Integrating with DigiCert Using Jamf Pro
You can issue DigiCert certificates to computers and mobile devices using either the Certificate or SCEP payload within a Jamf Pro configuration profile.
Note: Inventory information for a user must be complete to properly issue a DigiCert certificate to a computer or mobile device. If user inventory information in Jamf Pro is incomplete, DigiCert certificates will be issued with "N/A" recorded for the missing attributes.
Requirements
- DigiCert PKI Platform account
- Web browser with access to the DigiCert PKI Platform
- DigiCert administrator certificate added to your local keychain (it is used to authenticate you to the platform)
- Push certificate configured in Jamf Pro
Glossary
- CA: Certificate Authority
- CN: Common Name
- CSR: Certificate Signing Request
- OID: Object Identifier
- PKI: Public Key Infrastructure
- RA: Registration Authority
- SCEP: Simple Certificate Enrollment Protocol
Procedure
The procedure requires working in Jamf Pro and the DigiCert PKI Platform in parallel, switching between the two. Each environment is unique, and additional steps may be necessary.
The procedure involves the following steps:
- Add a new certificate profile in the DigiCert PKI Platform.
- Configure a CA in Jamf Pro.
- Distribute certificates to devices using configuration profiles.
  Note: Certificates are not deployed immediately. The configuration profile is queued while Jamf Pro obtains a certificate; once the Certificate payload is complete, the profile is deployed to the device. How long this takes depends on server load; typically it is about 5 minutes, or the next device check-in.
- Verify that DigiCert certificates were properly issued to computers and mobile devices.
Step 1: Adding a new certificate profile in the DigiCert PKI Platform
- Log in to the DigiCert PKI Platform.
- Navigate to Settings > Manage certificate profiles.
- Click Add certificate profiles to set up a new certificate profile, and follow the onscreen instructions.
- Repeat until a certificate profile exists for each kind of DigiCert certificate you intend to issue.
Step 2: Configuring DigiCert as a Certificate Authority in Jamf Pro
The following steps are required by the CA so that the Jamf Pro server can make certificate-authenticated requests to the CA as a registration authority (RA). The RA certificate, together with the private key Jamf Pro generates for the CSR below, is what authorizes certificate issuance, so restrict who can reach the PKI Certificates settings in Jamf Pro accordingly.
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click Global Management.
- Click PKI Certificates.
- Click Configure New Certificate Authority.
- Select "DigiCert" as the PKI Provider, click Next, and proceed with the DigiCert Certificate Profiles Assistant.
- Copy the CSR from Jamf Pro and click Next.
- When prompted, navigate to the DigiCert PKI Platform website (https://pki-manager.symauth.com/pki-manager/) and complete the following steps:
  - Enter your PIN. If necessary, choose which certificate should be used for authentication.
  - Navigate to Settings > Get an RA certificate.
  - Paste the CSR that you copied from Jamf Pro, enter a certificate friendly name, and click Continue.
  - Click Download to download the generated DigiCert RA certificate, and click Done.
- Open the downloaded RA certificate file (.p7b) in a text editor and copy its entire contents, including the BEGIN and END lines. If the file is not readable text, it was saved in binary (DER) form and must be converted to Base64 (PEM) before it can be pasted.
- In Jamf Pro, click Next.
- Enter the "DigiCert CA Configuration Name", paste the copied RA certificate into the RA Certificate Copied from DigiCert field, and click Next.
- If you want to automatically revoke certificates from computers or mobile devices, select Enable automatic certificate revocation. For more information, see Revoking DigiCert Certificates.
- Click Done. If the new Certificate Authority is configured successfully, it is listed in the PKI Certificates table.
Step 3: Distributing DigiCert Certificates to Devices Using Configuration Profiles
After DigiCert has been added as a CA in Jamf Pro and communication between Jamf Pro and DigiCert has been established, you can distribute certificates issued by DigiCert using configuration profiles in Jamf Pro. A configuration profile defines the settings that let computers and mobile devices obtain and install a DigiCert-issued certificate, and lets users access resources such as VPN or Wi-Fi with it.
Using configuration profiles, devices can obtain the certificate in either of the following ways:
- Certificate payload—Jamf Pro obtains the certificate from DigiCert and distributes it directly to the device; the device itself never contacts the CA.
- SCEP payload—If your environment supports the Simple Certificate Enrollment Protocol (SCEP), the device enrolls directly with the SCEP server to obtain its certificate, so the private key is generated on the device.
In addition, ensure that the requirements for distributing configuration profiles are met; see the relevant sections of the Jamf Pro Administrator's Guide.
- Log in to Jamf Pro.
- Create a computer or mobile device configuration profile:
  - To create a computer configuration profile, click Computers at the top of the page, and then click Configuration Profiles.
  - To create a mobile device configuration profile, click Devices at the top of the page, and then click Configuration Profiles.
- Click New.
- Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method. Only payloads and settings that apply to the selected level are displayed for the profile.
- Do one of the following to configure how devices obtain and install the certificate:
  - SCEP—To have devices enroll directly with the SCEP server, select the SCEP payload, click Configure, and do the following:
    - Enter the SCEP enrollment URL provided in the DigiCert certificate profile.
    - In the Name field, enter the name of the certificate authority as it appears in the DigiCert certificate profile.
    - Choose "Dynamic-DigiCert" from the Challenge Type pop-up menu and select the DigiCert PKI instance you want to use.
    - Choose the Certificate Profile ID and the Seat ID to use for the SCEP challenge.
    Notes:
    - The OIDs listed on the configuration profile setup page in Jamf Pro correspond to the OIDs of the certificate profile records in the DigiCert PKI Manager. Compare them to confirm that the configuration profile settings are valid and match the certificate profile record in the DigiCert PKI Manager.
    - A given combination of Certificate Profile ID and Seat ID can be used only once per configuration profile.
    - Use each Certificate Profile ID in only one configuration profile per device type. Reusing a Certificate Profile ID across multiple configuration profiles of the same device type can cause certificates to be assigned incorrectly. The same Certificate Profile ID can, however, be reused across different device types (for example, one computer configuration profile and one mobile device configuration profile).
    - It is recommended that the Seat ID used for SCEP profiles is the same as the CN used in the Subject field.
    - Depending on the requirements of the DigiCert certificate profile, you may need to configure additional settings (for example, Key Size, Use a digital signature, and Use for key encipherment).
  - API (Certificate payload)—To have Jamf Pro obtain the certificate and distribute it directly to devices, select the Certificate payload, click Configure, and do the following:
    - Enter a display name and then choose a DigiCert instance from the Select Certificate Option pop-up menu.
    - Use the settings on the pane to specify information about the CA.
- Configure additional payloads for the profile to allow users to access resources such as VPN or Wi-Fi. Depending on how devices obtain the certificate, you may need to reference it in the additional payload as a trusted certificate.
- Click the Scope tab and configure the scope of the profile. If your PKI has been configured to automatically revoke certificates, scope the profile so that certificates are revoked automatically from devices that fall out of scope. For more information, see Revoking DigiCert Certificates.
- Click Save, and select Distribute to All if you want to issue DigiCert certificates to all devices in scope.
  Important: Inventory information for a user must be complete to properly issue a DigiCert certificate to a device. If user inventory information in Jamf Pro is incomplete, DigiCert certificates are issued with "N/A" recorded for the missing attributes, so check the user record before distributing.
- Repeat the process for every configuration profile in Jamf Pro that is to issue DigiCert Managed PKI certificates to computers or mobile devices.
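The notes on the SCEP payload above amount to a small set of rules that are easy to violate once you have more than a handful of profiles. The following is an added example, not Jamf or DigiCert code, that lints exported configuration profiles against those rules. The .mobileconfig content is constructed here using Apple's documented com.apple.security.scep payload keys (URL, Name, Subject, Keysize, Key Usage); the Certificate Profile ID and Seat ID are Jamf-side settings that do not appear in the exported payload, so they are supplied alongside each profile in an assumed table, and the SCEP URLs are placeholders.

```python
import plistlib
from collections import defaultdict

# Apple 'Key Usage' bitmask values for the SCEP payload
KEY_USAGE_SIGN, KEY_USAGE_ENCIPHER = 1, 4

def subject_cn(subject):
    """Subject is [[["CN", "..."]], [["O", "..."]]]; return the CN or None."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "CN":
                return value
    return None

def lint_scep_payload(payload, seat_id=None):
    """Findings for one com.apple.security.scep payload dict."""
    findings = []
    content = payload.get("PayloadContent", {})
    if not content.get("URL", "").startswith("https://"):
        findings.append("SCEP URL is not https")
    if not content.get("Name"):
        findings.append("CA Name is empty")
    cn = subject_cn(content.get("Subject", []))
    if cn is None:
        findings.append("Subject has no CN")
    elif seat_id is not None and cn != seat_id:   # recommended: Seat ID == Subject CN
        findings.append(f"Seat ID {seat_id!r} differs from Subject CN {cn!r}")
    if content.get("Keysize", 0) < 2048:
        findings.append("Key size below 2048")
    usage = content.get("Key Usage", 0)
    if not usage & KEY_USAGE_SIGN:
        findings.append("digital signature key usage not set")
    if not usage & KEY_USAGE_ENCIPHER:
        findings.append("key encipherment key usage not set")
    return findings

def lint_profiles(profiles):
    """profiles: (device_type, mobileconfig_bytes, cert_profile_id, seat_id) tuples.
    Returns {display name: findings}, including Certificate Profile IDs reused
    by more than one profile of the same device type."""
    report, seen = {}, defaultdict(list)
    for device_type, xml, cert_profile_id, seat_id in profiles:
        plist = plistlib.loads(xml)
        name = plist["PayloadDisplayName"]
        findings = []
        for payload in plist.get("PayloadContent", []):
            if payload.get("PayloadType") == "com.apple.security.scep":
                findings += lint_scep_payload(payload, seat_id)
        seen[(device_type, cert_profile_id)].append(name)
        report[name] = findings
    for (device_type, cpid), names in seen.items():
        if len(names) > 1:
            for n in names:
                report[n].append(f"Certificate Profile ID {cpid} reused by {device_type} profiles {sorted(names)}")
    return report

def _profile(display, url, cn, keysize, usage):
    """Constructed sample .mobileconfig with a single SCEP payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadDisplayName": display,
        "PayloadContent": [{
            "PayloadType": "com.apple.security.scep",
            "PayloadContent": {"URL": url, "Name": "DigiCert",
                               "Subject": [[["CN", cn]], [["O", "Example Corp"]]],
                               "Keysize": keysize, "Key Type": "RSA", "Key Usage": usage},
        }],
    })

# Constructed inventory: (device type, profile, Certificate Profile ID, Seat ID).
# The two computer profiles share ID "101"; the mobile profile may reuse it.
SAMPLE_PROFILES = [
    ("computer", _profile("Wi-Fi Identity", "https://scep.example.com/", "jdoe", 2048, 5), "101", "jdoe"),
    ("computer", _profile("VPN Identity", "http://scep.example.com/", "jdoe", 1024, 1), "101", "jsmith"),
    ("mobile", _profile("iOS Wi-Fi", "https://scep.example.com/", "jdoe", 2048, 5), "101", "jdoe"),
]

if __name__ == "__main__":
    for name, findings in lint_profiles(SAMPLE_PROFILES).items():
        print(name, "->", findings or "OK")
```

Run against real exports by reading each downloaded .mobileconfig as bytes and filling in the Certificate Profile ID and Seat ID from the profile's SCEP payload settings in Jamf Pro; the "reused" finding is the one that explains otherwise puzzling mis-assigned certificates.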
Step 4: Verifying that DigiCert certificates were properly issued to devices
To verify that a DigiCert certificate was properly issued to a device, open the device record in Jamf Pro, click the History tab, open the Management History category, and confirm that the certificate process completed successfully. On the device itself, the issued certificate should also be present in the keychain (the login keychain for a user-level profile, the System keychain for a computer-level profile) with the expected subject; a subject containing "N/A" means the user's inventory information was incomplete when the certificate was requested.
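Two of the checks above (that the RA file from Step 2 is really Base64 PEM text before it is pasted into Jamf Pro, and that an issued certificate's subject carries no "N/A" placeholders) can be scripted. The following is an added example, not Jamf or DigiCert code, using only the Python standard library: a minimal DER reader that accepts either a PEM PKCS#7 bundle (such as the downloaded .p7b) or a bare PEM certificate, lists the subject attributes of every certificate it contains, and flags "N/A" values. The sample bundle it builds for offline use is constructed and unsigned; only its structure matters. On a managed Mac, real input comes from the downloaded file or from `security find-certificate -a -p`, and `openssl x509 -noout -subject` answers the same question where OpenSSL is available.

```python
import base64
import re

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_DATA = "1.2.840.113549.1.7.1"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C",
              "1.2.840.113549.1.9.1": "emailAddress"}

# ---- minimal DER reader -----------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Children of a constructed value as (tag, inner_value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, end = _read_tlv(value, pos)
        out.append((tag, inner, value[pos:end]))
        pos = end
    return out

def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def pem_to_der(text):
    """Strip PEM armour (any BEGIN/END label) and return the DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found: the file is binary DER, not Base64 text")
    return base64.b64decode("".join(m.group(1).split()))

def certificates_in(der):
    """DER certificates inside a PKCS#7 SignedData bundle; [der] if it is a bare certificate."""
    _, content_info, _ = _read_tlv(der, 0)
    kids = _children(content_info)
    if kids[0][0] != 0x06 or _decode_oid(kids[0][1]) != OID_SIGNED_DATA:
        return [der]
    signed_data = _children(kids[1][1])[0][1]      # [0] EXPLICIT wraps the SignedData SEQUENCE
    for tag, value, _ in _children(signed_data):
        if tag == 0xA0:                            # [0] IMPLICIT SET OF Certificate
            return [raw for _, _, raw in _children(value)]
    return []

def subject_of(cert_der):
    """Subject of a DER X.509 certificate as an ordered list of (attribute, value)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    fields = _children(_children(cert)[0][1])      # TBSCertificate fields
    if fields[0][0] == 0xA0:                       # skip the explicit [0] version if present
        fields = fields[1:]
    subject = fields[4][1]                         # serial, sigAlg, issuer, validity, subject
    rdns = []
    for _, rdn_set, _ in _children(subject):
        for _, atv, _ in _children(rdn_set):
            (_, oid, _), (_, val, _) = _children(atv)[:2]
            rdns.append((ATTR_NAMES.get(_decode_oid(oid), _decode_oid(oid)), val.decode("utf-8")))
    return rdns

def placeholder_attributes(rdns):
    """Attributes carrying the 'N/A' value Jamf Pro writes when user inventory is incomplete."""
    return [attr for attr, val in rdns if val.strip().upper() == "N/A"]

# ---- minimal DER writer, used only to construct the offline sample ----------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)

def _name(pairs):
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _oid(o) + _tlv(0x0C, v.encode()))) for o, v in pairs))

def build_sample_bundle(subject_pairs):
    """Constructed sample: PEM PKCS#7 holding one structurally valid but unsigned certificate."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, _oid(OID_SHA256_RSA))
               + _name([("2.5.4.3", "Sample Issuing CA")])
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
               + _name(subject_pairs) + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + _tlv(0x30, _oid(OID_SHA256_RSA)) + _tlv(0x03, b"\x00"))
    signed = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, _oid(OID_DATA))
                  + _tlv(0xA0, cert) + _tlv(0x31, b""))
    pkcs7 = _tlv(0x30, _oid(OID_SIGNED_DATA) + _tlv(0xA0, signed))
    return "-----BEGIN PKCS7-----\n" + base64.encodebytes(pkcs7).decode() + "-----END PKCS7-----\n"

if __name__ == "__main__":
    pem = build_sample_bundle([("2.5.4.3", "N/A"), ("2.5.4.10", "Example Corp")])  # constructed input
    for cert in certificates_in(pem_to_der(pem)):
        rdns = subject_of(cert)
        print(rdns, "-> missing inventory for:", placeholder_attributes(rdns))
```

If `pem_to_der` raises on the downloaded .p7b, the file is binary DER and is not what the RA Certificate field in Jamf Pro expects; if `placeholder_attributes` reports anything for an issued certificate, fix the user's inventory record and re-issue rather than leaving a certificate with a meaningless subject in circulation.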
Further Considerations
- DigiCert certificates are issued again each time a computer re-enrolls. If the MDM profile is removed from a computer, or the Jamf framework is removed by running sudo jamf removeFramework, new DigiCert certificates are issued when the computer re-enrolls, so a computer that re-enrolls repeatedly accumulates multiple active certificates.
- When configuring the Wi-Fi payload in configuration profiles, DigiCert certificates are not listed under "Trusted Certificates".