JSS Code signing cert and private key

I do like the idea of a tool to allow custom profiles to be uploaded and signed by Jamf Pro, but for now, there is a work around. It is possible to sign certificates with our built-in CA in Jamf Pro. This will result in profiles showing as green Verified once they are installed, since the same CA is used as our native profile creation interface.

To do this, create a Certificate Signing Request and Private Key on any old Mac:

openssl req -out ~/Desktop/CSR.csr -new -newkey rsa:2048 -nodes -keyout ~/Desktop/privateKey.key

Fill out the information it will prompt you for. Most important is the Common Name field. Whatever you type here will be what shows in the profile next to the green Verified status.

Now, copy every bit of text from the CSR, then open your Jamf Pro web interface and navigate to the Settings gear, then to Global Management, then PKI Certificates, then Create Certificate From CSR. Set the Certificate Type to Web Server Certificate, and then paste the contents from the CSR into the CSR box. Press Create, and a new PEM cert will be saved to your Downloads folder. Move this cert to the Desktop for consistency sake.

Now we can sign the profile with the new cert and private key by using the following:

openssl smime -sign -signer ~/Desktop/Name_of_new_cert_from_JSS.pem -inkey ~/Desktop/privateKey.key -nodetach -outform der -in /path/to/your/unsigned/profile.mobileconfig -out /path/to/save_signed.mobileconfig

Now, we can upload the new, signed configuration profile into Jamf Pro. We should see the Read Only lock message when editing the profile in Jamf Pro, which guarantees Jamf will not overwrite our modifications we just made.

All we need to do is just scope this profile out to a test machine. Once it has been installed, we can view the profile on the machine under System Preferences, Profiles. We will see that the profile is Verified from Jamf Pro, and the Signed section will have the name that we chose for the Common Name of the certificate, making it easy to see that this was a custom profile.

Hope this helps!

Thanks @dan.kubley I will look in to that.

By the way, JAMF provide an official simple method to download both the JSS CA and its private key, if they consider it acceptable to download that why on earth not the code signing cert and key?

Also I believe that strictly speaking code signing certs are supposed to have an extra flag which differentiates them from normal web server certs, it's extended key usage 'Code Signing'.

Hmm, I could probably since I have the JSS CA and key create my own code signing cert using your instructions. Ah, it seems the JSS code signing cert does not have this flag, however Apple Profile Manager does have this flag on its code signing cert. Perhaps this itself is a 'bug'.

For everyone, a possibly simpler approach now that one can get the JSS CA and private key is to import those in to XCA. XCA is a free JAVA GUI frontend to OpenSSL and makes managing and creating certs much, much easier. For example it is virtually impossible to do Subject Alternative Names via the command line but easy in XCA. With the CA and key imported in to XCA and after creating a certificate template for code signing (marking it with extension attribute Code Signing) you can then create a cert and private key pair that is a proper code signing cert.

See http://hohnstaedt.de/xca/

Thank you @dan.kubley !! I was really struggling to get a '"Verified" signed custom PPPC configuration profile onto my macs, and your solution worked perfectly for me. Cheers!

Thank you @dan.kubley ! This is very helpful and proved very educational for me.