Distributing Certificates Using the Certificate (API) Protocol

After communication between Jamf Pro and Venafi TPP has been established, you can use Jamf Pro to distribute certificates with Venafi as the certificate authority (CA) to computers and mobile devices in your environment using configuration profiles.

Certificates are not deployed immediately. The configuration profile is queued to obtain a certificate. Once the Certificate payload and configuration profile are complete, the configuration profile will be deployed to the device. The timeframe for certificate deployment depends on server load and typically is 5 minutes, or the next device check-in.

Jamf Pro automatically redistributes the certificate via a configuration profile 10 days before the certificate expires. If the 10-day default setting does not meet your needs, contact Jamf Support.


Ensure the requirements for distributing configuration profiles are met by reviewing the requirements in the following sections of the Jamf Pro Documentation:

  1. In Jamf Pro, click Computers or Devices at the top of the sidebar.
  2. Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.
  3. Select the Certificate payload and click Configure.
  4. In the Select Certificate Option pop-up menu, select your CA.
  5. Enter the subject name.

    You only need to enter the common name (CN) if all of the other subject attributes will be provided by the Venafi TPP.

  6. Enter other certificate attributes, include UPNs, email addresses, and DNS names. The settings will vary depending on your policy.
  7. The Key Type, Key Length, and Signature Hash values on the configuration profile may be overridden by the CA template that is set on the policy in Venafi TPP.

    If the Key Type, Key Length, and Signature Hash values are locked on the policy in Venafi TPP, and the values in the configuration profile do not match the policy, the certificate will fail to be issued.

  8. (Optional) Provide a CA Distinguished Name that will correspond to a CA Template in Venafi TPP.
  9. Provide the Zone that will be the path to the policy in Venafi TPP for issuing certificates, similar to the following:

    \VED should be the root of the path.

  10. Click the Scope tab and configure the scope of the profile.
  11. Click Save .