A quick topic which has been on my todo list for a while: integrating Digicert PKI in Jamf Pro. For this one I got help from my colleague Jeff, aka FlyinDutchSysAdmin, who paved the way by providing a nice walkthrough and screenshots, including some gotchas to be aware of. Thanks Jeff!
First of all, what do we need?
- Jamf Pro 10.16 or later
- An account with Digicert (previously Symantec). For this testing purpose I registered for a free trial at https://www.websecurity.symantec.com/pki/managed-pki-service/free-trial
This walkthrough will be using the Digicert Testdrive trial. A full subscription might change some terminology or naming in the Digicert GUI but should not impact the ability to follow the walkthrough to integrate successfully in Jamf Pro.
Also, we’ll only be describing the integration and deployment of certificates in general. Specific configuration of the certificate requirements, subject to what they will be used for, is outside the scope of this post.
Setting up the Digicert PKI Manager
In case you don’t have an active Digicert subscription yet, register for a free Testdrive here.
NOTE: for ease of registration use Google Chrome. Safari doesn't really play nice with some of the steps below!
Click on “get started” to start the registration process…
Fill in your details…
and you should get a Certificate pick-up code upon completing the registration process.
NOTE: Do not lose this code, as you will need it for the rest of the process. If you forget to copy it, you will have to contact Digicert Support.
After signing up successfully, you should receive an email with a long link to get your certificate. This certificate will be needed to access the Digicert PKI Manager.
Click on the link and follow the steps to install the PKI client. Again, use Google Chrome for an easy ride!
Enter the code you copied above:
Install and enable the browser extension:
Finally, install the certificate in your keychain…
… for which you will need to create a PIN. This PIN will be the keychain passcode, which you will need each time you want to access the Digicert PKI Manager.
Authenticate to create the Digicert (or actually the Symantec) keychain item, in which your certificate will be stored.
Once done you should have a similar certificate in your keychain:
Now, let’s go to the Digicert PKI Manager, where you will be prompted to unlock the Digicert keychain/certificate we just installed:
To finally get access to the PKI Manager:
That’s it for the initial setup of the Digicert PKI Manager; next, the integration in Jamf Pro!
Integration in Jamf Pro
Before we can integrate Digicert in Jamf Pro, we need to create a certificate profile in Digicert PKI Manager.
NOTE: There are 2 compatible ways of deploying certificates via Digicert in Jamf Pro: 1) via the Certificate payload or 2) via SCEP. Depending on which strategy you prefer, the type of profile you select in Digicert is important. There are 2 profile templates to choose from:
- MDM
- MDM (Web Service Client)
In case you want to deploy certificates over SCEP, choose the MDM type, as the Web Service Client variant will only allow deployment via the Certificate payload in Jamf Pro (using the Digicert API instead of SCEP).
Click on the action gear at the bottom and select ‘Manage certificate profiles’:
Click on “Add certificate profile”… production mode…
I initially went for the Web Service Client which did not allow me to select the Dynamic challenge type ‘Digicert’ later in Jamf Pro. I’ll come back to that below. So for now, let’s select the pure MDM template:
Give the profile a name and check the advanced options if needed…
Save the profile and note the SCEP URL. We’ll need that later.
Next we go to the Jamf Pro – PKI Certificate settings and click ‘Configure New Certificate Authority’:
Select Digicert and hit Next…
Copy the generated CSR… hit next…
Jamf Pro will now tell you to get an RA Certificate… keep this window open!
… and go back to the Digicert PKI Manager and click on ‘Get an RA Certificate’:
Paste the CSR copied from Jamf Pro… give the certificate a name and hit next:
Digicert will generate your RA certificate; click on download…
And go back to Jamf Pro:
Hit next… now you will need to paste the RA certificate into the provided text box.
NOTE: to be able to do this, you need to open the downloaded RA cert in a text editor and copy the certificate text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
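Copying the RA certificate by hand from a text editor is where truncated or partial blocks creep in. The following added example (not from the original post or from Jamf/Digicert) takes whatever PKI Manager handed you, a PEM file with surrounding text or a raw DER .cer file, and emits exactly one clean PEM block for the Jamf Pro text box, refusing anything that is not a complete DER SEQUENCE. The file name ra-certificate.cer is an assumption.

```python
import base64
import binascii
import re
from pathlib import Path

# Added example: normalise a downloaded RA certificate into the PEM text that
# the Jamf Pro "RA certificate" box expects. Not code from the original post.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a single PEM CERTIFICATE block with 64-char lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_pem(data: bytes) -> str:
    """Return clean PEM for the first certificate in `data`.

    Accepts a PEM file (possibly with bag attributes or other text around the
    block) or a raw DER (.cer) file. Raises ValueError if the result is not a
    complete DER SEQUENCE, e.g. because lines were lost while copying.
    """
    text = data.decode("ascii", errors="ignore")
    m = PEM_RE.search(text)
    if m:
        body = re.sub(r"\s+", "", m.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    else:
        der = data
    # An X.509 certificate is an ASN.1 SEQUENCE (tag 0x30) with a definite
    # length; check the declared length against what we actually have.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate (missing SEQUENCE tag)")
    if der[1] & 0x80:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    else:
        header, length = 2, der[1]
    if header + length != len(der):
        raise ValueError(f"truncated certificate: expected {header + length} bytes, got {len(der)}")
    return der_to_pem(der)


if __name__ == "__main__":
    # Hypothetical file name for the RA certificate downloaded from PKI Manager.
    print(extract_pem(Path("ra-certificate.cer").read_bytes()), end="")
```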
Hit next, and choose if you want to enable the automatic certificate revocation (recommended).
From the Jamf Pro documentation: Depending on how you configured the PKI Certificates settings when you added DigiCert as a PKI Provider, you can automatically revoke certificates via a configuration profile's scope. When devices are no longer part of the scope, the certificate is automatically revoked from the device.
Deploying Digicert certificates via Jamf Pro
Now that we successfully integrated Digicert in Jamf Pro, let’s have a look at how to deploy certificates to our client devices.
This is where I initially got into trouble, as I wanted to test SCEP first. Because I had selected the MDM – Web Service Client template in Digicert, SCEP was not enabled as a deployment option. Hence I didn’t get a Dynamic – Digicert option in the list of challenge types:
So I did the integration again, choosing MDM as certificate profile template.
To configure SCEP you’ll need the SCEP URL …
… and the RA Certificate Name:
Because I changed the Digicert profile to MDM I can now select ‘Dynamic – Digicert’ as a challenge type.
Select the certificate profile and choose a Seat ID. Also, don’t forget to set the Key Size to 2048.
NOTE: It is recommended that the Seat ID used for SCEP profiles is the same as the CN used in the Subject field.
Important: Inventory information for a user must be complete to properly issue a DigiCert certificate to a device. If there is incomplete data in inventory information for a user in Jamf Pro, DigiCert certificates will be issued with "N/A" recorded for the missing attributes.
Scope it to your devices and done!
More info in the Jamf KB here.
So far for deploying Digicert certificates over SCEP. Now let’s have a look at how to do so via the Certificate payload, and how to deploy your Digicert Root CA if needed. This is basically straightforward!
Remember: using the MDM certificate profile template in Digicert PKI Manager allows both the Certificate payload and SCEP. The MDM (Web Service Client) profile template only allows the Certificate payload.
Create a new config profile and add the Certificate payload. Select Digicert as certificate option:
Select your Digicert profile…
… and add the applicable attribute mappings:
AGAIN: Inventory information for a user must be complete to properly issue a DigiCert certificate to a device. If there is incomplete data in inventory information for a user in Jamf Pro, DigiCert certificates will be issued with "N/A" recorded for the missing attributes.
Scope it to your devices… and done!
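Both the SCEP and the Certificate payload notes above warn that incomplete user inventory ends up as "N/A" in the issued certificate, which is worth catching before the profile is scoped rather than after certificates have been issued. The following added example (not from the original post, Jamf or Digicert) checks computer records for the user attributes a certificate subject typically maps to; the sample records are constructed, the field names follow the Jamf Pro Classic API "location" object, and the server URL, credentials and basic-auth fetch are assumptions.

```python
import base64
import json
import urllib.request

# Added example: pre-flight check of user inventory before scoping a DigiCert
# certificate profile. Missing attributes would be issued as "N/A".
REQUIRED_FIELDS = ("username", "real_name", "email_address")


def missing_user_fields(computer: dict, required=REQUIRED_FIELDS) -> list:
    """Return the required user attributes that are empty or absent."""
    location = computer.get("location") or {}
    return [f for f in required if not (location.get(f) or "").strip()]


def incomplete_inventory(computers: list, required=REQUIRED_FIELDS) -> dict:
    """Map computer name -> missing fields for every computer that would get 'N/A'."""
    report = {}
    for c in computers:
        missing = missing_user_fields(c, required)
        if missing:
            report[c["general"]["name"]] = missing
    return report


def fetch_computer(base_url: str, computer_id: int, user: str, password: str) -> dict:
    """Fetch one computer record via the Classic API (assumes basic auth is enabled)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/JSSResource/computers/id/{computer_id}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["computer"]


# Constructed sample records standing in for Classic API responses.
SAMPLE_COMPUTERS = [
    {"general": {"name": "mac-001"},
     "location": {"username": "jdoe", "real_name": "Jane Doe", "email_address": "jdoe@example.com"}},
    {"general": {"name": "mac-002"},
     "location": {"username": "rroe", "real_name": "", "email_address": None}},
    {"general": {"name": "mac-003"}, "location": {}},
]

if __name__ == "__main__":
    for name, fields in incomplete_inventory(SAMPLE_COMPUTERS).items():
        print(f"{name}: fill in {', '.join(fields)} before scoping the DigiCert profile")
```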
Now, there is one more thing to take care of: our Root CA. Depending on how you will be using the certificates, you might also need to deploy the Root CA. Using the Network payload in Jamf Pro allows you to trust the deployed certificates anyway, but for other use cases you will need to deploy the Root CA as well. If not, the deployed certificates will show up like this:
So how to get our Digicert Root CA?
For this we need to go back to the Digicert PKI Manager (obviously) and click on ‘Manage CAs’:
Download your Root CA and upload it in the Certificate payload of your configuration profile:
Now, your certificates will be trusted on your client devices:
That’s it! As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!
TTG and FlyingDutchSysAdmin