Distributing Certificates Using the SCEP Protocol

After communication between Jamf Pro and DigiCert PKI Platform has been established, you can use Jamf Pro to distribute certificates with DigiCert as the certificate authority (CA) to computers and mobile devices in your environment using configuration profiles.

When certificates are distributed using the SCEP protocol, traffic goes directly to DigiCert PKI Platform. Traffic does not proxy through Jamf Pro. This enables both dynamic challenges and automatic revocation to harden your certificate security in SCEP workflows.

The procedure involves the following steps:

  1. Adding a New Certificate Profile in the DigiCert PKI Platform

  2. Configuring DigiCert as a Certificate Authority in Jamf Pro

  3. Distributing DigiCert Certificates to Devices Using Configuration Profiles

  4. Verifying that DigiCert Certificates Were Properly Issued to Devices

Step 1: Adding a New Certificate Profile in the DigiCert PKI Platform

  1. Log in to the DigiCert PKI Platform.
  2. Navigate to Settings > Manage certificate profiles.
  3. Click Add certificate profiles to set up a new certificate profile and proceed with the onscreen instructions.
  4. Continue to add certificate profiles until a profile has been created for each DigiCert certificate.

Step 2: Configuring DigiCert as a Certificate Authority in Jamf Pro

The following steps are required by the CA so the Jamf Pro server can make certificate-authenticated requests to the CA as a registration authority (RA).

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global Management section, click PKI Certificates.
  3. Click Configure New Certificate Authority.
  4. Select "DigiCert" as the PKI Provider, click Next, and proceed with the DigiCert Certificate Profiles Assistant.
  5. Copy the CSR from Jamf Pro and click Next.
  6. When prompted, navigate to the DigiCert PKI Platform website (https://pki-manager.symauth.com/pki-manager/), and complete the following steps:
    1. Enter your PIN. If necessary, choose which certificate should be used for authentication.
    2. Navigate to Settings > Get an RA certificate.
    3. Paste the CSR that you copied from Jamf Pro, enter a certificate friendly name, and click Continue.
    4. Click Download to download the generated DigiCert RA certificate and click Done.
  7. Open the downloaded RA certificate file (.p7b) in any text editor, and copy the contents.
  8. In Jamf Pro, click Next.
  9. Enter the "DigiCert CA Configuration Name", paste the copied RA certificate into the RA Certificate Copied from DigiCert field, and click Next.
  10. If you want to automatically revoke certificates from computers or mobile devices, select Enable automatic certificate revocation. For more information, see Revoking DigiCert Certificates.
  11. Click Done.
If the new Certificate Authority is configured successfully, it will be listed in the PKI Certificates table.
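Steps 5 and 7 move two PEM text artifacts by copy and paste: the CSR out of Jamf Pro and the RA certificate bundle (.p7b) out of DigiCert. A .p7b saved in binary DER looks like garbage in a text editor and will not be accepted when pasted. The following Python is an added example (it is not part of the Jamf Pro or DigiCert documentation or tooling) that classifies such a file or pasted text and refuses a binary bundle with a pointer to the standard OpenSSL conversion. The function names, return labels and the minimal sample DER blob are the example's own; the PEM labels and the PKCS#7 signedData OID are the standard ones.

```python
import base64
import re

# PEM block grammar (RFC 7468). The labels checked below are the standard ones
# carried by the files exchanged in Step 2: "CERTIFICATE REQUEST" for the CSR
# copied out of Jamf Pro, "PKCS7" for the .p7b RA certificate bundle from DigiCert.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>[A-Za-z0-9+/=\s]*?)-----END (?P=label)-----"
)
ASN1_SEQUENCE = b"\x30"
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), the outer
# content type of every .p7b bundle.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block in text; ValueError on bad base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group("body").split())
        der = base64.b64decode(body, validate=True)  # raises on non-base64 characters
        blocks.append((match.group("label"), der))
    return blocks


def classify_export(data: bytes) -> str:
    """Classify a file or pasted text from the CA setup (labels are this example's own):
    'pem-pkcs7'               RA certificate bundle as text: this is what Jamf Pro expects
    'pem-certificate'         plain certificate chain as text
    'pem-certificate-request' the CSR copied from Jamf Pro
    'der-pkcs7'               binary .p7b: a text editor shows garbage, convert first
    'der-unknown'             some other binary ASN.1 structure
    'invalid'                 none of the above"""
    if data[:1] == ASN1_SEQUENCE:
        return "der-pkcs7" if SIGNED_DATA_OID in data else "der-unknown"
    try:
        blocks = pem_blocks(data.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return "invalid"
    # Every decoded body must itself be a DER SEQUENCE, whatever the label says.
    if not blocks or any(der[:1] != ASN1_SEQUENCE for _, der in blocks):
        return "invalid"
    labels = {label for label, _ in blocks}
    if labels == {"PKCS7"} and all(SIGNED_DATA_OID in der for _, der in blocks):
        return "pem-pkcs7"
    if labels == {"CERTIFICATE"}:
        return "pem-certificate"
    if labels == {"CERTIFICATE REQUEST"}:
        return "pem-certificate-request"
    return "invalid"


def ra_certificate_text_for_jamf(data: bytes) -> str:
    """Return the text to paste into 'RA Certificate Copied from DigiCert', or raise."""
    kind = classify_export(data)
    if kind == "der-pkcs7":
        raise ValueError("binary .p7b: convert to PEM first, e.g. "
                         "openssl pkcs7 -inform DER -in ra.p7b -outform PEM -out ra.pem")
    if kind not in ("pem-pkcs7", "pem-certificate"):
        raise ValueError(f"not an RA certificate export ({kind})")
    return data.decode("ascii").strip()


# Constructed sample: a minimal PKCS#7 ContentInfo (signedData type, empty content).
# It is NOT a real DigiCert RA certificate; it only exercises the structural checks.
SAMPLE_RA_P7B_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")
SAMPLE_RA_P7B_PEM = ("-----BEGIN PKCS7-----\n"
                     + base64.encodebytes(SAMPLE_RA_P7B_DER).decode()
                     + "-----END PKCS7-----\n")

if __name__ == "__main__":
    print(classify_export(SAMPLE_RA_P7B_DER))            # der-pkcs7
    print(classify_export(SAMPLE_RA_P7B_PEM.encode()))   # pem-pkcs7
```

Run it on the downloaded file with `classify_export(open("ra.p7b", "rb").read())`; only a result of `pem-pkcs7` (or `pem-certificate`) is text that can be pasted into the RA Certificate field as step 9 describes.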

Step 3: Distributing DigiCert Certificates to Devices Using Configuration Profiles

After DigiCert has been added as a CA in Jamf Pro and communication between Jamf Pro and DigiCert has been established, you can distribute a certificate with DigiCert as the CA using configuration profiles in Jamf Pro. A configuration profile defines settings that let computers and mobile devices install the CA certificate and that give users access to resources such as VPN or Wi-Fi.

Requirements

Ensure the requirements for distributing configuration profiles are met by reviewing the following sections of the Jamf Pro Documentation:

  1. In Jamf Pro, click Computers or Devices at the top of the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method. Only payloads and settings that apply to the selected level are displayed for the profile.
  5. To enable devices to communicate directly with the SCEP server to obtain the CA certificate, select the SCEP payload, click Configure, and do the following:
    1. Enter the provided SCEP enrollment URL from the DigiCert Certificate Profile.
    2. Enter the name of the certificate authority that appears on the DigiCert Configuration Profile in the Name field.
    3. Choose Dynamic-DigiCert from the Challenge Type pop-up menu and select the DigiCert PKI instance you want to use.
    4. Choose the Certificate Profile ID and the Seat ID you want to use for the SCEP challenge.
      Note:

      The OIDs listed in the Configuration Profile setup page in Jamf Pro relate to the OIDs of the Certificate Profile records in the DigiCert PKI Manager. You can compare the OIDs to help ensure the Configuration Profile settings are valid and align with settings defined in the Certificate Profile record within the DigiCert PKI Manager.

      The combination of a Certificate Profile ID and Seat ID can only be used once for each configuration profile.

      You should use a Certificate Profile ID only once for each configuration profile. Reusing a Certificate Profile ID for multiple configuration profiles of the same device type can cause certificates to be incorrectly assigned. However, you can reuse the same Certificate Profile ID for configuration profiles of different device types (e.g., one computer configuration profile and one mobile device configuration profile).

      It is recommended that the Seat ID used for SCEP profiles is the same as the CN used in the Subject field.

      Depending on the requirements of the Certificate Profile being used in DigiCert, you may be required to configure additional settings (e.g., Key Size, Use a digital signature, and Use for key encipherment).

  6. Configure additional payloads for the profile to allow users to access resources such as VPN or Wi-Fi. Depending on how you enable devices to install the CA certificate, you may need to add the certificate to the additional payload as a trusted certificate.
  7. Click the Scope tab and configure the scope of the profile. If your PKI has been configured to automatically revoke certificates, you must configure the scope of the profile to ensure the certificates are automatically revoked from devices that fall out of the scope. For more information, see Revoking DigiCert Certificates.
  8. Click Save and select Distribute to All if you want to issue DigiCert certificates to all devices.
    Important:

    Inventory information for a user must be complete to properly issue a DigiCert certificate to a device. If there is incomplete data in inventory information for a user in Jamf Pro, DigiCert certificates will be issued with "N/A" recorded for the missing attributes.

  9. Repeat the process for all configuration profiles configured in Jamf Pro to issue DigiCert Managed PKI services certificates to computers or mobile devices.
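The note under step 5 states several constraints that are easy to get wrong across many profiles: the SCEP URL must be the HTTPS enrollment URL, the Challenge Type must be Dynamic-DigiCert, the Seat ID should equal the Subject CN, a Certificate Profile ID and Seat ID pair may appear only once per configuration profile, and the Key Size and key usage must match the DigiCert certificate profile. The following Python is an added example (not Jamf's or DigiCert's code) that checks exported configuration profiles against those rules. The Apple SCEP payload keys (`PayloadType`, `URL`, `Name`, `Subject`, `Keysize`, `Key Usage`) are the documented ones; the `JamfChallenge` dictionary and its `ChallengeType`, `CertificateProfileID` and `SeatID` keys are assumed names that only model the Jamf Pro UI fields, and the sample profiles, host name and OID placeholders are constructed.

```python
import plistlib
from collections import Counter

SCEP_PAYLOAD_TYPE = "com.apple.security.scep"   # Apple SCEP payload type
KEY_USAGE_SIGNING = 1        # Apple "Key Usage" bit for "Use as a digital signature"
KEY_USAGE_ENCIPHERMENT = 4   # Apple "Key Usage" bit for "Use for key encipherment"
# ASSUMED: how the Jamf-side dynamic challenge fields are modelled in this example.
JAMF_CHALLENGE_KEY = "JamfChallenge"


def subject_cn(subject):
    """Return the CN from Apple's nested Subject form, e.g. [[["CN", "jdoe"]], [["O", "Corp"]]]."""
    for rdn in subject:
        for attr_type, value in rdn:
            if attr_type == "CN":
                return value
    return None


def check_scep_profile(profile_plist, required_key_usage=KEY_USAGE_SIGNING | KEY_USAGE_ENCIPHERMENT,
                       min_key_size=2048):
    """Validate every SCEP payload in one configuration profile against the rules in the
    note above. required_key_usage and min_key_size depend on the DigiCert certificate
    profile, so they are parameters. Returns a list of findings; empty means it passes."""
    profile = plistlib.loads(profile_plist)
    findings = []
    combos = Counter()   # (Certificate Profile ID, Seat ID) -> occurrences in this profile
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != SCEP_PAYLOAD_TYPE:
            continue
        label = payload.get("PayloadDisplayName", payload.get("PayloadIdentifier", "?"))
        content = payload.get("PayloadContent", {})
        if not content.get("URL", "").startswith("https://"):
            findings.append(f"{label}: URL must be the HTTPS SCEP enrollment URL from the DigiCert certificate profile")
        if not content.get("Name"):
            findings.append(f"{label}: Name (the CA name shown in the DigiCert configuration profile) is empty")
        cn = subject_cn(content.get("Subject", []))
        if cn is None:
            findings.append(f"{label}: Subject has no CN")
        challenge = content.get(JAMF_CHALLENGE_KEY, {})
        if challenge.get("ChallengeType") != "Dynamic-DigiCert":
            findings.append(f"{label}: Challenge Type must be Dynamic-DigiCert")
        seat_id = challenge.get("SeatID")
        profile_id = challenge.get("CertificateProfileID")
        if seat_id != cn:
            findings.append(f"{label}: Seat ID {seat_id!r} should equal the Subject CN {cn!r}")
        combos[(profile_id, seat_id)] += 1
        usage = int(content.get("Key Usage", 0))
        if (usage & required_key_usage) != required_key_usage:
            findings.append(f"{label}: Key Usage {usage} lacks required bits {required_key_usage}")
        if int(content.get("Keysize", 0)) < min_key_size:
            findings.append(f"{label}: Keysize below {min_key_size}")
    for (profile_id, seat_id), count in combos.items():
        if count > 1:
            findings.append(f"Certificate Profile ID {profile_id!r} with Seat ID {seat_id!r} "
                            f"is used {count} times in one configuration profile")
    return findings


def scep_payload(name, url, cn, profile_id, seat_id, key_usage=5, keysize=2048):
    """Build a constructed SCEP payload dictionary for the samples below."""
    return {
        "PayloadType": SCEP_PAYLOAD_TYPE, "PayloadVersion": 1,
        "PayloadIdentifier": f"example.scep.{name}", "PayloadDisplayName": name,
        "PayloadContent": {
            "URL": url, "Name": "DigiCert PKI (constructed)",
            "Subject": [[["CN", cn]], [["O", "Example Corp"]]],
            "Keysize": keysize, "Key Type": "RSA", "Key Usage": key_usage,
            JAMF_CHALLENGE_KEY: {"ChallengeType": "Dynamic-DigiCert",
                                 "CertificateProfileID": profile_id, "SeatID": seat_id},
        },
    }


def profile(name, payloads):
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": f"example.profile.{name}",
                           "PayloadDisplayName": name, "PayloadContent": payloads})


# Constructed samples; the host and the OID placeholder are not real DigiCert values.
GOOD_PROFILE = profile("wifi-good", [
    scep_payload("wifi", "https://pki-ws.example/scep", "jdoe", "<certificate-profile-oid-A>", "jdoe")])
BAD_PROFILE = profile("wifi-vpn-bad", [
    scep_payload("wifi", "http://pki-ws.example/scep", "jdoe", "<certificate-profile-oid-A>", "jdoe"),
    scep_payload("vpn", "https://pki-ws.example/scep", "jdoe", "<certificate-profile-oid-A>", "jdoe",
                 key_usage=KEY_USAGE_SIGNING, keysize=1024)])

if __name__ == "__main__":
    print(check_scep_profile(GOOD_PROFILE))   # []
    for finding in check_scep_profile(BAD_PROFILE):
        print(finding)
```

Because the Certificate Profile ID and Seat ID rule is per configuration profile, run the check once per exported profile; reusing a profile ID across a computer profile and a mobile device profile is allowed by the note and is not flagged here.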

Step 4: Verifying That DigiCert Certificates Were Properly Issued to Devices

To verify that a DigiCert certificate was properly issued to a device, navigate to the device record in Jamf Pro, click the History tab, open the Management History category, and confirm the certificate process completed successfully.