Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using Command Prompt and Uploading the Certificate to Jamf Pro


This article explains how to obtain a signing certificate from a Microsoft CA using Command Prompt and upload the certificate to Jamf Pro. When a computer or mobile device that needs a certificate checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate. You can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment so that devices do not need to access the SCEP server. With Jamf Pro enabled as SCEP Proxy, Jamf Pro communicates directly with the SCEP server to obtain certificates and install them on computers and mobile devices. For more information, see Communication of Jamf Pro as SCEP Proxy.


  • Jamf Pro 10.0.0 or later
  • Java Development Kit (JDK) with the keytool utility Note: If you do not have keytool, OpenSSL is an alternative. Contact your support representative for more information.
  • A Microsoft CA server


The procedure involves the following steps:

  1. Generating a Certificate Signing Request
  2. Downloading the Certificate from the Microsoft CA Server
  3. Uploading the Certificate to Jamf Pro

Generating a Certificate Signing Request

  1. On a computer with JDK, open Command Prompt.
  2. Use keytool to generate a certificate signing request by executing the following commands: Note: Modify the following command with your organization's information and desired certificate duration and security level.
    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -genkey -alias scepca -keyalg RSA -keypass "changeit" -storepass "changeit" -dname "CN=, OU=Department, O=Organization, L=City, ST=State, C=Country" -keystore "C:\path\to\save\keystore.jks" -validity 365 -keysize 2048
    "C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe" -certreq -keyalg RSA -alias scepca -file "C:\path\to\save\certreq.csr" -keystore "C:\path\to\keystore.jks"
    Note: If you are using Java version 8 or later, you will get a warning message during this process. This is expected and can be ignored.
  3. When prompted, enter a password for the keystore. By default, the password is “changeit”. Note: You can change the default password.
  4. Using Notepad, open the certreq.csr file you generated.
  5. Copy the content of the certreq.csr file.

Downloading the Certificate from the Microsoft CA Server

  1. Navigate to your Microsoft CA server. For example: http://CAServerAddress/certsrv/
  2. Enter your username and password.
  3. On the Microsoft Active Directory Certificate Services homepage, click Request a certificate.
  4. Click advanced certificate request.
  5. Paste the .csr file content in the Saved Request field.
  6. Choose “User” from the Certificate Template pop-up menu.
  7. Click Submit. Note: If your server is not configured with the auto-approve option, have the submitted certificate request manually approved before clicking View the status of a pending certificate request and continuing to step 8.
  8. Select Base 64 encoded.
  9. Click Download certificate, and then rename the certificate as “user.cer”.
  10. Click Download certificate chain to download the .p7b file.
  11. To extract certificates from the .p7b file, do the following: a. Double-click the bundle. By default, it opens in CertMgr. b. Expand the file, and then click Certificates. c. Right-click the root certificate and click All Tasks > Export to export it as a .cer file. This opens the Certificate Export Wizard. d. Click Next. e. Select Base-64 encoded X.509 (.CER). f. Click Next. g. Click Browse to specify a location and rename the file. It is recommended that you rename the root CA certificate to "ca.cer". h. Click Next. i. Click Finish. This exports the file. j. Complete steps c-i as needed for the intermediate or issuing CA certificates. It is recommended that you rename the intermediate and issuing CA certificates to “int.cer” and “issuer.cer”, respectively.
  12. To import all certificates to the keystore, execute the following commands in this order:
    “C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe” -import -alias root -keystore "C:\path\to\keystore.jks" -trustcacerts -file “C:\path\to\saved\ca.cer”
    Note: If prompted to trust the certificate, enter "yes" to trust this certificate and all subsequent certificates.
    “C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe” -import -alias intermed -keystore "C:\path\to\keystore.jks" -trustcacerts -file “C:\path\to\saved\int.cer”
    “C:\Program Files\Java\jdk1.8.0_XXX\bin\keytool.exe” -import -alias scepca -keystore "C:\path\to\keystore.jks" -trustcacerts -file “C:\path\to\saved\user.cer”

Uploading the Certificate to Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click Global Management.
  4. Click PKI Certificates.
  5. Click Management Certificate Template.
  6. Click External CA.
  7. Click Signing and CA Certificate Assistant at the bottom of the page.
  8. Upload the keystore.jks file.
  9. Enter the keystore password, and then click Next. Note: By default, the keystore password is "changeit”. You can change the default password.
  10. From the pop-up menu, choose the user certificate you just uploaded, and then click Next.
  11. (Optional) If needed, upload a CA certificate for an additional CA.
  12. To save the settings, click Next.
  13. Click Done.

Additional Information

For additional information, see the PKI Certificates page in the Jamf Pro Administrator's Guide.

For additional information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Like Comment