Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. Join us in person at the ninth annual Jamf Nation User Conference (JNUC) this November for three days of learning, laughter and IT love.

Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using Terminal and Uploading the Certificate to Jamf Pro


This article explains how to obtain a signing certificate from a Microsoft CA using Terminal and upload the certificate to Jamf Pro. When a computer or mobile device that needs a certificate checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate. You can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment so that devices do not need to access the SCEP server. With Jamf Pro enabled as SCEP Proxy, Jamf Pro communicates directly with the SCEP server to obtain certificates and install them on computers and mobile devices. For more information, see Communication of Jamf Pro as SCEP Proxy.


  • Jamf Pro 10.0.0 or later
  • Java Development Kit (JDK) with the keytool utility Note: If you do not have keytool, OpenSSL is an alternative. Contact your support representative for more information.
  • A Microsoft CA server


The procedure involves the following steps:

  1. Generating a Certificate Signing Request
  2. Downloading the Certificate from the Microsoft CA Server
  3. Uploading the Certificate to Jamf Pro

Generating a Certificate Signing Request

  1. On a computer with JDK, open Terminal.
  2. Use keytool to generate a certificate signing request by executing the following commands: Note: Modify the following command with your organization's information and desired certificate duration and security level.
    sudo keytool -genkey -alias scepca -keyalg RSA -keypass "changeit" -storepass "changeit" -dname "CN=, OU=Department, O=Organization, L=City, ST=State, C=Country" -keystore "/path/to/save/keystore.jks" -validity 365 -keysize 2048
    sudo keytool -certreq -keyalg RSA -alias scepca -file /path/to/save/certreq.csr -keystore /path/to/save/keystore.jks
    Note: If you are using Java version 8 or later, you will get a warning message during this process. This is expected and can be ignored.
  3. When prompted, enter a password for the keystore. By default, the password is “changeit”. Note: You can change the default password.
  4. Using a preferred text editor, open the certreq.csr file you generated.
  5. Copy the content of the certreq.csr file.

Downloading the Certificate from the Microsoft CA Server

  1. Navigate to your Microsoft CA server. For example: http://CAServerAddress/certsrv/
  2. Enter your username and password.
  3. On the Microsoft Active Directory Certificate Services homepage, click Request a certificate.
  4. Click advanced certificate request.
  5. Paste the .csr file content in the Saved Request field.
  6. Choose “User” from the Certificate Template pop-up menu.
  7. Click Submit. Note: If your server is not configured with the auto-approve option, have the submitted certificate request manually approved before clicking View the status of a pending certificate request and continuing to step 8.
  8. Select Base 64 encoded.
  9. Click Download certificate, and then rename the certificate as “user.cer”
  10. Click Download certificate chain to download the .p7b file.
  11. To extract certificates from the .p7b file, do the following: a. Double-click the file and enter your Keychain Access authentication. b. In Keychain Access, control-click the root certificate to export it as a .cer file. You can now rename and save it elsewhere. The recommended file name is “ca.cer”. c. Click Save.
  12. (Optional) If you have an intermediate or issuing CA certificate, export and rename those as well. The recommended file names are “int.cer” and “issuer.cer”, respectively.
  13. To import all certificates to the keystore, execute the following commands in this order:
    sudo keytool -import -alias root -keystore /path/to/saved/keystore.jks -trustcacerts -file /path/to/saved/ca.cer
    Note: If prompted to trust the certificate, enter “yes” to trust this certificate and all subsequent certificates.
    sudo keytool -import -alias intermed -keystore /path/to/saved/keystore.jks -trustcacerts -file /path/to/saved/int.cer
sudo keytool -import -alias scepca -keystore /path/to/saved/keystore.jks -trustcacerts -file /path/to/saved/user.cer

Uploading the Certificate to Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Click Signing and CA Certificate Assistant at the bottom of the page.
  8. Upload the keystore.jks file.
  9. Enter the keystore password, and then click Next. Note: By default, the keystore password is "changeit”. You can change the default password.
  10. From the pop-up menu, choose the user certificate you just uploaded, and then click Next.
  11. (Optional) If needed, upload a CA certificate for an additional CA.
  12. To save the settings, click Next.
  13. Click Done.

Additional Information

For additional information, see the PKI Certificates page in the Jamf Pro Administrator's Guide.

For additional information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Like Comment