
Creating a Signing Certificate using Jamf Pro's Built-in Certificate Authority


This article explains how to create a signing certificate using Jamf Pro's built-in Certificate Authority (CA), which you can then use to sign custom configuration profiles and packages.

Creating a signing certificate generated by the Jamf Pro built-in CA provides the following benefits:

  • Marks the custom configuration profiles and packages as trusted since managed devices have established trust with the Jamf Pro CA
  • Ensures that the custom configuration profiles or packages display the same organization name as other configuration profiles created in Jamf Pro


Complete the following steps to create a signing certificate with the Jamf Pro CA:

  1. Create a certificate signing request (CSR) on your computer.
     a. Open Keychain Access.
     b. In the menu bar, navigate to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
     c. Complete the information in the Certificate Assistant window.
     d. (Optional) To have your organization's name display when users view configuration profiles locally, enter your organization's name in the Common Name field.
     e. Click Continue.
     f. Specify a file name and location, and then click Save.
  2. Open the CSR file in a text editor.
  3. Copy all the file's text to the Clipboard.
  4. In Jamf Pro, navigate to Settings > Global Management > PKI Certificates.
  5. In the Management Certificate Template pane, click Create Certificate from CSR.
  6. Paste the CSR text into the CSR field, and then select "Web Server Certificate" from the Certificate Type pop-up menu.
  7. Click Create, and then specify a location to save the CSR.
  8. On your computer, double-click the certificate to install it to your login keychain.
     Note: Once the certificate is installed in the login keychain, applications such as Apple Configurator can sign configuration profiles using that certificate. Alternatively, the native macOS security command line utility can be used. For more information, see man security in Terminal, or view the following Apple Documentation:
  9. Under the Trust menu, choose "Always Trust" from the When using this certificate pop-up menu.
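
The note in step 8 mentions the security command line utility as an alternative to Apple Configurator. The script below is an added example, not part of the original article or Jamf's own tooling: it signs a profile with the installed certificate and checks the result. The function names, return codes and file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sign a configuration profile with the identity installed in
# step 8, using the macOS `security` tool. Function names, return codes and
# file paths are hypothetical; pass the Common Name you entered in the CSR.

# An unsigned profile is an XML plist ("<?xml ..."); a signed one is a
# DER-encoded CMS message, which always starts with byte 0x30 (SEQUENCE).
# Returns 0 if the file already looks signed.
is_signed_profile() {
    [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]
}

# sign_profile <common-name> <unsigned.mobileconfig> <signed.mobileconfig>
# Returns: 0 signed and checked, 2 input file missing, 3 input already signed,
#          4 `security` tool not found (not macOS), 5 no valid identity with
#          that name in the keychain search list, 6 signing or check failed.
sign_profile() {
    cn=$1; in=$2; out=$3
    [ -f "$in" ] || return 2
    is_signed_profile "$in" && return 3
    command -v security >/dev/null 2>&1 || return 4
    # -v lists only valid identities (certificate plus its private key). The
    # private key exists only in the keychain that generated the CSR.
    security find-identity -v | grep -F "\"$cn\"" >/dev/null || return 5
    # -S creates a CMS signed message, -N selects the signing certificate.
    security cms -S -N "$cn" -i "$in" -o "$out" || return 6
    # -D decodes the signed message; the recovered payload must equal the input.
    security cms -D -i "$out" | cmp -s - "$in" || return 6
}

# Command-line use: ./sign-profile.sh "<Common Name>" in.mobileconfig out.mobileconfig
if [ "$#" -eq 3 ]; then
    sign_profile "$@" || exit $?
fi
```

Return code 5 usually means the certificate was installed on a different Mac than the one that created the CSR, so the matching private key is not present.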

Additional Information
