Renewing the Jamf Pro JSS Built-In Certificate Authority (CA)

This article describes how to renew Jamf Pro JSS Built-in Certificate Authority to ensure Jamf Pro continues to manage computers, devices, and users.

(On-premise environments only) If you are using a Tomcat SSL/TLS certificate issued from Jamf Pro's built-in certificate authority (CA), you must instead use a trusted certificate before renewing Jamf Pro's built-in CA or you will lose MDM communication with enrolled devices. It is recommended that you switch to a publicly trusted Tomcat SSL/TLS certificate. If you want to move from an SSL/TLS certificate issued from Jamf Pro's built-in CA to an SSL/TLS certificate issued from a third-party CA, see the Enabling SSL on Tomcat with a Public Certificate article.

If it is not possible for you to leverage a third-party external Tomcat SSL/TLS certificate in your environment, contact Jamf Supportfor assistance.


Jamf Pro 10.23.0 or later

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click a number in the All column. A list of corresponding certificates will be displayed.
  6. Click the certificate with the "Jamf Pro JSS Built-in Certificate Authority" subject to view the certificate details.
  7. Click Renew and confirm the renewal.
  8. (Optional) Verify the new expiration date.
  9. Refresh the page. The renewal status is displayed in Jamf Pro Notifications and an email is sent if email notifications are enabled for your account.
When the renewal process succeeds, the Jamf Pro JSS Built-in Certificate Authority (CA) expiration date is extended by 10 years. All signing certificates issued by the built-in CA are automatically renewed.

When the built-in CA renewal fails, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA (for example, Jamf Pro cannot communicate with managed computers or mobile devices), contact Jamf Support.

Automatic Renewal of MDM Profiles

Automatic renewal of MDM profiles is controlled by the MDM Profile Settings in Jamf Pro. By default, after the built-in certificate authority (CA) is renewed, the MDM profile and the device identity certificate will be renewed the next time an MDM command is issued or the next time the computer and mobile device checks in to Jamf Pro. The MDM Profile Expiration Date field value in the inventory will show the new expiration date. The device identity certificates will expire in two years.

To monitor which MDM profiles are not renewed, you can create a smart computer or mobile device group and set the MDM Profile Renewal Needed – CA Renewed search criteria value to Yes.

For more information, see MDM Profile Settings in the Jamf Pro Documentation.

Further considerations

  • Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a CSR that was signed by the CA. These certificates may need to be re-issued. The affected integrations may include:
    • HTTPS file share distribution point configuration
    • Signing custom configuration profiles
    • SCCM (System Center Configuration Manager) plugin.
  • When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing EDU profiles to be redistributed. This may increase network traffic.

Additional Information

When the Jamf Pro JSS Built-In Certificate Authority (CA) is renewed, all active certificates issued by the built-in CA will be automatically renewed. To view the expiration date of a specified certificate, in Jamf Pro navigate to Global Management > PKI Certificates and click the number displayed in the All column.