JSS Code signing cert and private key

New Contributor III

The JSS has its own built-in CA and also has its own built-in code signing certificate to sign the Configuration Profiles you create in JSS. This all works - as one would expect. However it is possible to upload Configuration Profiles to the JSS that you may have created elsewhere e.g. Apple Configurator or even by hand.

It is possible to sign these using in theory any cert but it clearly makes sense to sign it with the same code signing cert that the JSS is using so that everything is equally trusted.

In fact see this older thread https://www.jamf.com/jamf-nation/discussions/20436/jss-signing-certificate-private-key it raises pretty much the same issue and did not get a successful reply.

I too would like to be able to sign my own custom Configuration Profiles, I can download the JSS Code Signing Cert but I don't get the private key - which is correct. I do however as the admin I have full local access to the JSS server and would therefore be able to access any file and simply need to know which and where it is. I am running JSS 10.4.1 on Ubuntu 16.04.

Whilst I have been able to sign my custom configuration profile using an alternative cert it ends up being shown as Unverified, whereas those signed by the built-in one are of course Verified.

If Jamf regard it as too secret then why not build in a tool to let admins optionally sign uploaded Configuration Profiles?


New Contributor III
New Contributor III

I do like the idea of a tool to allow custom profiles to be uploaded and signed by Jamf Pro, but for now, there is a work around. It is possible to sign certificates with our built-in CA in Jamf Pro. This will result in profiles showing as green Verified once they are installed, since the same CA is used as our native profile creation interface.

To do this, create a Certificate Signing Request and Private Key on any old Mac:

openssl req -out ~/Desktop/CSR.csr -new -newkey rsa:2048 -nodes -keyout ~/Desktop/privateKey.key

Fill out the information it will prompt you for. Most important is the Common Name field. Whatever you type here will be what shows in the profile next to the green Verified status.

Now, copy every bit of text from the CSR, then open your Jamf Pro web interface and navigate to the Settings gear, then to Global Management, then PKI Certificates, then Create Certificate From CSR. Set the Certificate Type to Web Server Certificate, and then paste the contents from the CSR into the CSR box. Press Create, and a new PEM cert will be saved to your Downloads folder. Move this cert to the Desktop for consistency sake.

Now we can sign the profile with the new cert and private key by using the following:

openssl smime -sign -signer ~/Desktop/Name_of_new_cert_from_JSS.pem -inkey ~/Desktop/privateKey.key -nodetach -outform der -in /path/to/your/unsigned/profile.mobileconfig -out /path/to/save_signed.mobileconfig

Now, we can upload the new, signed configuration profile into Jamf Pro. We should see the Read Only lock message when editing the profile in Jamf Pro, which guarantees Jamf will not overwrite our modifications we just made.

All we need to do is just scope this profile out to a test machine. Once it has been installed, we can view the profile on the machine under System Preferences, Profiles. We will see that the profile is Verified from Jamf Pro, and the Signed section will have the name that we chose for the Common Name of the certificate, making it easy to see that this was a custom profile.

Hope this helps!

New Contributor III

Thanks @dan.kubley I will look in to that.

By the way, JAMF provide an official simple method to download both the JSS CA and its private key, if they consider it acceptable to download that why on earth not the code signing cert and key?

Also I believe that strictly speaking code signing certs are supposed to have an extra flag which differentiates them from normal web server certs, it's extended key usage 'Code Signing'.


Hmm, I could probably since I have the JSS CA and key create my own code signing cert using your instructions. Ah, it seems the JSS code signing cert does not have this flag, however Apple Profile Manager does have this flag on its code signing cert. Perhaps this itself is a 'bug'.

For everyone, a possibly simpler approach now that one can get the JSS CA and private key is to import those in to XCA. XCA is a free JAVA GUI frontend to OpenSSL and makes managing and creating certs much, much easier. For example it is virtually impossible to do Subject Alternative Names via the command line but easy in XCA. With the CA and key imported in to XCA and after creating a certificate template for code signing (marking it with extension attribute Code Signing) you can then create a cert and private key pair that is a proper code signing cert.

See http://hohnstaedt.de/xca/

New Contributor III

Thank you @dan.kubley !! I was really struggling to get a '"Verified" signed custom PPPC configuration profile onto my macs, and your solution worked perfectly for me. Cheers!

New Contributor

Thank you @dan.kubley ! This is very helpful and proved very educational for me.