Distributing Certificates Using the Certificate (API) Protocol
After communication between Jamf Pro and Venafi TPP has been established, you can use Jamf Pro to distribute certificates with Venafi as the certificate authority (CA) to computers and mobile devices in your environment using configuration profiles.
Certificates are not deployed immediately. The configuration profile is queued to obtain a certificate. Once the Certificate payload and configuration profile are complete, the configuration profile will be deployed to the device. The timeframe for certificate deployment depends on server load and is typically 5 minutes or the next device check-in.
Requirements
Ensure the requirements for distributing configuration profiles are met by reviewing the requirements in the following sections of the Jamf Pro Administrator's Guide:
- Log in to Jamf Pro.
- Create a new computer or mobile device configuration profile.
- Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.
- Select the Certificate payload and click Configure.
- In the Select Certificate Option pop-up menu, select your Venafi CA.
- Enter the subject name.
  Note: You only need to enter the common name (CN) if all of the other subject attributes will be provided by the Venafi TPP.
- Enter other certificate attributes, including UPNs, email addresses, and DNS names. The settings will vary depending on your policy.
- The Key Type, Key Length, and Signature Hash values on the configuration profile may be overridden by the CA Template that is set on the Policy in Venafi TPP.
  Note: If the Key Type, Key Length, and Signature Hash values are locked on the Policy in Venafi TPP, and the values in the configuration profile do not match the Policy, the certificate will fail to be issued.
- (Optional) Provide a CA Distinguished Name that will correspond to a CA Template in Venafi TPP.
  Note: If the CA Distinguished Name and the Zone are set in Jamf Pro and the CA Distinguished Name is different than the CA Template specified on the Policy in Venafi TPP, the CA Distinguished Name will override the CA Template used for issuing certificates.
- Provide the Zone that will be the path to the Policy in Venafi TPP for issuing certificates, similar to the following:
  \VED\Policy\<PATH>\<TO>\<POLICY>
  Note: \VED should be the root of the path.
- Click the Scope tab and configure the scope of the profile.
- Click Save.
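
The notes on locked Key Type, Key Length, and Signature Hash values, on the CA Distinguished Name override, and on the \VED-rooted Zone can be checked before a profile is saved. The following Python is an added example, not part of Jamf Pro or Venafi TPP; the dictionary layout, field names, and sample values are assumptions made for illustration.

```python
# Added example. Every field name is hypothetical, not a Jamf Pro or Venafi TPP API.
LOCKABLE = ("key_type", "key_length", "signature_hash")

def check_zone(zone):
    # Return the problems found in a Zone path.
    problems = []
    parts = zone.split("\\")
    # A rooted path starts with a backslash, so parts[0] is the empty string.
    if len(parts) < 2 or parts[0] != "" or parts[1] != "VED":
        problems.append("zone must be rooted at \\VED")
    if any(p == "" for p in parts[1:]):
        problems.append("zone contains an empty path segment")
    if "<" in zone or ">" in zone:
        problems.append("zone still contains a <PLACEHOLDER> segment")
    return problems

def preflight(profile, policy):
    # profile: values entered in Jamf Pro; policy: values set in Venafi TPP.
    # Returns (errors, warnings, effective_ca).
    errors = check_zone(profile.get("zone", ""))
    warnings = []
    for field in LOCKABLE:
        wanted = profile.get(field)
        rule = policy.get(field)  # {"value": ..., "locked": bool} or None
        if rule is None or wanted == rule["value"]:
            continue
        if rule["locked"]:
            errors.append(f"{field}: {wanted!r} does not match locked {rule['value']!r}")
        else:
            warnings.append(f"{field}: {wanted!r} may be overridden by {rule['value']!r}")
    # A CA Distinguished Name set together with a Zone overrides the CA Template.
    effective_ca = policy.get("ca_template")
    ca_dn = profile.get("ca_dn")
    if ca_dn and profile.get("zone") and ca_dn != effective_ca:
        warnings.append("CA Distinguished Name overrides the policy's CA Template")
        effective_ca = ca_dn
    return errors, warnings, effective_ca

# Constructed sample values, not taken from any real environment.
SAMPLE_PROFILE = {"zone": "\\VED\\Policy\\Certificates\\Jamf", "key_type": "RSA",
                  "key_length": 2048, "signature_hash": "SHA256", "ca_dn": "CA-B"}
SAMPLE_POLICY = {"key_type": {"value": "RSA", "locked": True},
                 "key_length": {"value": 4096, "locked": True},
                 "signature_hash": {"value": "SHA384", "locked": False},
                 "ca_template": "CA-A"}

if __name__ == "__main__":
    print(preflight(SAMPLE_PROFILE, SAMPLE_POLICY))
```

An entry in the errors list corresponds to a certificate that will fail to be issued; warnings mark values that Venafi TPP may replace or that change which CA Template is used.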