PKI Certificates
- Last Updated: May 20, 2025
The PKI Certificates settings allow you to manage the public key infrastructure needed to establish trusted communication between Jamf Pro, computers and mobile devices, and certificate authorities (CAs). Jamf Pro requires a PKI that supports certificate-based authentication.
The PKI must include the following components:
A certificate authority (CA). You can use the built-in CA, a trusted third-party CA, or an external CA that supports SCEP.
A certificate authority (CA) certificate
A signing certificate
You can view the following information for a certificate:
Subject name
Serial number
Device name associated with the certificate
Username associated with certificate
CA configuration name
Date/time issued
Expiration date/time
Status (Active or Inactive)
State (Issued, Expiring, Expired, or Revoked)
Configuration profiles associated with a third-party certificate
When you are viewing a list of certificates, you can export the list to a .csv, .txt, or XML file.
Jamf Pro includes a built-in CA that issues client certificate identities that are used to enroll devices and to secure communication between Jamf Pro and enrolled devices. No configuration is necessary to use Jamf Pro's built-in CA for this purpose. The CA certificate and signing certificate are created and stored automatically.
During enrollment, devices communicate with the SCEP server to obtain the necessary certificates for device identification and secure communication with Jamf Pro.
If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using the built-in CA, you can enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.
The certificates issued from the built-in CA are not intended or available for use in additional workflows, such as VPN or Wi-Fi certificate-based authentication.
Downloading the Built-in CA Certificate
The downloaded built-in CA certificate (.pem) can be used to establish trust with other servers or services. For example, you can establish trust for IIS on Windows servers for HTTPS distribution points. For more information, see the Using IIS to Enable HTTPS Downloads on a Windows Server 2016 or 2019 File Share Distribution Point article.
The built-in CA certificate is also installed in the System keychain on enrolled Mac computers, where it appears in Keychain Access as "JAMF Software JSS Built-in Certificate Authority".
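A way to check the downloaded .pem before trusting it on another server, as an added example that is not part of Jamf's documentation or tooling: it assumes the download was saved as jamf-built-in-ca.pem, that openssl is on the PATH and, for the keychain comparison, that it runs on an enrolled Mac where the security command and the keychain entry named above exist.

```shell
#!/bin/sh
# Added example, not Jamf's code. Sanity-check a downloaded built-in CA
# certificate (assumed file name: jamf-built-in-ca.pem) before using it to
# establish trust on another server. Requires openssl; the keychain
# comparison additionally needs macOS and the security command.

# Subject, issuer and validity window: the fields worth reading before the
# certificate is installed anywhere.
ca_summary() {   # ca_summary <ca.pem>
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# SHA-256 fingerprint of the PEM certificate on stdin, printed as 64 lowercase
# hex digits without colons so it compares verbatim with other tools' output.
fingerprint_sha256() {
    openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

ca_fingerprint() {   # ca_fingerprint <ca.pem>
    fingerprint_sha256 < "$1"
}

# A CA certificate carries basicConstraints CA:TRUE. If the file is a leaf
# certificate instead, adding it to a trust store buys nothing.
# Returns 0 for a CA certificate, 1 otherwise.
pem_is_ca() {   # pem_is_ca <cert.pem>
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# macOS only: compare the download with the copy Jamf Pro installs in the
# System keychain under the name given in the text. Returns 0 on match,
# 1 on mismatch, 2 when the security command or the keychain entry is absent.
verify_against_system_keychain() {   # verify_against_system_keychain <ca.pem>
    command -v security >/dev/null 2>&1 || return 2
    kc_pem=$(security find-certificate \
        -c "JAMF Software JSS Built-in Certificate Authority" \
        -p /Library/Keychains/System.keychain 2>/dev/null) || return 2
    [ -n "$kc_pem" ] || return 2
    [ "$(printf '%s\n' "$kc_pem" | fingerprint_sha256)" = "$(ca_fingerprint "$1")" ]
}

# Report on one file; non-zero when it is not a CA certificate or it disagrees
# with the System keychain copy.
check_downloaded_ca() {   # check_downloaded_ca <ca.pem>
    ca_summary "$1"
    echo "sha256 fingerprint: $(ca_fingerprint "$1")"
    pem_is_ca "$1" || { echo "$1 is not a CA certificate" >&2; return 1; }
    if verify_against_system_keychain "$1"; then
        echo "matches the System keychain copy"
    else
        case $? in
            1) echo "DOES NOT match the System keychain copy" >&2; return 1 ;;
            *) echo "keychain comparison skipped (not macOS, or entry absent)" ;;
        esac
    fi
}

# Usage: ./check-ca.sh jamf-built-in-ca.pem
if [ $# -gt 0 ]; then
    check_downloaded_ca "$1"
fi
```

Compare the printed fingerprint with the one shown in the Jamf Pro web console or on a second Mac before adding the file to any trust store; a mismatch means the download was altered in transit or the wrong file was exported.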
Revoking a Certificate from the Built-in CA
Revoking a certificate stops communication between Jamf Pro and the computer or mobile device that the certificate was issued to. To restore the communication, re-enroll the computer or mobile device.
You can also view a record of revoked certificates in the jamfsoftwareserver.log file. For more information, see Jamf Pro Server Logs in this guide.
Creating a Built-in CA Certificate from a CSR
Depending on your environment, you may need to create a certificate from a certificate signing request (CSR). For example, you may need to do this if you have a clustered environment with Tomcat configured to work behind a load balancer.
The certificate created from the CSR is intended solely for purposes of communication between Jamf Pro and a managed computer or mobile device.
To create a certificate from a CSR, you need a request in Base64-encoded PEM format.
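Producing a CSR in the required form and checking both the request and the certificate Jamf Pro hands back, as an added example that is not part of Jamf's documentation or tooling; the file names, the subject, and the assumption that openssl is on the PATH are mine.

```shell
#!/bin/sh
# Added example, not Jamf's code. Create a CSR in Base64 PEM form for the
# "Create Certificate from CSR" workflow and check what goes in and what comes
# back. File names and the subject are assumptions; openssl must be on PATH.

# Generate a private key and a PEM CSR. The key stays on this host; only the
# CSR text is pasted into Jamf Pro.
make_csr() {   # make_csr <key-out.pem> <csr-out.pem> <common-name>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Accept only what the text asks for: a Base64 PEM request whose
# self-signature verifies. That rules out a DER file, a truncated paste and a
# request whose public key does not match its signature.
# Returns 0 when acceptable, 1 otherwise.
csr_is_base64_pem() {   # csr_is_base64_pem <csr.pem>
    case "$(head -n 1 "$1" | tr -d '\r')" in
        '-----BEGIN CERTIFICATE REQUEST-----'|'-----BEGIN NEW CERTIFICATE REQUEST-----') ;;
        *) return 1 ;;
    esac
    openssl req -in "$1" -inform PEM -noout -verify >/dev/null 2>&1
}

# Before installing the certificate Jamf Pro returns: it must chain to the
# built-in CA (the .pem downloaded in the previous section) and its public key
# must be the one from our CSR; otherwise the wrong certificate was handed
# over, or the key on disk is not the one it was issued for. Returns 0 on success.
issued_cert_matches() {   # issued_cert_matches <built-in-ca.pem> <issued.pem> <key.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

# Usage:
#   make_csr tomcat.key tomcat.csr jamf.example.test && csr_is_base64_pem tomcat.csr
#   issued_cert_matches jamf-built-in-ca.pem tomcat.pem tomcat.key
```

The chain check is the one that matters on a load-balanced cluster: every node must present a certificate that chains to the same built-in CA the enrolled devices trust, so run issued_cert_matches on each node with the key that node actually serves.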
Creating a Backup of the Built-in CA Certificate
It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA and store it in a secure location.
Renewing the Built-in CA
If your organization has over 500 Mac computers enrolled, contact Jamf Support before renewing the built-in certificate authority.
Jamf recommends renewing the built-in CA before its expiration date. If the built-in CA is allowed to expire, some critical workflows will no longer function. For example, enrolling computers or mobile devices after the CA has expired prevents them from being managed.
A notification will display in Jamf Pro 360 days before the built-in CA is scheduled to expire. If the 360-day default setting for the expiration notification does not meet your needs, contact Jamf Support.
(On-premises environments only) Jamf recommends using a publicly trusted SSL/TLS certificate for Tomcat. If you are using a Tomcat SSL/TLS certificate issued from Jamf Pro's built-in certificate authority (CA), you must transition to a trusted certificate before renewing Jamf Pro's built-in CA, or you will lose MDM communication with enrolled iOS devices.
If you want to move from an SSL/TLS certificate issued from Jamf Pro's built-in CA to an SSL/TLS certificate issued from a third-party CA, see the Enabling SSL on Tomcat with a Public Certificate article.
If it is not possible for you to leverage a third-party external Tomcat SSL/TLS certificate in your environment, contact Jamf Support for assistance.
Jamf Pro 10.23.0 or later
After the built-in CA is renewed, its expiration date is extended by 10 years. All signing certificates issued by the built-in CA are automatically renewed.
If the built-in CA fails to renew, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA (e.g., Jamf Pro cannot communicate with managed computers or mobile devices), contact Jamf Support.
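An out-of-band expiry check for the built-in CA and the pre-renewal Tomcat check described above for on-premises servers, as an added example that is not Jamf's code; the file names, the host and port, and the use of the downloaded CA .pem as input are assumptions, and the 360-day window mirrors the default notification setting described above.

```shell
#!/bin/sh
# Added example, not Jamf's code. Out-of-band expiry check for the built-in CA,
# run against the CA certificate downloaded from the PKI Certificates settings
# (assumed file name: jamf-built-in-ca.pem), plus the pre-renewal check for
# on-premises servers: is Tomcat still serving a certificate issued by the
# built-in CA? Host, port and file names are assumptions; openssl is required.

NOTIFY_DAYS=360          # default notification window described in the text
SECONDS_PER_DAY=86400

# 0 when the certificate is still valid DAYS from now, 1 when it will have
# expired by then (an already expired certificate returns 1 for any DAYS).
valid_for_days() {   # valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * SECONDS_PER_DAY )) >/dev/null 2>&1
}

# Classify the CA the way the State column does: EXPIRED, EXPIRING (inside
# the notification window) or OK. Printed to stdout for use by callers.
ca_state() {   # ca_state <ca.pem>
    if ! valid_for_days "$1" 0; then
        echo EXPIRED
    elif ! valid_for_days "$1" "$NOTIFY_DAYS"; then
        echo EXPIRING
    else
        echo OK
    fi
}

# 0 when <leaf.pem> chains to <ca.pem>, i.e. it was issued by the built-in
# CA; 1 otherwise (for example a certificate from a public CA).
issued_by_builtin_ca() {   # issued_by_builtin_ca <ca.pem> <leaf.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fetch the certificate Tomcat currently serves (needs network access to the
# server; not exercised by the offline checks).
fetch_tomcat_cert() {   # fetch_tomcat_cert <host> <port> <out.pem>
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Print the CA state and return 0 only when renewing is safe, i.e. Tomcat's
# certificate does not come from the built-in CA (otherwise iOS MDM
# communication is lost on renewal, as the text warns).
safe_to_renew() {   # safe_to_renew <ca.pem> <tomcat.pem>
    echo "built-in CA: $(ca_state "$1")"
    if issued_by_builtin_ca "$1" "$2"; then
        echo "Tomcat serves a certificate issued by the built-in CA;" \
             "move to a trusted certificate before renewing" >&2
        return 1
    fi
    return 0
}

# Usage: fetch_tomcat_cert jamf.example.test 8443 tomcat.pem
#        safe_to_renew jamf-built-in-ca.pem tomcat.pem
```

Run this from a monitoring job rather than waiting for the console banner: if the person who would see the 360-day notice has left, nobody sees it, and the consequences listed above (devices enrolled after expiry cannot be managed) are not reversible without re-enrollment.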
Further Considerations
- Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a CSR that was signed by the CA. These certificates may need to be re-issued. The affected integrations may include:
- HTTPS file share distribution point configuration
- Signing custom configuration profiles
- SCCM (System Center Configuration Manager) plug-in
- Automated Device Enrollment token from Apple Business Manager or Apple School Manager
- When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing EDU profiles to be redistributed. This may increase network traffic.
After the built-in CA is renewed, all active certificates issued by the built-in CA will automatically renew. To view the expiration date of a specific certificate, navigate to , and then click the number displayed in the All column.
Automatic renewal of MDM profiles is controlled by the MDM Profile Settings in Jamf Pro. By default, after the built-in CA is renewed, the MDM profile and the device identity certificate will renew the next time an MDM command is issued or the next time the computer or mobile device checks in to Jamf Pro. For more information, see MDM Profile Settings in the Jamf Pro Documentation.
You can integrate Jamf Pro with trusted third-party CAs, including Active Directory Certificate Services (AD CS), DigiCert, or Venafi. These integrations allow an organization to have a CA that controls all of the identity certificates across all devices. Using a third-party CA will allow for unified reporting on all certificates for IT teams.
Some time may be required between certificate request and certificate delivery since those processes are handled asynchronously. After receiving a certificate request, Jamf Pro will distribute certificates to devices the next time they check in with Jamf Pro or when the next MDM command is sent and the devices are ready to accept the certificate.
- AD CS—After communication with the PKI provider is successfully established, you can deploy certificates via configuration profiles using AD CS as the CA. You can also distribute in-house apps developed with the Jamf Certificate SDK to establish identities to support certificate-based authentication to perform Single Sign-On (SSO) or other actions specific to your environment. For more information, see the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.
- DigiCert—DigiCert certificates are managed in Jamf Pro using the DigiCert PKI Platform service. After communication between Jamf Pro and the DigiCert PKI Platform is established, you can deploy certificates to computers or mobile devices. For more information, see the Integrating with DigiCert Using Jamf Pro technical paper.
- Venafi—Venafi certificates are managed in Jamf Pro using Venafi Trust Protection Platform. After communication between Jamf Pro and Venafi Trust Protection Platform is established, you can deploy certificates to computers or mobile devices. For more information, see the Integrating with Venafi Using Jamf Pro technical paper.
Adding a Third-Party PKI Certificate Authority to the Jamf Pro Dashboard
Adding a third-party CA to the Jamf Pro Dashboard helps you monitor its status and progress. For example, you can determine the number of active, expiring, and inactive certificates that have been deployed. You can also view the percentage of active certificates in the pie chart in the Jamf Pro Dashboard widget.
- In Jamf Pro, click Settings in the sidebar.
- In the Global section, click PKI Certificates.
- Click the third-party CA you want to add to the Jamf Pro Dashboard.
- Select the Show in Jamf Pro Dashboard checkbox.
- Click Dashboard in the sidebar.
- Navigate to the PKI Certificate Authorities area of the Jamf Pro Dashboard and find the widget for the third-party CA you added.
- Click any item in the widget to view the details.
If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices. When a device checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate.
If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.
Integrating an external CA with Jamf Pro involves the following steps:
Specifying SCEP parameters for the external CA
Uploading a signing certificate and CA certificate for the external CA
Jamf recommends performing changes to a SCEP-enabled external CA (i.e., the Use a SCEP-enabled external CA for computer and mobile device enrollment checkbox is selected under ) before enrolling computers and devices. If you make changes to a SCEP-enabled external CA after enrollment, you will need to re-enroll all enrolled computers and devices to restore trusted communication to the Jamf Pro server.
Specifying SCEP Parameters for an External CA
Uploading Signing and CA Certificates for an External CA
To integrate an external CA with Jamf Pro, you must provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) that contains both certificates to Jamf Pro. For information about how to obtain and download a SCEP Proxy signing certificate from a Microsoft CA, see the following articles:
By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.
- In Jamf Pro, click Settings in the sidebar.
- In the Global section, click PKI Certificates.
- Click the Management Certificate Template tab, and then click External CA.
- At the bottom of the External CA pane, click Change Signing and CA Certificates.
- Follow the onscreen instructions to upload the signing and CA certificates for the external CA.
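Assembling the keystore that the last step uploads, and inspecting it (or the password-protected backup of the built-in CA described earlier) before handing it to Jamf Pro, as an added example that is not Jamf's code; the file names, the alias, and the password handling are assumptions, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not Jamf's code. Build the signing-certificate keystore (.p12)
# that the "Change Signing and CA Certificates" step uploads, and inspect it
# before uploading. Assumes PEM files for the SCEP signing certificate and its
# key (signing.crt, signing.key) and the external CA certificate
# (external-ca.crt); file names, alias and password handling are assumptions.

# Bundle key + signing certificate + CA certificate into one PKCS#12 file.
# -certfile carries the CA certificate, so a single upload gives Jamf Pro both
# certificates the text requires. Fails if key and certificate do not match.
build_signing_keystore() {  # <signing.key> <signing.crt> <external-ca.crt> <out.p12> <password>
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "scep-signing" -out "$4" -passout "pass:$5" 2>/dev/null
}

# Number of certificates in the keystore (expect 2: signing + CA). Prints 0
# when the password is wrong or the file is not a PKCS#12 keystore.
p12_cert_count() {  # p12_cert_count <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# 0 when the keystore holds a private key whose public half matches the
# client (signing) certificate; 1 when the key is missing, the password is
# wrong, or the key and certificate do not belong together.
p12_has_matching_key() {  # p12_has_matching_key <file.p12> <password>
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Subject of the CA bundled in the keystore, to confirm the right external CA
# went in (-cacerts selects the certificates that have no private key).
p12_ca_subject() {  # p12_ca_subject <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Usage:
#   build_signing_keystore signing.key signing.crt external-ca.crt signing.p12 "$P12_PASS"
#   p12_cert_count signing.p12 "$P12_PASS"        # expect 2
#   p12_has_matching_key signing.p12 "$P12_PASS" && p12_ca_subject signing.p12 "$P12_PASS"
```

If your process needs a .jks instead, `keytool -importkeystore -srckeystore signing.p12 -srcstoretype PKCS12 -destkeystore signing.jks -deststoretype JKS` converts it; Jamf Pro accepts either. Passing the password as `pass:` puts it in the process list of a shared host; prefer `-passout file:` or `env:` there. The same p12_cert_count and p12_has_matching_key checks apply to the password-protected backup of the built-in CA: run them against the backup when it is created, not when it is needed.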