Renewing the Jamf Pro JSS Built-In Certificate Authority (CA)

This article describes how to renew the Jamf Pro JSS Built-in Certificate Authority (CA) so that Jamf Pro continues to manage computers, devices, and users.

(On-premises environments only) Jamf recommends using a publicly trusted SSL/TLS certificate for Tomcat. If you are using a Tomcat SSL/TLS certificate issued from Jamf Pro's built-in certificate authority (CA), you must transition to a trusted certificate before renewing Jamf Pro's built-in CA, or you will lose MDM communication with enrolled iOS devices. If you want to move from an SSL/TLS certificate issued from Jamf Pro's built-in CA to an SSL/TLS certificate issued from a third-party CA, see the Enabling SSL on Tomcat with a Public Certificate article.

If it is not possible for you to leverage a third-party external Tomcat SSL/TLS certificate in your environment, contact Jamf Support for assistance.

Jamf Pro 10.23.0 or later

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global section, click PKI certificates.
  3. Click a number in the All column. A list of corresponding certificates will be displayed.
  4. Click the certificate with the "Jamf Pro JSS Built-in Certificate Authority" subject to view the certificate details.
  5. Click Renew and confirm the renewal.
  6. (Optional) Verify the new expiration date.
  7. Refresh the page. The renewal status is displayed in Jamf Pro Notifications and an email is sent if email notifications are enabled for your account.

When the renewal process succeeds, the Jamf Pro JSS Built-in Certificate Authority (CA) expiration date is extended by 10 years. All signing certificates issued by the built-in CA are automatically renewed.

When the built-in CA renewal fails, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA (for example, Jamf Pro cannot communicate with managed computers or mobile devices), contact Jamf Support.

Automatic Renewal of MDM Profiles

Automatic renewal of MDM profiles is controlled by the MDM Profile Settings in Jamf Pro. By default, after the built-in certificate authority (CA) is renewed, the MDM profile and the device identity certificate are renewed the next time an MDM command is issued or the next time the computer or mobile device checks in to Jamf Pro. The MDM Profile Expiration Date field in the inventory shows the new expiration date. The renewed device identity certificates expire in two years.

  • The validity period of the CA certificate displayed on mobile devices does not update after the MDM profile is renewed following a CA certificate renewal. This is a display issue that does not affect functionality. Jamf recommends that you view all CA certificate information in Jamf Pro, including the validity period.

  • To monitor which MDM profiles are not renewed, Jamf recommends that you create a smart computer or mobile device group and set the MDM Profile Renewal Needed – CA Renewed search criteria value to Yes.

For more information, see MDM Profile Settings in the Jamf Pro Documentation.
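Step 6 of the procedure above and the note that mobile devices keep displaying the old CA validity period both come down to the same question: what does the active built-in CA's notAfter date actually say, as reported by the server rather than by a device's UI. The following is an added example (not Jamf's own code or documentation) of a small post-renewal check. It assumes the Jamf Pro API endpoints /api/v1/auth/token (basic-auth POST returning a bearer token) and /api/v1/pki/certificate-authority/active (returning the active CA as JSON with a notAfter field in ISO 8601), that the notAfter value looks like "2034-06-01T00:00:00Z", and that on a managed Mac a copy of the CA certificate is present in the System keychain under its "Jamf Pro JSS Built-in Certificate Authority" subject. The sample dates in the usage block are constructed.

```python
"""Post-renewal sanity checks for the Jamf Pro built-in CA (added example, not Jamf code)."""
import base64
import json
import subprocess
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Subject name used by the built-in CA (as named in the Jamf Pro PKI Certificates page).
CA_SUBJECT = "Jamf Pro JSS Built-in Certificate Authority"


def parse_jamf_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2034-06-01T00:00:00Z' (assumed API format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_openssl_enddate(line: str) -> datetime:
    """Parse the 'notAfter=Jun  1 00:00:00 2034 GMT' line printed by `openssl x509 -enddate`."""
    _, _, raw = line.partition("=")
    return datetime.strptime(raw.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: Optional[datetime] = None) -> int:
    """Whole days of validity left on a certificate."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_looks_successful(old_not_after: datetime, new_not_after: datetime,
                             now: Optional[datetime] = None, min_years: int = 9) -> bool:
    """Return True when the CA expiry moved later AND roughly a decade of validity remains.

    The article states a successful renewal extends the CA by 10 years; min_years is an
    assumed tolerance so the check passes even if it is run some time after the renewal.
    """
    if new_not_after <= old_not_after:
        return False  # expiry was not extended: the article says not to retry, contact support
    return days_remaining(new_not_after, now) >= min_years * 365


def fetch_active_ca(base_url: str, username: str, password: str) -> dict:
    """Fetch the active built-in CA record from the Jamf Pro API (assumed endpoints)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/v1/auth/token", method="POST",
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]
    req = urllib.request.Request(
        f"{base_url}/api/v1/pki/certificate-authority/active",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def local_ca_not_after() -> datetime:
    """On a managed Mac, read the expiry of the CA copy in the System keychain (assumption)."""
    pem = subprocess.run(
        ["security", "find-certificate", "-c", CA_SUBJECT, "-p", "/Library/Keychains/System.keychain"],
        check=True, capture_output=True, text=True).stdout
    enddate = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                             input=pem, check=True, capture_output=True, text=True).stdout
    return parse_openssl_enddate(enddate.strip())


if __name__ == "__main__":
    # Constructed sample values: expiry before renewal, expiry after renewal, and "now".
    before = parse_jamf_timestamp("2024-06-01T00:00:00Z")
    after = parse_jamf_timestamp("2034-06-01T00:00:00Z")
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("days remaining:", days_remaining(after, now))
    print("renewal looks successful:", renewal_looks_successful(before, after, now))
    # Live use (requires a Jamf Pro server and credentials with PKI read access):
    # record = fetch_active_ca("https://jamf.example.com", "api-user", "secret")
    # print(parse_jamf_timestamp(record["notAfter"]))
```

A practical way to use this is to record the CA's notAfter value before clicking Renew, then compare it against the API's value afterwards with renewal_looks_successful; a result of False matches the article's failure case, where the correct action is to contact Jamf Support rather than trigger the renewal again. The local keychain check is useful on Macs only, where the System keychain can be queried; on iOS the article's advice to trust the value shown in Jamf Pro applies.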

Further considerations

  • Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a CSR that was signed by the CA. These certificates may need to be re-issued. The affected integrations may include:
    • HTTPS file share distribution point configuration
    • Signing custom configuration profiles
    • SCCM (System Center Configuration Manager) plugin
  • When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing EDU profiles to be redistributed. This may increase network traffic.

Additional Information

When the Jamf Pro JSS Built-In Certificate Authority (CA) is renewed, all active certificates issued by the built-in CA will be automatically renewed. To view the expiration date of a specified certificate, in Jamf Pro navigate to Global Management > PKI Certificates and click the number displayed in the All column.