Creating a Configuration Profile with a Certificate Payload in Jamf Pro

Important: To issue and revoke certificates with a Venafi integration, the Venafi TPP user configured on the Venafi CA will need the following permissions in Venafi TPP: View, Read, Write, Create, Revoke, Private Key Read. The Venafi TPP user must also have Allow WebSDK Access enabled in Venafi TPP.

You must associate the Venafi PKI instance with a computer or mobile device configuration profile in Jamf Pro so that when the configuration profile is deployed to a device, the correct certificate is issued to that device.

You can use the Certificate payload in a configuration profile to issue the Venafi certificates. After the configuration profile is installed on the devices and the certificates are issued, you can redistribute or revoke the certificates from a device if it falls out of scope.

One method to control scope is to use an extension attribute. For example, if you create an extension attribute to indicate an end user's status, such as "active" or "inactive", you can configure scope so that all "inactive" users are out of scope. This will cause certificates on the computers or mobile devices associated with inactive end users to be automatically revoked.

For more information about extension attributes, see the following sections in the Jamf Pro Administrator's Guide:

  1. Log in to Jamf Pro.

  2. Create a new computer or mobile device configuration profile.

  3. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.

  4. Select the Certificate payload and click Configure.

  5. In the Select Certificate Option pop-up menu, select your Venafi CA.

  6. Enter the subject name.

    Note: You only need to enter the common name (CN) if all of the other subject attributes will be provided by the Venafi TPP.

  7. Enter the other certificate attributes, including UPNs, email addresses, and DNS names. The required settings vary depending on your policy.

  8. The Key Type, Key Length, and Signature Hash values on the configuration profile may be overridden by the CA Template that is set on the Policy in Venafi TPP.

    Note: If the Key Type, Key Length, and Signature Hash values are locked on the Policy in Venafi TPP, and the values in the configuration profile do not match the Policy, the certificate will fail to be issued.

  9. (Optional) Provide a CA Distinguished Name that will correspond to a CA Template in Venafi TPP.

    Note: If both the CA Distinguished Name and the Zone are set in Jamf Pro, and the CA Distinguished Name is different from the CA Template specified on the Policy in Venafi TPP, the CA Distinguished Name overrides the CA Template used for issuing certificates.

  10. Provide the Zone that will be the path to the Policy in Venafi TPP for issuing certificates, similar to the following:

    \VED\Policy\<PATH>\<TO>\<POLICY>

    Note: \VED should be the root of the path.

  11. Click the Scope tab and configure the scope of the profile.

  12. Click Save.
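Steps 8 through 10 describe three rules that decide whether issuance succeeds: the Zone path must be rooted at \VED, key settings that are locked on the Venafi Policy must match the payload exactly, and a CA Distinguished Name set in Jamf Pro overrides the Policy's CA Template. The following pre-flight checker is an added example written for this page, not Jamf or Venafi code; it models those rules so an administrator can catch a mismatch before saving the profile and discovering the failure on a device. The `VenafiPolicy` field names, and the sample paths in the demo at the bottom, are assumptions constructed for the example.

```python
"""Pre-flight checks for a Jamf Pro Certificate payload that targets a Venafi CA.

Added example (not Jamf or Venafi code). The VenafiPolicy fields are an
assumed, simplified view of the Venafi TPP Policy a Zone points at.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 10 note: \VED is the root of every Zone path.
ZONE_ROOT = "\\VED\\Policy\\"


@dataclass
class CertificatePayload:
    """Values entered in the Jamf Pro Certificate payload (steps 6-10)."""
    common_name: str
    zone: str
    key_type: str = "RSA"
    key_length: int = 2048
    signature_hash: str = "SHA256"
    ca_distinguished_name: Optional[str] = None   # step 9, optional


@dataclass
class VenafiPolicy:
    """Assumed view of the Venafi TPP Policy the Zone resolves to."""
    path: str
    ca_template: str
    key_type: str = "RSA"
    key_length: int = 2048
    signature_hash: str = "SHA256"
    key_settings_locked: bool = False   # locked values cannot be overridden


def validate_zone(zone: str) -> List[str]:
    """Return problems with the Zone path; empty list means it looks valid."""
    problems = []
    if "/" in zone:
        problems.append("Zone uses forward slashes; Venafi paths are backslash-separated")
    if not zone.startswith(ZONE_ROOT):
        problems.append(f"Zone {zone!r} must start with {ZONE_ROOT!r} (\\VED is the root)")
    elif zone.rstrip("\\") == ZONE_ROOT.rstrip("\\"):
        problems.append("Zone names no Policy folder below \\VED\\Policy")
    return problems


def effective_ca_template(payload: CertificatePayload, policy: VenafiPolicy) -> str:
    """Step 9 note: a CA DN set in Jamf Pro overrides the Policy's CA Template."""
    dn = payload.ca_distinguished_name
    if dn and dn != policy.ca_template:
        return dn
    return policy.ca_template


def check_key_settings(payload: CertificatePayload, policy: VenafiPolicy):
    """Step 8 note: return (errors, warnings) for key type, length and hash.

    Locked Policy values that differ from the payload make issuance fail
    (error). Unlocked values are overridden by the CA Template (warning only).
    """
    mismatches = []
    for name in ("key_type", "key_length", "signature_hash"):
        want, have = getattr(policy, name), getattr(payload, name)
        if str(want).upper() != str(have).upper():
            mismatches.append(f"{name}: payload={have} policy={want}")
    if policy.key_settings_locked:
        return mismatches, []
    return [], [f"{m} (Policy value will override)" for m in mismatches]


def preflight(payload: CertificatePayload, policy: VenafiPolicy) -> Dict:
    """Run every check; 'ok' is True only when no error would block issuance."""
    errors = validate_zone(payload.zone)
    key_errors, warnings = check_key_settings(payload, policy)
    errors += key_errors
    if not payload.common_name.strip():
        errors.append("Subject common name (CN) is required")   # step 6
    return {
        "ok": not errors,
        "errors": errors,
        "warnings": warnings,
        "ca_template": effective_ca_template(payload, policy),
    }


if __name__ == "__main__":
    # Constructed sample values, not real Venafi objects.
    policy = VenafiPolicy(
        path="\\VED\\Policy\\Corp\\Devices",
        ca_template="\\VED\\Policy\\Administration\\CA Templates\\Corp Issuing CA",
        key_settings_locked=True,
    )
    payload = CertificatePayload(
        common_name="mac-01.example.com",
        zone="\\VED\\Policy\\Corp\\Devices",
        key_length=4096,   # differs from the locked Policy: issuance would fail
    )
    for line in preflight(payload, policy)["errors"]:
        print("ERROR:", line)
```

Run the module directly to see the report for the constructed sample; a locked Policy with a differing key length produces one error, which is exactly the situation the step 8 note says ends in a failed issuance. A mismatch against an unlocked Policy is reported as a warning, since the CA Template then silently overrides the payload values.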

Related Information

For more information, see the following sections in the Jamf Pro Administrator's Guide:

© copyright 2002-2020 Jamf. All rights reserved.