxy certificate on the SCCM server.

Step 8: Registering the ISV Proxy Certificate with SCCM

  1. On the SCCM server, open SCCM and click the Administration category in the sidebar.
  2. Expand the Security folder.
  3. Click the Certificates heading and then click the Register or Renew ISV Proxy button.

  4. In the Register or Renew ISV Proxy dialog, select the Register certificate for a new ISV proxy option and browse for the ISV proxy certificate (.cer).

  5. Click OK to close the Register or Renew ISV Proxy dialog.
  6. Take note of the certificate GUID for the ISV proxy certificate. You will need to enter this when you install the Jamf SCCM Proxy Service.
    Note: If the Certificate GUID column is not displayed, right-click the column header and select Certificate GUID.