Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using Terminal and Uploading the Certificate to Jamf Pro

This article explains how to obtain a signing certificate from a Microsoft certificate authority (CA) using Terminal and upload the certificate to Jamf Pro. Normally, when a computer or mobile device that needs a certificate checks in with Jamf Pro, the device communicates with the SCEP server directly to obtain the certificate. You can instead enable Jamf Pro as a SCEP Proxy so that devices never need to reach the SCEP server: Jamf Pro communicates with the SCEP server on their behalf, obtains the certificates, and installs them on computers and mobile devices. Jamf Pro uses the signing certificate and its private key to sign the SCEP requests it sends on behalf of devices, so the keystore that holds that key must be protected like any other credential.

The procedure involves the following steps:

  1. Generating a Certificate Signing Request

  2. Downloading the Certificate from the Microsoft CA Server

  3. Uploading the Certificate to Jamf Pro

General Requirements

  • Jamf Pro 10.0.0 or later
  • Java Development Kit (JDK) with the keytool utility

    If you do not have keytool, OpenSSL is an alternative, but the commands in this article assume keytool and a JKS keystore.

  • A Microsoft CA server

Step 1: Generating a Certificate Signing Request

  1. On a computer with the JDK installed, open Terminal.
  2. Use keytool to generate a key pair and a certificate signing request (CSR) by executing the following commands:

    Replace the placeholders in the -dname value with your organization's information (C must be a two-letter country code) and set -keysize to the key strength you require. The -validity value applies only to the temporary self-signed certificate that keytool creates; the Microsoft CA sets the validity period of the certificate it issues.

    keytool -genkeypair -alias scepca -keyalg RSA -keysize 2048 -validity 365 -keypass "changeit" -storepass "changeit" -dname "CN=https://jamf.instancename.com:8443, OU=Department, O=Organization, L=City, ST=State, C=Country" -keystore "/path/to/save/keystore.jks"
    keytool -certreq -alias scepca -file /path/to/save/certreq.csr -keystore /path/to/save/keystore.jks

    sudo is not required; run keytool as the user who owns the destination directory so that the keystore is not owned by root. Passing -keypass and -storepass on the command line leaves the password in your shell history and makes it visible to other local processes; omit both options to be prompted for them instead. Whichever you choose, keep the key password and the keystore password identical, because Jamf Pro asks only for the keystore password when you upload the keystore in Step 3.

    Newer JDKs print a warning that the JKS format is proprietary and recommend migrating to PKCS12. This is expected and can be ignored. Do not run the suggested migration command, because this procedure uploads the .jks file.

  3. When prompted, enter the keystore password (and, if you omitted -keypass, the key password). By default, the password is "changeit".

    You can change the default password.

  4. Using a preferred text editor, open the certreq.csr file you generated. To confirm that the request carries the subject you intended before you submit it, you can also run keytool -printcertreq -file /path/to/save/certreq.csr.
  5. Copy the entire content of the certreq.csr file, including the BEGIN and END lines.

Step 2: Downloading the Certificate from the Microsoft CA Server

  1. In a web browser, navigate to the Active Directory Certificate Services web enrollment page on your Microsoft CA server. For example: https://CAServerAddress/certsrv/. Use HTTPS: the page asks for your domain credentials, and the issued certificate is downloaded from it.
  2. Enter your username and password.
  3. On the Microsoft Active Directory Certificate Services homepage, click Request a certificate.
  4. Click Advanced certificate request.
  5. Paste the .csr file content in the Saved Request field.
  6. Choose User from the Certificate Template pop-up menu.
  7. Click Submit.

    If your CA is not configured to approve requests automatically, have the submitted request approved manually first, then click View the status of a pending certificate request and continue with step 8.

  8. Select Base 64 encoded.
  9. Click Download certificate, and then rename the downloaded file user.cer.
  10. Click Download certificate chain to download the .p7b file.
  11. To extract the CA certificates from the .p7b file, do the following:
    1. Double-click the file and, if prompted, authenticate to Keychain Access.
    2. In Keychain Access, control-click the root certificate, export it as a .cer file, and rename and save it alongside the other files. The recommended file name is ca.cer.
    3. Click Save.
  12. (Optional) If the chain also contains an intermediate or issuing CA certificate, export those the same way. The recommended file names are int.cer and issuer.cer, respectively.

    Alternatively, from Terminal, openssl pkcs7 -print_certs -in /path/to/chain.p7b -out /path/to/chain.pem (add -inform DER if the file is binary rather than Base 64 text) writes every certificate in the chain to one PEM file, which you can split into ca.cer, int.cer and issuer.cer with a text editor.
  13. Import the certificates into the keystore, root first, then any intermediates, and finally the certificate issued to you, by executing the following commands in this order (as the same user who created the keystore):
    keytool -import -alias root -keystore /path/to/saved/keystore.jks -trustcacerts -file /path/to/saved/ca.cer

    If prompted to trust the certificate, enter "yes" to trust this certificate and all subsequent certificates.

    keytool -import -alias intermed -keystore /path/to/saved/keystore.jks -trustcacerts -file /path/to/saved/int.cer
    keytool -import -alias scepca -keystore /path/to/saved/keystore.jks -trustcacerts -file /path/to/saved/user.cer

    If you also exported issuer.cer, import it with its own alias (for example, issuer) before the final command. The final command deliberately reuses the scepca alias that holds the private key: keytool treats the file as a certificate reply, replaces the temporary self-signed certificate with the CA-issued one, and builds its chain from the CA certificates imported just before. This is why the order matters; if a CA certificate in the chain is missing, the final import fails with "Failed to establish chain from reply". To confirm the result, run keytool -list -v -keystore /path/to/saved/keystore.jks and check that the scepca entry is a PrivateKeyEntry whose Owner is your subject and whose certificate chain length matches the number of certificates in the chain.
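The Keychain Access steps above work but are click-heavy, and the import order in step 13 is the part people most often get wrong. The following Python script is an added example, not part of this article and not Jamf tooling: given a PEM bundle of the chain (for instance the output of openssl pkcs7 -print_certs -in chain.p7b -out chain.pem), it reads each certificate's subject and issuer straight from the DER, orders the chain root, intermediate(s), leaf, assigns the file names and keytool aliases this article uses (ca.cer/root, int.cer/intermed, user.cer/scepca), and produces the keytool import commands in the right order. It generalizes beyond the three-certificate case in the article to any single linear chain and refuses bundles that are not one. The bundle it ships with is constructed: three structurally valid certificates with no keys and dummy signatures, and invented names such as Contoso Root CA and jamf.example.com, so that it runs offline; feed pem_certs your real chain.pem instead.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("0603550403")  # id-at-commonName, as a DER OID TLV

def read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER TLV at pos; handles long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, pos, pos + first
    nbytes = first & 0x7F
    return tag, pos + nbytes, pos + nbytes + int.from_bytes(buf[pos:pos + nbytes], "big")

def subject_issuer(cert_der):
    """Raw DER (subject, issuer) Names. RFC 5280 fixes the tbsCertificate order
    ([0] version?, serialNumber, signature, issuer, validity, subject), so read by position."""
    _, pos, _ = read_tlv(cert_der, 0)            # Certificate
    _, pos, _ = read_tlv(cert_der, pos)          # tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                              # skip optional explicit version
        pos = end
    fields = []
    for _ in range(5):                           # serial, signature, issuer, validity, subject
        _, _, end = read_tlv(cert_der, pos)
        fields.append(cert_der[pos:end])
        pos = end
    return fields[4], fields[2]

def common_name(name_der):
    """Display-only CN: the string TLV following the commonName OID ("" if absent)."""
    idx = name_der.find(CN_OID)
    _, start, end = read_tlv(name_der, idx + len(CN_OID)) if idx >= 0 else (0, 0, 0)
    return name_der[start:end].decode("utf-8", "replace")

def pem_certs(bundle):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle)]

def to_pem(der_bytes):
    body = "\n".join(textwrap.wrap(base64.b64encode(der_bytes).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def order_chain(certs):
    """Root first, leaf last; raises if the bundle is not a single linear chain."""
    names = {c: subject_issuer(c) for c in certs}
    roots = [c for c, (subj, iss) in names.items() if subj == iss]
    if len(roots) != 1:
        raise ValueError(f"expected one self-signed root, found {len(roots)}")
    chain, remaining = roots[:], [c for c in names if c != roots[0]]
    while remaining:
        kids = [c for c in remaining if names[c][1] == names[chain[-1]][0]]
        if len(kids) != 1:
            raise ValueError("not a single chain: missing or branching issuer")
        chain.append(kids[0])
        remaining.remove(kids[0])
    return chain

def import_plan(bundle):
    """[(file_name, alias, cn, pem)] in import order, named as in the article:
    ca.cer/root, int.cer/intermed (numbered when several), user.cer/scepca."""
    chain = order_chain(pem_certs(bundle))
    plan = []
    for i, cert in enumerate(chain):
        if i == 0:
            fname, alias = "ca.cer", "root"
        elif i == len(chain) - 1:
            fname, alias = "user.cer", "scepca"
        else:
            sfx = "" if len(chain) == 3 else str(i)
            fname, alias = f"int{sfx}.cer", f"intermed{sfx}"
        plan.append((fname, alias, common_name(subject_issuer(cert)[0]), to_pem(cert)))
    return plan

def keytool_commands(plan, keystore):
    return [f"keytool -import -alias {a} -keystore {keystore} -trustcacerts -file {f}"
            for f, a, _, _ in plan]

# Constructed sample: structurally valid Certificate DER (no key, dummy signature), enough
# for subject/issuer parsing. Deliberately out of order, leaf first, as a .p7b often is.
def _der(tag, payload):
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode()))))

def _stub_cert(subject_cn, issuer_cn, serial):
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

SAMPLE_BUNDLE = "".join(to_pem(c) for c in (
    _stub_cert("jamf.example.com", "Contoso Issuing CA", 3),
    _stub_cert("Contoso Root CA", "Contoso Root CA", 1),
    _stub_cert("Contoso Issuing CA", "Contoso Root CA", 2),
))
```

Calling import_plan(SAMPLE_BUNDLE) returns the root, the issuing CA and the leaf in that order; write each entry's PEM text to the file name it carries, then run keytool_commands(plan, "/path/to/saved/keystore.jks") in the order returned. The leaf in a chain bundle downloaded from the CA is normally the same certificate as the user.cer from step 9. The subject/issuer matching compares the raw DER Names, which is exactly what keytool does when it builds the chain during the final import, so a bundle this script rejects is one keytool would reject too.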

Step 3: Uploading the Certificate to Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Click Signing and CA Certificate Assistant at the bottom of the page.
  8. Upload the keystore.jks file.
  9. Enter the keystore password, and then click Next.

    By default, the keystore password is "changeit". You can change the default password.

  10. From the pop-up menu, choose the user certificate you just uploaded, and then click Next.
  11. (Optional) If needed, upload a CA certificate for an additional CA.
  12. To save the settings, click Next.
  13. Click Done.