Revoking DigiCert Certificates
Certificates issued from Jamf Pro using DigiCert as a CA can be automatically revoked from computers and mobile devices. You can enable automatic certificate revocation while you are configuring DigiCert as a CA in Jamf Pro or afterward. When automatic certificate revocation is enabled and scope has been defined in configuration profiles, DigiCert certificates will be automatically revoked from computers or mobile devices when they fall out of scope.
One method to control scope is to use an extension attribute. For example, if you create an extension attribute to indicate an end user's status, such as "active" or "inactive", you can configure scope so that all "inactive" users are out of scope. This will cause certificates on the computers or mobile devices associated with inactive end users to be automatically revoked.
For more information about extension attributes, see the following sections in the Jamf Pro Administrator's Guide:
Procedure
- Log in to Jamf Pro.
- In the top-right corner of the page, click Settings.
- Click Global Management.
- Click PKI Certificates.
- Click View in the Manage CA column.
- Click Edit.
- To enable automatic certificate revocation, select Enable automatic certificate revocation (default). To disable automatic certificate revocation, select Disable automatic certificate revocation.
- Click Save.
When viewing the list of DigiCert certificates, revoked certificates will have a Status of "Inactive" and a State of "Revoked".
The Jamf Pro revocation service sends revocation requests either every 30 seconds or in batches of 100, whichever constraint is met first. If there are fewer than 100 revocations, the revocation requests are sent 30 seconds after the first configuration profile is set to be removed. If there are 100 or more revocations, the first 100 revocation requests are sent immediately. Subsequent revocation requests are then immediately sent in groups of 100 or are deferred for 30 seconds if fewer than 100 remain.
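The batching rule above can be modelled to estimate how long a certificate stays unrevoked after its profile falls out of scope. This is an added example, not Jamf Pro code; the function names are hypothetical, and it assumes the 30-second timer starts when the oldest still-queued revocation was queued.

```python
def revocation_schedule(queued_at, batch_size=100, max_wait=30.0):
    """Model of the batching rule: returns [(send_time, [queued times]), ...].

    queued_at: seconds at which each profile was set to be removed.
    Assumption (not stated on the page): the 30 s timer runs from the
    oldest revocation still waiting in the queue.
    """
    batches, pending = [], []
    for t in sorted(queued_at):
        # Timer expired before this arrival: the partial batch already went out.
        if pending and t > pending[0] + max_wait:
            batches.append((pending[0] + max_wait, pending))
            pending = []
        pending.append(t)
        # A full batch is sent immediately, without waiting for the timer.
        if len(pending) == batch_size:
            batches.append((t, pending))
            pending = []
    if pending:
        batches.append((pending[0] + max_wait, pending))
    return batches


def summarize(batches):
    """Collapse each batch to (send_time, number_of_requests)."""
    return [(send, len(items)) for send, items in batches]


def max_queue_delay(batches):
    """Longest time any single revocation waited before being sent."""
    return max(send - q for send, items in batches for q in items)


if __name__ == "__main__":
    # Constructed scenarios: all times are seconds from the first removal.
    scenarios = {
        "40 devices at once": [0] * 40,
        "250 devices at once": [0] * 250,
        "60 devices, then 60 more after 10 s": [0] * 60 + [10] * 60,
    }
    for name, arrivals in scenarios.items():
        plan = revocation_schedule(arrivals)
        print(name, summarize(plan), "max wait:", max_queue_delay(plan))
```

The schedule covers only when the revocation request leaves Jamf Pro; under this model the batching itself adds at most 30 seconds per certificate.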