Configuring the Jamf AD CS Connector (IIS) to Use an Alternate Client Certificate

The AD CS Connector installer creates its own client certificate and the matching IIS one-to-one client certificate mapping when it is installed. However, if your organization prefers a certificate issued by an internal CA or a third-party CA, you can configure the AD CS Connector to use an alternate client certificate by replacing the certificate stored in that mapping.

Requirements
  • The client certificate that you want to use.

  • The client certificate is in .pfx or .p12 format (your PKI team usually provides it in this format).

  • The client certificate is already installed in the server's certificate store (Local Computer > Personal), so that it can be exported in the steps below.

  1. Click the Start menu, select Run, and then enter certlm.msc to open the Certificates console for the local computer.

  2. Navigate to the client certificate you want to use, right-click on the identity, and select All Tasks > Export.

  3. The Certificate Export Wizard guides you through the export process.

    When prompted, do not export the private key; instead select the Base-64 encoded X.509 (.cer) export file format. The exported file then contains only the public certificate and no secret, so it is safe to open and edit in Notepad.

  4. Open the exported .cer file with Notepad and delete the following lines:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  5. Remove the line breaks (the .cer file wraps the Base-64 text at 64 characters) so that the certificate content is on one line.
    You can do this by doing one of the following:
    • Manually remove the line breaks.

    • Copy and paste the content into a browser window and copy it back to Notepad.

    The result is a single unbroken line of Base-64 text with no spaces, headers, or line breaks.

  6. Open Internet Information Services (IIS) Manager.
  7. In the Connections sidebar, open the Sites folder, click on the Jamf AD CS Connector site (by default called "AdcsProxy"), and double-click Configuration Editor.

  8. Click the Section pop-up menu, and navigate to system.webServer > security > authentication > iisClientCertificateMappingAuthentication.

  9. Click oneToOneMappings, and click the ... button to the right of the configuration entry.

    The collection editor displays the existing client certificate mapping(s). The certificate value is the Base-64 encoded client certificate (the entire certificate, not just its public key); IIS authenticates the client only when the certificate it presents matches this value exactly.
  10. Click certificate in the Properties list and replace the long string in the right field (the base-64 encoded certificate) with the string you obtained earlier using Notepad.

  11. In the Actions sidebar, click Apply to save the changes. Then close the Configuration Editor window.

  12. Return to the AdcsProxy site in the IIS Manager window and click Restart in the Actions sidebar.

    Because the one-to-one mapping matches this exact certificate, repeat this procedure whenever the client certificate is renewed or reissued; to IIS, a renewed certificate is a different certificate even if the subject and key pair are unchanged.
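The same export and mapping update, scripted in PowerShell from an elevated prompt on the connector server. This is an added example, not part of Jamf's documentation or the connector's own tooling. It assumes the alternate certificate is already in Local Computer > Personal, that you identify it by thumbprint ($Thumbprint below is a placeholder to replace with the real value from certlm.msc), and that the site keeps the default name AdcsProxy. Exporting the certificate with the Cert content type and Base-64 encoding the DER bytes produces the same single-line string as steps 3 to 5, without the Notepad editing, and the WebAdministration module addresses the mapping entry with a userName predicate in the configuration filter.

```powershell
# Added example (not Jamf's tooling): automate steps 2-5 and 8-12 of the procedure above.
# Assumptions: certificate already in Cert:\LocalMachine\My, identified by $Thumbprint
# (placeholder value, replace it), and the connector site is named AdcsProxy.
Import-Module WebAdministration

$Thumbprint = 'AA11BB22CC33DD44EE55FF6600112233445566AA'   # placeholder, replace with your certificate's thumbprint
$SiteName   = 'AdcsProxy'
$Filter     = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication/oneToOneMappings'
$PSPath     = "IIS:\Sites\$SiteName"

# 1. Locate the certificate in the Local Computer > Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# 2. Export only the public certificate (DER) and Base-64 encode it on one line.
#    This equals the body of a Base-64 .cer file with the BEGIN/END lines and line
#    breaks removed, which is what the 'certificate' attribute expects. The private
#    key never leaves the store.
$derBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$base64   = [Convert]::ToBase64String($derBytes)

# 3. Replace the certificate on each existing mapping entry (the connector installs one).
$mappings = Get-WebConfiguration -Filter "$Filter/add" -PSPath $PSPath
if (-not $mappings) { throw "No oneToOneMappings entry found for site $SiteName" }
foreach ($m in $mappings) {
    Set-WebConfigurationProperty -PSPath $PSPath `
        -Filter "$Filter/add[@userName='$($m.userName)']" `
        -Name certificate -Value $base64
    Write-Host "Updated client certificate mapping for user '$($m.userName)'"
}

# 4. Verify: decode what IIS stored and compare thumbprints with the intended certificate.
#    A mismatch (stray line break, wrong file pasted) means IIS will not authenticate the client.
foreach ($m in (Get-WebConfiguration -Filter "$Filter/add" -PSPath $PSPath)) {
    $stored = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                  [Convert]::FromBase64String($m.certificate))
    if ($stored.Thumbprint -ne $cert.Thumbprint) {
        throw "Mapping for '$($m.userName)' holds thumbprint $($stored.Thumbprint), expected $($cert.Thumbprint)"
    }
    Write-Host "Mapping for '$($m.userName)' verified against thumbprint $($stored.Thumbprint)"
}

# 5. Restart the site so the new mapping takes effect (step 12).
Stop-Website  -Name $SiteName
Start-Website -Name $SiteName
```

The verification loop in step 4 is the check worth keeping even if you edit the mapping by hand in Configuration Editor: it reads the stored value back, decodes it, and confirms the thumbprint before the site is restarted, so a truncated paste or a leftover line break is caught before Jamf Pro starts failing to authenticate.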