Troubleshooting

The following table lists common issues that you may encounter when integrating with Venafi using Jamf Pro and how to resolve them.

Symptom: The payload settings for the configuration profile scoped to the device are not applied to the certificates that are issued to the devices.
Explanation/Resolution: Venafi TPP has a CSR Generation setting that allows users to configure the policy to use "Service Generated CSR" or "User provided CSR". If you see settings on the payload that are not reflected on the issued certificate, verify that the setting is set to "User provided CSR" in Venafi TPP. See screenshot for reference.

Symptom: The configuration profile and certificate have been removed from the device. The Jamf PKI Proxy logs show the certificate was revoked. In Jamf Pro, the certificate status is revoked; however, the certificate is not revoked in Venafi TPP.
Explanation/Resolution: Ensure the certificate authority that is used for the policy supports certificate revocation. You may see a certificate revocation status similar to the Venafi TPP screenshot below:

Symptom: The Jamf PKI Proxy logs the following handshake error when a new connection is made from Jamf Pro:
http: TLS handshake error from xx.xxx.xx.xx:xxxx: remote error: tls: unsupported extension
Explanation/Resolution: This is caused by a bug in Java 11, which does not yet fully support TLS 1.3. The connection is first attempted with TLS 1.3, and when that fails, Jamf Pro retries with TLS 1.2.

Jamf PKI Proxy Logging

You can view the logging output of the Jamf PKI Proxy at the command-line prompt on the host where the binary is running.

You can also view the Jamf PKI Proxy logging in the system logs of the host that the Jamf PKI Proxy is running on. Entries are logged under the process name jamf-pki-proxy.
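
The following is an added example, not part of the original documentation or of Jamf's or Venafi's tooling. It triages handshake errors from the Jamf PKI Proxy log, treating the "unsupported extension" error described in the troubleshooting table as expected only when it comes from a known Jamf Pro host, and listing every other handshake error for investigation. The function name, the allow-list of Jamf Pro addresses, the sample log lines, and their timestamp prefix are assumptions made for illustration.

```python
import re
from collections import Counter

# Go's net/http server writes "http: TLS handshake error from <addr>:<port>: <reason>".
HANDSHAKE_RE = re.compile(r"http: TLS handshake error from (\S+):(\d+): (.+)$")
# Reason the troubleshooting table attributes to the Java 11 TLS 1.3 bug.
EXPECTED_REASON = "remote error: tls: unsupported extension"


def triage(lines, jamf_pro_hosts):
    """Split handshake errors into expected noise and entries to investigate.

    An entry is expected only when it carries the documented reason AND comes
    from a host in jamf_pro_hosts (an allow-list the operator supplies).
    """
    expected = Counter()
    investigate = []
    for line in lines:
        m = HANDSHAKE_RE.search(line.strip())
        if not m:
            continue  # not a handshake error
        host, _port, reason = m.groups()
        host = host.strip("[]")  # IPv6 literals are logged in brackets
        if reason == EXPECTED_REASON and host in jamf_pro_hosts:
            expected[host] += 1
        else:
            investigate.append((host, reason))
    return expected, investigate


# Constructed sample lines; the timestamp prefix is an assumption.
SAMPLE_LOG = """\
2024/05/01 10:00:01 http: TLS handshake error from 192.0.2.10:51544: remote error: tls: unsupported extension
2024/05/01 10:00:02 request handled
2024/05/01 10:03:17 http: TLS handshake error from 192.0.2.10:51602: remote error: tls: unsupported extension
2024/05/01 10:05:40 http: TLS handshake error from 198.51.100.23:40112: remote error: tls: unsupported extension
2024/05/01 10:09:12 http: TLS handshake error from 192.0.2.10:51733: remote error: tls: bad certificate
""".splitlines()

if __name__ == "__main__":
    expected, investigate = triage(SAMPLE_LOG, {"192.0.2.10"})
    for host, count in expected.items():
        print(f"expected (Java 11 TLS 1.3 retry): {host} x{count}")
    for host, reason in investigate:
        print(f"investigate: {host}: {reason}")
```
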

Venafi TPP Logging

You can view the logging or the history of a certificate in Venafi TPP. This also records errors that occurred during certificate issuance or revocation.