Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using Command Prompt and Uploading the Certificate to Jamf Pro

This article explains how to obtain a signing certificate from a Microsoft certificate authority (CA) using Command Prompt and upload the certificate to Jamf Pro. Normally, when a computer or mobile device that needs a certificate checks in with Jamf Pro, the device itself contacts the SCEP server to obtain the certificate. You can instead enable Jamf Pro as a SCEP Proxy: Jamf Pro then communicates directly with the SCEP server on the devices' behalf, obtains the certificates, and installs them on computers and mobile devices, so the devices never need network access to the SCEP server. The certificate obtained in this article is the signing certificate Jamf Pro uses in that role.

The procedure involves the following steps:

  1. Generating a Certificate Signing Request
  2. Downloading the Certificate from the Microsoft CA Server
  3. Uploading the Certificate to Jamf Pro

General Requirements

  • Jamf Pro 10.0.0 or later
  • Java Development Kit (JDK) with the keytool utility

    If you do not have keytool, OpenSSL is an alternative. Contact your support representative for more information.

  • A Microsoft CA server

Step 1: Generating a Certificate Signing Request

  1. On a computer with the JDK installed, open Command Prompt.
  2. Use keytool to generate an RSA key pair in a new keystore and then a certificate signing request (CSR) for it by executing the following two commands:

    Modify the commands with your organization's information, the keystore path, and the desired certificate validity and key size. Replace jdk1.8.0_XXX with the JDK folder actually installed on the computer.

    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -genkey -alias scepca -keyalg RSA -keypass "changeit" -storepass "changeit" -dname "CN=https://jamf.instancename.com:8443, OU=Department, O=Organization, L=City, ST=State, C=Country" -keystore "C:\path\to\save\keystore.jks" -validity 365 -keysize 2048
    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -certreq -keyalg RSA -alias scepca -file "C:\path\to\save\certreq.csr" -keystore "C:\path\to\keystore.jks"

    The first command creates keystore.jks containing the key pair under the alias scepca; keep this file, because the private key in it is what Jamf Pro will use. The second command writes a PEM-encoded CSR to certreq.csr. Passwords given with -keypass and -storepass on the command line are recorded in the Command Prompt history; if you omit them, keytool prompts for them instead. On JDK 9 or later, keytool creates a PKCS12 keystore by default, so add -storetype JKS to the first command to obtain a JKS keystore.

    If you are using Java version 8 or later, keytool prints a warning that the JKS keystore uses a proprietary format and recommends migrating to PKCS12. This is expected and can be ignored; do not convert the keystore, because this procedure uploads the .jks file to Jamf Pro as it is.

  3. When prompted, enter the keystore password. The second command passes no -storepass, so keytool asks for the password you set with the first command; by default, the password is "changeit".

    You can change the default password. Keep -keypass and -storepass identical, because the upload in Step 3 asks for a single keystore password.

  4. Using Notepad, open the certreq.csr file you generated.
  5. Copy the entire content of the certreq.csr file, including the BEGIN and END lines.

Step 2: Downloading the Certificate from the Microsoft CA Server

  1. In a web browser, navigate to the web enrollment page of your Microsoft CA server. For example: http://CAServerAddress/certsrv/ Use HTTPS if the enrollment site is configured for it, because the next step sends your domain credentials to the server.
  2. Enter your username and password.
  3. On the Microsoft Active Directory Certificate Services homepage, click Request a certificate.
  4. Click Advanced certificate request.
  5. Paste the .csr file content in the Saved Request field.
  6. Choose User from the Certificate Template pop-up menu.
  7. Click Submit.

    If your CA is not configured to issue certificates automatically, have a CA administrator approve the pending request, then click View the status of a pending certificate request and continue with step 8.

  8. Select Base 64 encoded.
  9. Click Download certificate, and then rename the certificate as user.cer.
  10. Click Download certificate chain to download the .p7b file.
  11. To extract certificates from the .p7b file, do the following:
    1. Double-click the bundle. By default, it opens in CertMgr.
    2. Expand the file, and then click Certificates.
    3. Right-click the root certificate and click All Tasks > Export to export it as a .cer file. This opens the Certificate Export Wizard.
    4. Click Next.
    5. Select Base-64 encoded X.509 (.CER).
    6. Click Next.
    7. Click Browse to specify a location and rename the file. It is recommended that you rename the root CA certificate to ca.cer.
    8. Click Next.
    9. Click Finish. This exports the file.
    10. Repeat steps 3 to 9 as needed for the intermediate and issuing CA certificates. It is recommended that you rename the intermediate and issuing CA certificates to int.cer and issuer.cer, respectively. A single-tier CA has no intermediate certificate, in which case only ca.cer is needed.
  12. To import the certificates to the keystore, execute the following commands in this order: the root CA first, then any intermediate and issuing CA certificates, and the issued user certificate last. Each command prompts for the keystore password because none of them passes -storepass.
    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -import -alias root -keystore "C:\path\to\keystore.jks" -trustcacerts -file "C:\path\to\saved\ca.cer"

    When keytool displays the root certificate and asks whether to trust it, compare the fingerprint it shows with the one published by your CA administrator, then enter yes. The later imports chain to this root and are accepted without a prompt.

    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -import -alias intermed -keystore "C:\path\to\keystore.jks" -trustcacerts -file "C:\path\to\saved\int.cer"

    If you exported a separate issuing CA certificate (issuer.cer), import it the same way under its own alias (for example, -alias issuer) before continuing; otherwise the final import fails with "Failed to establish chain from reply".

    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -import -alias scepca -keystore "C:\path\to\keystore.jks" -trustcacerts -file "C:\path\to\saved\user.cer"

    The last command uses the alias scepca from Step 1, so keytool treats user.cer as the certificate reply for that key pair and reports "Certificate reply was installed in keystore". The keystore now holds the private key together with its full certificate chain.
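As an added example (not code from this article, from Jamf, or from Microsoft), the following PowerShell script performs the keytool commands of Step 1 and step 12 above in one place and checks the keystore before it is uploaded in Step 3. It assumes JAVA_HOME points at the JDK; the C:\scep paths, the alias and the distinguished name are placeholders, and the intermediate aliases intermed0, intermed1 are this script's own convention (the article uses root, intermed and scepca). It keeps the keystore password off the command line by passing it through an environment variable, pins the keystore type to JKS, and refuses to import the root CA until the operator has confirmed its fingerprint.

```powershell
# Added example for this article (not Jamf's or Microsoft's code): automates the keytool
# steps of Step 1 and Step 2.12 and then checks the keystore before it is uploaded.
# Assumptions: JAVA_HOME points at a JDK; all paths, aliases and the CN below are placeholders.
param(
    [string]$Keystore     = "C:\scep\keystore.jks",
    [string]$Alias        = "scepca",
    [string]$DName        = "CN=https://jamf.instancename.com:8443, OU=Department, O=Organization, L=City, ST=State, C=US",
    [int]   $ValidityDays = 365
)

# Locate keytool through JAVA_HOME instead of hard-coding a jdk1.8.0_XXX folder.
if (-not $env:JAVA_HOME) { throw "JAVA_HOME is not set; point it at a JDK" }
$KeyTool = Join-Path $env:JAVA_HOME "bin\keytool.exe"
if (-not (Test-Path $KeyTool)) { throw "keytool not found at '$KeyTool'" }

# Ask for the keystore password once and hand it to keytool through an environment
# variable (keytool's -storepass:env / -keypass:env form), so it never appears on a
# command line or in the console history. Run Remove-Item Env:KS_PASS when finished.
$secure = Read-Host -Prompt "Keystore password" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:KS_PASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Invoke-KeyTool {
    # Runs keytool with the given arguments and stops the script on a non-zero exit code.
    param([string[]]$Arguments)
    & $KeyTool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "keytool $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

function New-ScepProxyCsr {
    # Step 1: RSA key pair in a JKS keystore, then a CSR for it.
    # -storetype JKS is explicit because JDK 9 and later default to PKCS12.
    param([string]$CsrPath = "C:\scep\certreq.csr")
    Invoke-KeyTool @("-genkeypair", "-alias", $Alias, "-keyalg", "RSA", "-keysize", "2048",
                     "-validity", "$ValidityDays", "-dname", $DName,
                     "-keystore", $Keystore, "-storetype", "JKS",
                     "-storepass:env", "KS_PASS", "-keypass:env", "KS_PASS")
    Invoke-KeyTool @("-certreq", "-alias", $Alias, "-file", $CsrPath,
                     "-keystore", $Keystore, "-storepass:env", "KS_PASS")
    Get-Content $CsrPath | Set-Clipboard   # ready to paste into the certsrv "Saved Request" field
    Write-Host "CSR written to $CsrPath and copied to the clipboard"
}

function Import-ScepProxyChain {
    # Step 2.12: root first, then any intermediate/issuing CA certificates, then the issued
    # certificate into the key-pair alias so keytool stores it as the certificate reply.
    param(
        [string]  $RootCer  = "C:\scep\ca.cer",
        [string[]]$ChainCer = @("C:\scep\int.cer", "C:\scep\issuer.cer"),
        [string]  $UserCer  = "C:\scep\user.cer"
    )
    # Show the root's fingerprint and make the operator confirm it explicitly
    # instead of answering keytool's own "Trust this certificate?" prompt blindly.
    & $KeyTool -printcert -file $RootCer
    if ((Read-Host "Does this fingerprint match the one published by your CA? (yes/no)") -ne "yes") {
        throw "Root CA not confirmed; nothing was imported"
    }
    Invoke-KeyTool @("-importcert", "-noprompt", "-alias", "root", "-trustcacerts", "-file", $RootCer,
                     "-keystore", $Keystore, "-storepass:env", "KS_PASS")
    $n = 0
    foreach ($cer in $ChainCer) {
        if (-not (Test-Path $cer)) { continue }   # a single-tier CA has no intermediate file
        Invoke-KeyTool @("-importcert", "-alias", "intermed$n", "-trustcacerts", "-file", $cer,
                         "-keystore", $Keystore, "-storepass:env", "KS_PASS")
        $n++
    }
    Invoke-KeyTool @("-importcert", "-alias", $Alias, "-trustcacerts", "-file", $UserCer,
                     "-keystore", $Keystore, "-storepass:env", "KS_PASS")
}

function Test-ScepProxyKeystore {
    # Confirms what Jamf Pro needs: a private-key entry under $Alias whose chain holds
    # the issued certificate plus at least one CA certificate.
    $listing = (& $KeyTool -list -v -alias $Alias -keystore $Keystore -storepass:env KS_PASS) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "keytool -list failed: wrong password or missing alias '$Alias'?" }
    if (-not ($listing -match "Entry type: PrivateKeyEntry")) { throw "'$Alias' is not a private-key entry" }
    if (-not ($listing -match "Certificate chain length: (\d+)")) { throw "no certificate chain on '$Alias'" }
    $length = [int]$Matches[1]
    if ($length -lt 2) { throw "chain length is $length: the CA certificates were not imported" }
    Write-Host "OK: '$Alias' is a PrivateKeyEntry with a $length-certificate chain; upload $Keystore to Jamf Pro"
}

# Usage: dot-source this file, then call the functions around the certsrv steps of Step 2:
#   PS> . .\scep-keystore.ps1; New-ScepProxyCsr
#   ...submit the CSR, download user.cer and export ca.cer / int.cer / issuer.cer...
#   PS> . .\scep-keystore.ps1; Import-ScepProxyChain; Test-ScepProxyKeystore
```

The -storepass:env and -keypass:env forms are documented keytool options that read the password from the named environment variable; they keep the password out of the process command line that other local users can read with Task Manager or Get-Process. Test-ScepProxyKeystore reads the "Entry type" and "Certificate chain length" lines of keytool -list -v, which is the same check you can perform by hand before uploading the keystore.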

Step 3: Uploading the Certificate to Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Click Signing and CA Certificate Assistant at the bottom of the page.
  8. Upload the keystore.jks file.
  9. Enter the keystore password, and then click Next.

    By default, the keystore password is "changeit". You can change the default password.

  10. From the pop-up menu, choose the user certificate you just uploaded, and then click Next.
  11. If needed, upload a CA certificate for an additional CA.
  12. To save the settings, click Next.
  13. Click Done.