Configuring Self-Signed Certificates for the Jamf SCCM Plug-in 3.40 or Later

This article explains how to create and configure self-signed certificates for the Jamf SCCM plug-in 3.40 or later.

Before installing the Jamf SCCM Proxy plug-in 3.40 or later, you must configure an ISV proxy certificate. The following table shows the servers on which the ISV proxy certificate must exist:

Certificate              Jamf SCCM Proxy Service      SCCM Server
ISV Proxy Certificate    ✔ (Requires private key)

This article contains only one method of configuring a self-signed certificate. If you use a different method, be aware that there are specific attributes a certificate signing request (CSR) must have.

Configuring a self-signed certificate involves the following steps:

  1. Downloading and modifying the .inf file for creating the CSR

  2. Creating the CSR and self-signed certificate

  3. Creating an ISV proxy certificate from the installed certificate

  4. Copying the ISV proxy certificate to the SCCM server

  5. Registering the ISV proxy certificate with SCCM

General Requirements

Configuring a self-signed certificate for the Jamf SCCM plug-in involves creating an ISV proxy certificate.

To do this, you need:

  • A PKI certificate with a SHA-2 signature algorithm

  • A Windows computer with the Certification Authority snap-in

  • Console access to the SCCM server

  • Administrative rights to the SCCM Console

Step 1: Downloading and Modifying the .inf File For Creating the CSR

  1. Download the .inf file.
  2. In the .inf file, modify the following variables to include the settings you want to use.

    The variables are indicated by double square brackets ([[ ]]).

    • Subject: Modify this variable to include the fully qualified domain name (FQDN) of the Jamf SCCM Proxy Service host computer.
    • Friendly Name: Modify this variable as follows:
      • For 3.51 or earlier: "JSS SCCM Proxy Certificate"
      • For 3.60.0 or later: "Jamf SCCM Proxy Certificate"
    • Provider Name: This variable is preset, but you may need to modify it for your environment if you use a different Cryptographic Service Provider (CSP). For a list of all CSPs, execute the following command:
      certutil -csplist

Step 2: Creating the CSR and the Self-Signed Certificate

  1. Copy the .inf file to the Jamf SCCM Proxy Service host computer.
  2. Create the CSR and a self-signed certificate that will be automatically imported to your personal certificate store by executing the following command:
    certreq -new Self-Signed-ISV-Request.inf Self-Signed-ISV-Request.req
    The certificate is automatically installed.

    Because this is a self-signed certificate, the issuing authority is not trusted and a red X appears on the certificate. The certificate does not need to be trusted for it to work with SCCM 2012 as a proxy certificate.

Step 3: Creating an ISV Proxy Certificate from the Installed Certificate

  1. On the Jamf SCCM Proxy Service host computer, open Microsoft Management Console (MMC).
  2. From the menu bar, choose File > Add/Remove Snap-in.
  3. Select Certificates in the list of snap-ins and click the Add button.

  4. Select the Computer account option and click Next.
  5. Select the Local computer (the computer this console is running on) option.
  6. Click Finish and click OK. The certificate is displayed below the Console Root folder in the sidebar.
  7. Expand the Certificates (Local Computer) heading.
  8. Select the personal certificates store.
  9. Right-click the newly created certificate (identified by the friendly name) and select All Tasks > Export.

  10. Follow the onscreen instructions to export the certificate as a DER-encoded .cer file.

Step 4: Copying the ISV Proxy Certificate to the SCCM Server

If you created the ISV proxy certificate on a server other than the SCCM server, copy the ISV proxy certificate (.cer) to the SCCM server. You can skip this step if you created the ISV proxy certificate on the SCCM server.
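
The following PowerShell script is an added example, not part of the original Jamf procedure. It performs the Step 3 export from the command line after checking the certificate against the requirements above (friendly name, private key on the proxy host, SHA-2 signature), and prints a file hash for verifying the copy made in Step 4. The output path is a hypothetical placeholder, and the script assumes the certificate is in the Local Computer personal store, as in Step 3.

```powershell
# Added example: run on the Jamf SCCM Proxy Service host after Step 2.
# Use 'JSS SCCM Proxy Certificate' for plug-in 3.51 or earlier.
$friendlyName = 'Jamf SCCM Proxy Certificate'
$outFile      = 'C:\Temp\ISV-Proxy.cer'   # hypothetical path; the folder must exist

# Step 3 picks the certificate from Certificates (Local Computer) > Personal.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($found.Count -ne 1) {
    # Zero means Step 2 did not install it here; more than one means a stale
    # certificate with the same friendly name could be exported by mistake.
    throw "Expected exactly one certificate named '$friendlyName', found $($found.Count)."
}
$cert = $found[0]

# The proxy service host is the computer that requires the private key.
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no associated private key on this computer.'
}

# General Requirements: SHA-2 signature algorithm (for example sha256RSA).
# RSASSA-PSS signatures report a different name and need a manual check.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -notmatch 'sha(256|384|512)') {
    throw "Signature algorithm '$sigAlg' is not recognised as SHA-2."
}

if ($cert.NotAfter -lt (Get-Date)) {
    throw "The certificate expired on $($cert.NotAfter)."
}

# -Type CERT writes a DER-encoded .cer file containing the public certificate
# only; the private key stays on the proxy service host.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    SignatureAlgorithm = $sigAlg
    NotAfter           = $cert.NotAfter
    ExportedFile       = $outFile
    FileSha256         = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
}
```

After copying the .cer file to the SCCM server, run Get-FileHash on the copy with -Algorithm SHA256 and confirm the value matches FileSha256 before registering the certificate in Step 5.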

Step 5: Registering the ISV Proxy Certificate with SCCM

  1. On the SCCM server, open SCCM and click the Administration category in the sidebar.
  2. Expand the Security folder.
  3. Right-click the Certificates heading and select Register or Renew ISV Proxy.

  4. In the Register or Renew ISV Proxy dialog, select the Register certificate for a new ISV proxy option and browse for the ISV proxy certificate (.cer).

  5. Click OK to close the Register or Renew ISV Proxy dialog.
  6. Take note of the certificate GUID for the ISV proxy certificate. You will need to enter this when you install the Jamf SCCM Proxy Service.

    If the Certificate GUID column is not displayed, right-click the column header and select Certificate GUID.