Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using OpenSSL and Uploading the Certificate to Jamf Pro

This article explains how to obtain a signing certificate from a Microsoft certificate authority (CA) using OpenSSL and upload the certificate to Jamf Pro. When a computer or mobile device that needs a certificate checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate. You can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment to ensure devices do not need to access the SCEP server. When Jamf Pro is enabled as a SCEP Proxy, Jamf Pro communicates directly with the SCEP server to obtain certificates and install them on computers and mobile devices.

The procedure involves the following steps:

  1. Generating a Certificate Signing Request

  2. Downloading the Certificate from the Microsoft CA Server

  3. Uploading the Certificate to Jamf Pro

General Requirements

  • Jamf Pro 10.0.0 or later

  • macOS or Linux

  • A Microsoft CA server

Step 1: Generating a Certificate Signing Request

  1. Open Terminal on a Linux or Mac computer.
  2. Generate a new certificate signing request by executing the following command:
    /usr/bin/openssl req -out /path/to/csr.csr -new -newkey rsa:2048 -nodes -keyout /path/to/private.key
  3. Follow the prompts to complete the CSR creation process.

Step 2: Downloading the Certificate from the Microsoft CA Server

Choose one of the following methods depending on if your organization has web enrollment enabled.

Method 1: Your organization has web enrollment enabled

  1. Navigate to the following webpage: http://YourCAServerAddress/certsrv/
  2. Enter your username and password.
  3. On the Microsoft Active Directory Certificate Services homepage, click Request a certificate.
  4. Click advanced certificate request.
  5. Paste the CSR file content in the Saved Request field.
  6. Choose a certificate template from the Certificate Template pop-up menu.

    You can use any certificate template that supports digital signature. Consult your certificate administrator if needed.

  7. Click Submit.

    If your server is not configured with the auto-approve option, have the submitted certificate request manually approved before clicking View the status of a pending certificate request and continuing to step 8.

  8. Select Base 64 encoded.
  9. Click Download certificate, and then rename the certificate as user.cer.
  10. Click Download certificate chain to download the .p7b file.
  11. To extract certificates from the .p7b file, do the following:
    1. Double-click the file and enter your Keychain Access authentication.
    2. In Keychain Access, control-click the root certificate to export it as a .cer file. You can now rename and save it elsewhere. The recommended file name is ca.cer.
    3. Click Save.
  12. (Optional) If you have an intermediate or issuing CA certificate, export and rename those as well. The recommended file names are int.cer and issuer.cer, respectively.

Method 2: Your organization does not have web enrollment enabled

You can request a certificate using a Windows PC.

  1. Open Command Prompt.
  2. Execute the following command:
    certreq -submit -attrib "CertificateTemplate:<SIGNINGTemplate name>"
  3. When prompted, provide the CSR file, the CA to issue from, and an output location of the client.cer file.
  4. You will need the CA certificate to build the chain. Your certificate administrator should be able to provide the CA certificate. Otherwise, you can execute the following command:
    certutil -ca.cert output/path/root_ca.cer
  5. Copy the root_ca.cer and the client.cer files back to the location where the CSR was created.
  6. Execute the following command:
    openssl pkcs12 -export -out /path/to/<choosename>.p12 -inkey /path/to/private.key -in /path/to/client.cer -certfile /path/to/root_ca.cer
  7. When prompted, enter an export password.

Step 3: Uploading the Certificate to Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Click Signing and CA Certificate Assistant at the bottom of the page.
  8. Upload the .p12 file.
  9. Enter the export password that you set previously, and then click Next.
  10. From the pop-up menu, choose the user certificate you just uploaded, and then click Next.
  11. (Optional) If needed, upload a CA certificate for an additional CA.
  12. To save the settings, click Next.
  13. Click Done.