Using Connector for SCEP with Jamf Pro
You can use Amazon Private CA as an external certificate authority (CA) with the Jamf Pro mobile device management (MDM) solution. This guide explains how to configure Jamf Pro as a SCEP Proxy after you create an Amazon Private Certificate Authority Connector for SCEP.
Jamf Pro requirements
Your implementation of Jamf Pro must meet the following requirements.
You must use Jamf Pro 10.0.0 or later.
You must enable the Enable certificate-based authentication setting in Jamf Pro. You can find details on this setting on the Jamf Pro Security Settings page in the Jamf Pro documentation.
Prerequisites
To use Connector for SCEP with Jamf Pro, you must first create a private CA and a general-purpose connector for SCEP. For instructions, see Setting up Connector for SCEP.
Configure Amazon Private CA as an external CA in Jamf Pro
After you create a connector for SCEP, you must set Amazon Private CA as an external CA in Jamf Pro. You can set Amazon Private CA as a global, external CA. Or you can use a Jamf Pro configuration profile to issue different certificates from Amazon Private CA for different use cases, such as issuing certificates to a subset of devices in your organization. Guidance on implementing Jamf Pro configuration profiles is beyond the scope of this document.
To configure Amazon Private CA as an external CA in Jamf Pro
In the Jamf Pro console, go to the PKI certificates settings page at Settings > Global > PKI certificates.
Select the Management Certificate Template tab.
Select External CA.
Select Edit.
(Optional) Select Enable Jamf Pro as SCEP Proxy for configuration profiles. You can use Jamf Pro configuration profiles to issue different certificates tailored to specific use cases. For guidance on how to use configuration profiles in Jamf Pro, see Enabling Jamf Pro as SCEP Proxy for Configuration Profiles in the Jamf Pro documentation.
Select Use a SCEP-enabled external CA for computer and mobile device enrollment.
(Optional) Select Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment. If you experience profile installation failures, see Troubleshoot profile installation failures.
Copy and paste the Connector for SCEP public SCEP URL from the connector's details to the URL field in Jamf Pro. To view a connector's details, choose the connector from the Connectors for SCEP list. Alternatively, you can get the URL by calling GetConnector and copying the Endpoint value from the response.
(Optional) Enter the name of the instance in the Name field. For example, you can name it Amazon Private CA.
Select Static for the challenge type.
Copy your connector's challenge password and paste it into the Challenge field. To view your connector's challenge passwords, navigate to your connector's details page in the Amazon console and select the View password button. Alternatively, you can get a connector's challenge password by calling GetChallengePassword and copying the Password value from the response.
Paste the challenge password into the Verify Challenge field.
Choose a Key Size. We recommend a key size of 2048 or higher.
(Optional) Select Use as digital signature. Select this for authentication purposes to grant devices secure access to resources like Wi-Fi and VPN.
(Optional) Select Use for key encipherment.
(Optional) Enter a hex string in the Fingerprint field. For instructions on how to create a fingerprint of your private CA, see (Optional) Add a CA fingerprint.
Select Save.
Create and upload a profile signing certificate
To use Connector for SCEP with Jamf Pro, you must provide the signing and CA certificates for the private CA that's associated with your connector. You can do this by uploading a profile signing certificate keystore to Jamf Pro that contains both certificates. You need to generate a certificate signing request (CSR) using your internal processes and get it signed by Amazon Private Certificate Authority. The following instructions explain how to create a certificate keystore and upload it into Jamf Pro. The example uses OpenSSL, but you can generate a certificate signing request using your preferred method.
Using OpenSSL, generate a private key by running the following command:
openssl genrsa -out local.key 2048
Generate a certificate signing request (CSR):
openssl req -new -key local.key -sha512 -out local.csr -subj "/CN=MySigningCertificate/O=MyOrganization" -addext keyUsage=critical,digitalSignature,nonRepudiation
Using the Amazon CLI, issue the signing certificate from the CSR you generated in step 2. Run the following command and note the certificate ARN in the response:
aws acm-pca issue-certificate --certificate-authority-arn <SAME CA AS USED ABOVE, SO IT'S TRUSTED> --csr fileb://local.csr --signing-algorithm SHA512WITHRSA --validity Value=365,Type=DAYS
Get the signing certificate by running the following command using the certificate ARN from step 3:
aws acm-pca get-certificate --certificate-authority-arn <SAME CA AS USED ABOVE, SO IT’S TRUSTED> --certificate-arn <ARN OF NEW CERTIFICATE> | jq -r '.Certificate' >local.crt
Get the CA certificate by running the following command:
aws acm-pca get-certificate-authority-certificate --certificate-authority-arn <SAME CA AS USED ABOVE, SO IT’S TRUSTED> | jq -r '.Certificate' > ca.crt
Using OpenSSL, output the signing certificate keystore in p12 format. You'll use the crt files that you generated during steps 4 and 5. Run the following command:
openssl pkcs12 -export -in local.crt -inkey local.key -certfile ca.crt -name "CA Chain" -out local.p12
When prompted, enter an export password. This password is your keystore password, and you'll need to use it later.
In Jamf Pro, navigate to the Management Certificate Template and go to the External CA pane.
At the bottom of the External CA pane, select Change Signing and CA Certificates.
Follow the onscreen instructions to upload the signing and CA certificates for the external CA.
(Optional) Add a CA fingerprint
Adding a CA fingerprint allows managed devices to verify the CA and only request certificates from the CA.
Obtain the private CA certificate either from the Amazon Private CA console or by calling GetCertificateAuthorityCertificate. Save it as a ca.pem file.
In OpenSSL, run the following command (the -noout flag suppresses the PEM body so that only the fingerprint is printed):
openssl x509 -in ca.pem -noout -fingerprint -sha256
Copy and paste the output into the Fingerprint field referred to in the preceding procedure.
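The following POSIX shell script is an added example, not part of this documentation or of the Amazon Private CA or Jamf Pro tooling. It ties together the keystore procedure and the fingerprint procedure above: check_signing_bundle confirms that the signing certificate chains to the CA certificate, carries the digitalSignature key usage requested in the CSR, and matches the private key before you package them with openssl pkcs12, and ca_fingerprint prints the SHA-256 fingerprint as OpenSSL emits it. It assumes openssl is on PATH; the self-signed CA built by make_test_pki is constructed test data standing in for your Amazon Private CA, so with real local.crt, local.key and ca.crt files you would skip it and point check_signing_bundle at those files.

```shell
# Added example (not from the Amazon Private CA or Jamf Pro documentation).
# Assumes openssl is on PATH. The constructed CA below stands in for the
# Amazon Private CA that issued local.crt; with real files, skip make_test_pki.
set -eu

# check_signing_bundle CA_CERT SIGNING_CERT PRIVATE_KEY
# Returns 0 when SIGNING_CERT chains to CA_CERT, carries the digitalSignature
# key usage requested in the CSR, and matches PRIVATE_KEY; otherwise 1, 2 or 3.
check_signing_bundle() {
  ca=$1; crt=$2; key=$3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text | grep -q 'Digital Signature' || return 2
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 3
}

# ca_fingerprint CA_CERT: SHA-256 fingerprint as OpenSSL prints it (colon-separated
# hex), with the leading "Fingerprint=" label stripped so only the hex string remains.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# make_test_pki DIR: constructed test data only. Builds a self-signed CA, then a leaf
# from the same CSR the guide's procedure produces (same subject and keyUsage).
make_test_pki() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.csr" \
    -subj "/CN=Constructed Test CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
  openssl genrsa -out "$1/local.key" 2048 2>/dev/null
  openssl req -new -key "$1/local.key" -sha512 -out "$1/local.csr" \
    -subj "/CN=MySigningCertificate/O=MyOrganization" \
    -addext keyUsage=critical,digitalSignature,nonRepudiation 2>/dev/null
  printf 'keyUsage=critical,digitalSignature,nonRepudiation\n' > "$1/leaf.ext"
  openssl x509 -req -in "$1/local.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -sha512 -extfile "$1/leaf.ext" -out "$1/local.crt" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
rc=0
check_signing_bundle "$WORK/ca.crt" "$WORK/local.crt" "$WORK/local.key" || rc=$?
if [ "$rc" -eq 0 ]; then
  echo "signing bundle OK; CA fingerprint: $(ca_fingerprint "$WORK/ca.crt")"
  # Safe to build the keystore now, exactly as the guide's pkcs12 step does.
else
  echo "signing bundle check failed (status $rc); fix before uploading to Jamf Pro" >&2
fi
```

A status of 1 means the certificate was issued by a different CA than the one your connector uses, which is the mismatch the placeholder "SAME CA AS USED ABOVE, SO IT'S TRUSTED" in the CLI commands warns about.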
(Optional) Install certificate during user-initiated enrollment
To install your connector's private CA certificate on a client or device during user-initiated enrollment, configure your Jamf Pro user-initiated enrollment settings. This lets Jamf Pro install your Amazon Private CA certificates on the client or device when it requests a certificate. It's your responsibility to test your configuration to make sure that it's compatible with your Connector for SCEP implementation. For information about Jamf Pro user-initiated enrollment settings, see User-Initiated Enrollment Settings.
Troubleshoot profile installation failures
If you're experiencing profile installation failures after enabling Use Jamf Pro as SCEP Proxy for computer and mobile device enrollment, try the following.
| Error message | Mitigation |
|---|---|
| | If you receive this error message while trying to enroll, retry the enrollment. It can take several tries before enrollment succeeds. |
| | Your challenge password might be misconfigured. Verify that the challenge password in Jamf Pro matches your connector's challenge password. |