Creating a Signing Certificate Using Jamf Pro's Built-in CA to Use for Signing Configuration Profiles and Packages

This article explains how to create a signing certificate using Jamf Pro's built-in certificate authority (CA), which you can then use to sign custom configuration profiles and packages so that they are automatically trusted when installed on managed devices. Trust is established automatically because the root CA certificate is included in the Jamf Pro MDM profile.

Creating a signing certificate generated by the Jamf Pro built-in CA provides the following benefits:

  • Marks custom configuration profiles as trusted and "Verified" when end users view the profile

  • Allows uploading custom configuration profiles as read-only within Jamf Pro if needed

  • Allows custom packages to be signed with a certificate that is trusted by managed computers. This allows packages to meet the trust requirements for installation by an MDM command, such as a PreStage enrollment package. For more information, see Computer PreStage Enrollments in the Jamf Pro Administrator's Guide.

Note:

Packages deployed via a Jamf Pro policy do not need to be signed.

Creating a Signing Certificate Using the Jamf Pro Built-in CA

  1. Create a certificate signing request (CSR) on your computer:
    1. Open Keychain Access.
    2. In the menu bar, navigate to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
      Certificate Information window in Certificate Assistant
    3. In the Certificate Assistant window, enter your email address in the User Email Address field.
    4. Enter a certificate common name in the Common Name field.
      Note:

      The common name is used to identify the certificate when selecting it for signing purposes.

    5. Ensure the CA Email Address field is blank.
    6. Select Saved to disk from the Request is setting.
    7. Click Continue.
    8. Specify a file name and location, and then click Save.
  2. Open the CSR file in a text editor.
  3. Copy the file text to the Clipboard.
  4. In Jamf Pro, navigate to Settings > Global Management > PKI Certificates.
  5. In the Management Certificate Template pane, click Create Certificate from CSR.
  6. Paste the CSR text into the CSR field, and then select Web Server Certificate from the Certificate Type pop-up menu.
    CSR field in Create Certificate from CSR
  7. Click Create, and then specify a location to save the certificate.

Installing the Certificate to Use for Signing Purposes

  1. Double-click the downloaded certificate to install it in your login keychain.
  2. In Keychain Access, double-click the certificate and inspect its trust settings:
    • If the certificate displays the message "This certificate is valid", it is successfully installed and is ready to be used for signing.
      Message for trusted certificate
      Note:

      If the computer the certificate is installed on is managed by the same Jamf Pro instance that created the certificate, trust should automatically be established.

    • If the certificate displays the message "[Certificate Name] certificate is not trusted", it is successfully installed but not trusted.
      Message for not trusted certificate
  3. Do the following to establish trust so the certificate can be used for signing:
    1. In Jamf Pro, navigate to Settings > PKI Certificates.
    2. In the Management Certificate Template pane, click Download CA Certificate.
    3. Double-click the certificate to install it to your System keychain.
    4. In Keychain Access, select and double-click the certificate to view its trust settings.
    5. Expand the Trust disclosure triangle if needed.
    6. Choose Always Trust from the When using this certificate pop-up menu:
      Certificate trust settings
    7. When prompted, enter your administrator credentials to modify the trust settings.
    8. Repeat step 2 to verify that the certificate you created is now valid.

Signing a Custom Configuration Profile with the Installed Certificate

There are several ways to sign a configuration profile with a certificate. Two common methods are to either use Apple Configurator 2 or the command line:

Method 1—Use Apple Configurator 2
  1. Open the configuration profile in Apple Configurator 2. You can download Apple Configurator 2 from the Mac App Store.

  2. Navigate to File > Sign.

  3. Select the Jamf Pro signing certificate created previously.

  4. Save the configuration profile.

Method 2—Use the Command Line

Open Terminal and enter a command similar to the following:

/usr/bin/security cms -S -N "<common name of certificate>" -i <input path to unsigned profile> -o <output path for signed profile>

For example, if the certificate common name was "JamfSign", the command would be the following:

/usr/bin/security cms -S -N "JamfSign" -i ~/Desktop/Custom.mobileconfig -o ~/Desktop/Custom-signed.mobileconfig
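The following is an added example and is not part of the Jamf article or Jamf's tooling. It walks the trust model the article relies on (a CSR, a certificate issued by the MDM's CA from that CSR, a CMS-signed profile, and the trust decision a device makes on install) with OpenSSL so it runs on any platform. The stand-in CA, the "Unrelated CA", the file names and the sample profile are constructed assumptions; the common name "JamfSign" is the one used in the article. On a Mac the equivalent commands are `security cms -S` to sign, as shown above, and `security cms -D -i Custom-signed.mobileconfig` to decode and display the signed payload.

```sh
#!/bin/sh
# Added example, not from the Jamf article: the article's trust model (CSR -> cert
# issued by the MDM's CA -> CMS-signed profile -> trust check on a device) redone
# with OpenSSL so it runs anywhere. The CA, "Unrelated CA", file names and sample
# profile are constructed; nothing here touches a real Jamf Pro server or keychain.
set -e
WORK="$(mktemp -d)"
CNF="$WORK/openssl.cnf"

# Private OpenSSL config so the run does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF

# Article step 1: a CSR for the signing certificate (Keychain Access produces the
# same kind of file). Only the common name matters for signing later.
make_csr() {  # $1: common name
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/sign.key" -out "$WORK/sign.csr" 2>/dev/null
}
# Subject the CA will issue for, in RFC 2253 form (e.g. CN=JamfSign).
csr_subject() {  # $1: CSR path
  openssl req -config "$CNF" -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
# A self-signed root: used for the stand-in Jamf CA and for an unrelated CA.
make_ca() {  # $1: file stem, $2: common name
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# Article steps 4-7: the CA turns the CSR into a certificate.
issue_from_csr() {  # $1: CA stem, $2: CSR, $3: output certificate
  openssl x509 -req -in "$2" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 1 -extfile "$CNF" -extensions v3_leaf -out "$3" 2>/dev/null
}
# OpenSSL equivalent of: security cms -S -N "JamfSign" -i Custom.mobileconfig -o ...
# Output is DER CMS SignedData with the profile embedded and the signer cert attached.
sign_profile() {  # $1: unsigned profile, $2: signed output
  openssl cms -sign -binary -nodetach -outform DER -signer "$WORK/sign.pem" \
    -inkey "$WORK/sign.key" -in "$1" -out "$2"
}
# What a device does on install: the attached signer cert must chain to a root it
# trusts. Prints trusted/untrusted; the decoded payload goes to $3 on success.
# -no-CApath keeps the system root store out of the decision.
verify_profile() {  # $1: signed profile, $2: trusted root PEM, $3: decoded output
  if openssl cms -verify -binary -inform DER -in "$1" -CAfile "$2" -no-CApath \
       -out "$3" 2>/dev/null; then echo trusted; else echo untrusted; fi
}
# Signing wraps the payload without altering it: decoded output equals the input.
payload_matches() {  # $1: original profile, $2: decoded payload
  cmp -s "$1" "$2"
}

# Constructed sample profile: a minimal top-level plist with no payloads.
cat > "$WORK/Custom.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.example.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000000</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF

make_csr JamfSign
make_ca jamfca "Stand-in Jamf Pro Built-in CA"
make_ca otherca "Unrelated CA"
issue_from_csr jamfca "$WORK/sign.csr" "$WORK/sign.pem"
sign_profile "$WORK/Custom.mobileconfig" "$WORK/Custom-signed.mobileconfig"

echo "CSR subject:            $(csr_subject "$WORK/sign.csr")"
echo "Device with Jamf root:  $(verify_profile "$WORK/Custom-signed.mobileconfig" "$WORK/jamfca.pem" "$WORK/decoded.mobileconfig")"
echo "Device without it:      $(verify_profile "$WORK/Custom-signed.mobileconfig" "$WORK/otherca.pem" /dev/null)"
payload_matches "$WORK/Custom.mobileconfig" "$WORK/decoded.mobileconfig" && echo "Decoded payload matches the original"
echo "Files left in $WORK for inspection"
```

The "untrusted" result against the unrelated root is the same state the article describes as "[Certificate Name] certificate is not trusted": the signature is valid, but the signer does not chain to a root the verifier holds. Distributing the CA certificate (which the Jamf Pro MDM profile does for managed devices, and which the Download CA Certificate step does for the admin Mac) is what turns that result into "trusted"; the payload itself is never modified by signing.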

Signing a Custom Package File with the Installed Certificate

There are several ways to sign a custom package file with the installed certificate. Two common methods are to either use Jamf Composer or the command line:

Method 1—Use Composer
  1. Open Composer Preferences.

  2. Ensure the Build flat PKGs checkbox is selected.

  3. Select the Sign with: checkbox and choose your certificate from the pop-up menu.

  4. Click Save.

When a new package is created with these settings, it is signed with the certificate.

Method 2—Use the Command Line

Open Terminal and enter a command similar to the following:

/usr/bin/productsign --sign "<common name of certificate>" <input path to unsigned package> <output path to signed package>

For example, if the certificate common name was "JamfSign", the command would be the following:

/usr/bin/productsign --sign "JamfSign" ~/Desktop/CustomPackage.pkg ~/Desktop/CustomPackage-signed.pkg