Distributing Certificates Using the Certificate (API) Protocol

After communication between Jamf Pro and DigiCert PKI Platform has been established, you can use Jamf Pro to distribute certificates with DigiCert as the certificate authority (CA) to computers and mobile devices in your environment using configuration profiles.

Certificates are not deployed immediately. When the configuration profile is saved, it is queued while Jamf Pro obtains a certificate from DigiCert. Once the certificate has been issued and the Certificate payload is complete, the configuration profile is deployed to the device. The time this takes depends on server load; it is typically about 5 minutes, or the next device check-in.
Note:

Jamf Pro automatically redistributes the certificate via a configuration profile 10 days before the certificate expires. If the 10-day default setting does not meet your needs, contact Jamf Support.

The procedure requires working in Jamf Pro and the DigiCert PKI Platform in parallel, switching between them as the steps direct. Each configuration is unique to your environment, and additional steps may be necessary.

The procedure involves the following steps:

  1. Adding a New Certificate Profile in the DigiCert PKI Platform

  2. Configuring DigiCert as a Certificate Authority in Jamf Pro

  3. Distributing DigiCert Certificates to Devices Using Configuration Profiles

  4. Verifying That DigiCert Certificates Were Properly Issued to Devices

Step 1: Adding a New Certificate Profile in the DigiCert PKI Platform

  1. Log in to the DigiCert PKI Platform.
  2. Navigate to Settings > Manage certificate profiles.
  3. Click Add certificate profiles to set up a new certificate profile and proceed with the onscreen instructions.
  4. Continue to add certificate profiles until a profile has been created for each DigiCert certificate.

Step 2: Configuring DigiCert as a Certificate Authority in Jamf Pro

The following steps register the Jamf Pro server with the CA as a registration authority (RA), so that Jamf Pro can make certificate-authenticated requests to DigiCert on behalf of your devices.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global Management section, click PKI Certificates.
  3. Click Configure New Certificate Authority.
  4. Select "DigiCert" as the PKI Provider, click Next, and proceed with the DigiCert Certificate Profiles Assistant.
  5. Copy the CSR from Jamf Pro and click Next.
  6. When prompted, navigate to the DigiCert PKI Platform website (https://pki-manager.symauth.com/pki-manager/), and complete the following steps:
    1. Enter your PIN. If necessary, choose which certificate should be used for authentication.
    2. Navigate to Settings > Get an RA certificate.
    3. Paste the CSR that you copied from Jamf Pro, enter a certificate friendly name, and click Continue.
    4. Click Download to download the generated DigiCert RA certificate and click Done.
  7. Open the downloaded RA certificate file (.p7b) in a text editor and copy its entire contents, including the BEGIN and END lines. If the file opens as binary data rather than Base64 text, it was saved DER-encoded and must be converted to PEM before it can be pasted.
  8. In Jamf Pro, click Next.
  9. Enter the "DigiCert CA Configuration Name", paste the copied RA certificate into the RA Certificate Copied from DigiCert field, and click Next.
  10. If you want to automatically revoke certificates from computers or mobile devices, select Enable automatic certificate revocation. For more information, see Revoking DigiCert Certificates.
  11. Click Done.
If the new Certificate Authority is configured successfully, it will be listed in the PKI Certificates table.
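The two helpers below are an added example for step 7, not code from the Jamf Pro or DigiCert documentation. Using only the Python standard library, they turn a DigiCert RA bundle that a browser saved as binary DER into the Base64 PEM text a paste field needs, and sanity-check a pasted blob for the usual copy mistakes (truncated footer, two bundles pasted together, Base64 that no longer decodes). The PKCS7 PEM label and the assumption that Jamf Pro accepts the PKCS#7 bundle as DigiCert delivers it are assumptions made for the example.

```python
import base64
import re

# PEM label for a PKCS#7 bundle (assumption: this is the form DigiCert ships
# and the form the Jamf Pro "RA Certificate" field expects).
PKCS7_HEADER = "-----BEGIN PKCS7-----"
PKCS7_FOOTER = "-----END PKCS7-----"


def p7b_to_pem(data: bytes) -> str:
    """Return the RA certificate bundle as PEM text ready to paste.

    A .p7b is usually already Base64 PEM, but some browsers save it as
    binary DER, which cannot be pasted into a text field; that case is
    re-encoded here.  Line endings are normalised so no stray \\r is pasted.
    """
    stripped = data.strip()
    if stripped.startswith(b"-----BEGIN"):
        return stripped.decode("ascii").replace("\r\n", "\n")
    if stripped[:1] == b"\x30":  # ASN.1 SEQUENCE tag: the file is binary DER
        b64 = base64.b64encode(stripped).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        return "\n".join([PKCS7_HEADER, *lines, PKCS7_FOOTER])
    raise ValueError("not a PEM or DER PKCS#7 file")


# One PEM block: the BEGIN and END labels must match (backreference \1).
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S
)


def check_pasted_pem(text: str) -> dict:
    """Sanity-check PEM text before it goes into the RA Certificate field.

    Flags a paste that does not contain exactly one block (truncated footer,
    or several bundles concatenated) and a body that is not valid Base64 or
    does not decode to DER.
    """
    text = text.replace("\r\n", "\n")
    blocks = _PEM_BLOCK.findall(text)
    result = {"blocks": [label for label, _ in blocks], "problems": []}
    if len(blocks) != 1:
        result["problems"].append(
            f"expected exactly one PEM block, found {len(blocks)}"
        )
    for label, body in blocks:
        try:
            # validate=True rejects characters outside the Base64 alphabet;
            # bad padding also raises (binascii.Error is a ValueError).
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            result["problems"].append(f"{label}: body is not valid Base64")
            continue
        if der[:1] != b"\x30":
            result["problems"].append(f"{label}: decoded data is not DER")
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read()  # path to the downloaded .p7b
    pem = p7b_to_pem(raw)
    print(pem)
    print(check_pasted_pem(pem))
```

Run it as `python3 ra_check.py RA.p7b`; the printed PEM is what you paste into the RA Certificate Copied from DigiCert field, and a non-empty problems list means the paste would be rejected or, worse, silently wrong.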

Step 3: Distributing DigiCert Certificates to Devices Using Configuration Profiles

After DigiCert has been added as a CA in Jamf Pro and communication between Jamf Pro and DigiCert has been established, you can distribute a certificate issued by the DigiCert CA using configuration profiles in Jamf Pro. A configuration profile defines settings that allow computers and mobile devices to install the DigiCert-issued certificate and to use it to access resources such as VPN or Wi-Fi.

Using the Certificate payload in Jamf Pro, you can request a DigiCert-issued certificate and distribute it directly to devices.

Requirements

Ensure the requirements for distributing configuration profiles are met by reviewing the corresponding sections of the Jamf Pro Documentation.

Procedure

  1. In Jamf Pro, click Computers or Devices at the top of the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method. Only payloads and settings that apply to the selected level are displayed for the profile.
  5. Select the Certificate payload, click Configure, and do the following:
    1. Enter a display name and then choose a DigiCert instance from the Select Certificate Option pop-up menu.
    2. Use the settings on the pane to specify information about the CA.
  6. Configure additional payloads for the profile to allow users to access resources such as VPN or Wi-Fi. Depending on how the resource authenticates the device, you may need to select the certificate from the Certificate payload within that payload (for example, as the identity certificate for certificate-based authentication) or add it as a trusted certificate.
  7. Click the Scope tab and configure the scope of the profile. If your PKI has been configured to automatically revoke certificates, you must configure the scope of the profile to ensure the certificates are automatically revoked from devices that fall out of the scope. For more information, see Revoking DigiCert Certificates.
  8. Click Save. If prompted, select Distribute to All to issue DigiCert certificates to every device in the scope, not only to newly assigned devices.
    Important:

    Inventory information for the user assigned to a device must be complete for the certificate to be issued with the expected subject. Jamf Pro still issues the certificate when user data is incomplete, but records "N/A" for each missing attribute, so check user inventory before scoping the profile.

  9. Repeat the process for all configuration profiles configured in Jamf Pro to issue DigiCert Managed PKI services certificates to computers or mobile devices.

Step 4: Verifying That DigiCert Certificates Were Properly Issued to Devices

To verify that a DigiCert certificate was properly issued to a device, navigate to the device record in Jamf Pro, click the History tab, open the Management History category, and confirm that the profile installation command is listed as completed rather than pending or failed.
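The following is an added example, not code from the Jamf Pro documentation, covering the two checks a practitioner wants around Step 3 and Step 4: a pre-flight pass over the devices you are about to scope that reports which user attributes would be recorded as "N/A" in the certificate, and a summary of a device's management history that says whether the most recent profile installation command completed, is pending or failed. The record shapes (a computer record with a "location" section, a history record with "commands" split into completed, pending and failed lists, the InstallProfile command name and the *_epoch field names) follow the Jamf Pro Classic API as the author understands it but are assumptions here; the sample records are constructed, and the list of required user attributes is an assumption that in practice comes from your DigiCert certificate profile.

```python
# Attributes read from the device's user inventory to build the certificate
# subject.  ASSUMPTION: the real set is defined by your DigiCert certificate
# profile; these four are used for the example.
REQUIRED_USER_ATTRIBUTES = ("username", "real_name", "email_address", "department")

# ASSUMPTION: which epoch field each command list carries (Classic API shape).
EPOCH_FIELD = {
    "completed": "completed_epoch",
    "pending": "issued_epoch",
    "failed": "failed_epoch",
}


def missing_user_attributes(computer: dict, required=REQUIRED_USER_ATTRIBUTES) -> list:
    """Return the user attributes that would be recorded as "N/A" in the certificate.

    Empty strings, None and a literal "N/A" already sitting in inventory all
    count as missing.
    """
    location = computer.get("location") or {}
    missing = []
    for attr in required:
        value = str(location.get(attr) or "").strip()
        if not value or value.upper() == "N/A":
            missing.append(attr)
    return missing


def preflight_scope(computers: list, required=REQUIRED_USER_ATTRIBUTES) -> dict:
    """Map each device with incomplete user inventory to its missing attributes.

    Run this over the devices you are about to scope before clicking Save;
    an empty result means every certificate will carry a complete subject.
    """
    report = {}
    for computer in computers:
        missing = missing_user_attributes(computer, required)
        if missing:
            report[computer["general"]["name"]] = missing
    return report


def install_profile_status(history: dict) -> dict:
    """Summarise InstallProfile commands from one device's management history.

    The verdict follows the most recent command: "issued" if it completed,
    "pending" if it is still queued, "failed" if it failed with no later
    success, and "no_command" if no profile install was ever issued.
    """
    commands = (history.get("computer_history") or {}).get("commands") or {}
    events, counts = [], {}
    for state, epoch_field in EPOCH_FIELD.items():
        entries = [c for c in commands.get(state, []) if c.get("name") == "InstallProfile"]
        counts[state] = len(entries)
        events.extend((c.get(epoch_field, 0), state) for c in entries)
    if not events:
        return {"verdict": "no_command", "counts": counts, "latest_epoch": None}
    epoch, state = max(events)
    verdict = {"completed": "issued", "pending": "pending", "failed": "failed"}[state]
    return {"verdict": verdict, "counts": counts, "latest_epoch": epoch}


# Constructed sample records (not real inventory or history data).
SAMPLE_COMPUTERS = [
    {"general": {"name": "MBP-0421"},
     "location": {"username": "jdoe", "real_name": "Jane Doe",
                  "email_address": "jdoe@example.com", "department": "Security"}},
    {"general": {"name": "MBP-0422"},
     "location": {"username": "rroe", "real_name": "",
                  "email_address": "rroe@example.com"}},
]

SAMPLE_HISTORY = {
    "computer_history": {
        "commands": {
            "completed": [{"name": "InstallProfile", "completed_epoch": 1700000300000}],
            "pending": [],
            "failed": [{"name": "InstallProfile", "failed_epoch": 1700000100000,
                        "status": "Profile installation failed"}],
        }
    }
}

if __name__ == "__main__":
    print("devices that would get N/A attributes:", preflight_scope(SAMPLE_COMPUTERS))
    print("profile install status:", install_profile_status(SAMPLE_HISTORY))
```

In practice you would feed `preflight_scope` the computer records of the profile's scope and `install_profile_status` each device's history record, both fetched from the Jamf Pro API, and treat a non-empty pre-flight report as a reason to fix inventory before distributing the profile.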