Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using MMC and Uploading the Certificate to Jamf Pro

This article explains how to obtain a signing certificate from a Microsoft certificate authority (CA) using the Microsoft Management Console (MMC) and upload the certificate to Jamf Pro. When a computer or mobile device that needs a certificate checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate. You can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment to ensure devices do not need to access the SCEP server. When Jamf Pro is enabled as a SCEP Proxy, Jamf Pro communicates directly with the SCEP server to obtain certificates and install them on computers and mobile devices.

The procedure involves the following steps:

  1. Configuring an External CA in Jamf Pro

  2. Generating a Certificate Signing Request

  3. Uploading the Certificate to Jamf Pro

  4. Creating a Configuration Profile with a SCEP Payload

General Requirements

  • Jamf Pro 10.0.0 or later

  • A Microsoft CA server

  • A Windows PC bound to the same domain as the CA server

  • A certificate template with key usage of digital signature

Step 1: Configuring an External CA in Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Check Enable Jamf Pro as SCEP Proxy for configuration profiles.
  8. Enter the base URL for the SCEP server.

    If you are using Jamf Cloud and want to establish communication over HTTPS to your SCEP server, you must use a third-party SSL certificate. If you are using an on-premise Jamf Pro server and an on-premise CA, ensure the server is trusted through the Java CA certificates.

  9. Enter a name for the instance.
  10. (Optional) Enter a subject. You can also enter the subject in the configuration profile.
  11. Choose Dynamic-Microsoft CA from the Challenge Type pop-up menu, and then enter the required information.

Step 2: Generating a Certificate Signing Request

You will use MMC to create a certificate that will act as a signing certificate. The signing certificate allows the Jamf Pro server to make the request on behalf of the device. You need to get a certificate from the Windows CA side and upload it into the Jamf Pro server so it can make requests on its behalf.

  1. On the Windows PC, open the folder containing MMC.
  2. Shift-click on the MMC application and select Run as different user.
  3. Enter the user account credentials, and click OK.
  4. Select and enter the credentials for the service account that will be used for creating the signing certificate. This can be the NDES service account or a separate user account as long as it has permissions to the template.
  5. In MMC, select File > Add/Remove Snap-in.
  6. Select Certificates, click Add, and click OK.
  7. In the sidebar, open Certificates - Current User.
  8. Right-click on Personal, select All Tasks > Request New Certificate, and click Next.
  9. Select Active Directory Enrollment Policy and click Next.
  10. Select the User checkbox, and click Enroll.

    No enhanced key usage or application polices are required for the SCEP proxy signing certificate. However, they will be needed on the template the device or user certificates will be issued from.

  11. Click Finish. The new user certificate issued by the CA will be displayed in the MMC console.
  12. Right-click the new certificate, select All Tasks > Export, and click Next.
  13. Select Yes, export the private key, and click Next.

    The private key must be exportable to create a .pfx file for uploading.

  14. Select Include all certificates in the certification path if possible, click Next.
  15. Select Password, enter a password to secure the certificate, and click Next.
  16. Click Browse, navigate to a location to save the certificate on the PC, and click Next.
  17. Click Finish and exit MMC.
  18. In Windows File Explorer, navigate to the saved certificate.
  19. Upload the saved certificate from the PC to Jamf Pro.

Step 3: Uploading the Certificate to Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Click Change Signing and CA Certificates at the bottom of the page.
  8. Click Choose File and select the new certificate.
  9. Enter the keystore password that you used when exporting the certificate.
  10. Click Next.
  11. Confirm the certificate chain information that is displayed, and click Next.
  12. Click Done.

Step 4: Creating a Configuration Profile with a SCEP Payload


You may need to consult with your network administrator to obtain the information required to complete the following steps, such as the subject format and subject alternative name.

  1. In Jamf Pro, select Computers > Configuration Profiles > New.
  2. Select the SCEP payload and click Configure.
  3. Select Use the External Certificate Authority settings to enable Jamf Pro as SCEP proxy for this configuration profile.
  4. (Optional) Enter a new name for the instance or leave it blank if you don't want to override the original name.
  5. (Optional) Select an option from the Redistribute Profile pop-up menu.
  6. Enter the subject in X.500 format, e.g. CN=$COMPUTERNAME.
  7. No other settings need changing in the SCEP payload; the challenges and URLs will be read from the CA settings.
  8. Click Save.
  9. Click the Scope tab and add computers to the configuration profile's scope.
  10. Click Save.
  11. On the scoped computer, you can confirm the certificate was issued in the following locations:
    • Keychain Access

    • System Preferences > Profiles.