Jamf Nation Community

@perrycj I get that, but I'm trying to use a cert from the JSS PKI itself. How would I get the cert and private key?

@PhillyPhoto Did you ever get this issue fixed? I am on the same situation on a Windows environment. I am using a private cert and I need to enable SSL.

JSS does not itself enable signing uploaded configuration profiles. If you upload an unsigned profile either the contents can be exposed or it can be shown as unverified in Profiles on the Mac. If you use an alternative signing certificate it again may end up being shown as unverified because it is not part of the chain of trust.

The inability for uploaded profiles to be easily signed by JSS by an approved administrator is (one of many) areas where JAMF are failing to make life easier for administrators.

JSS does not allow downloading the private key for its own signing certificate although it does allow downloading its own rootCA and private key. Arguably the rootCA for JSS is even more of a security risk than its signing certificate so why this is so seems completely illogical. As such you therefore cannot use the same JSS signing certificate externally to JSS to sign your profile before uploading it.

However since as detailed above it is possible to download the JSS rootCA and private key there is a workaround that duh works. ;) This is to use the JSS internal rootCA and private key to create your own signing certificate.

1. Download the JAMF JSS rootCA and private key via - Settings -> Global Management -> PKI Certificates -> Management Certificate Template -> Create CA Backup
2. Using the downloaded JSS self-signed rootCA and private key create your own code signing certificate, you can look at the built-in JSS signing cert as a guide, you cannot use the built-in code signing cert because JAMF do not give a way to obtain its matching private key
3. Having now created your own code signing cert and private key from the same JSS self signed rootCA as the built-in signing cert you can sign your profile before uploading it
4. Since your profile is now signed and is signed by a cert based on the same JSS self signed rootCA it will be marked as verified

Note: Apple's Keychain Access utility cannot create 'proper' signing certificates. I use the free XCA tool instead and created a template which marks the certificate as a 'proper' signing certificate.

Note: The built-in JSS signing certificate is not marked as a 'proper' signing certificate although obviously it does the job. The picture below shows the attribute a proper signing certificate would have.

@lockwojo , could you elaborate on Step 2 in the instructions you provided, or what you did with SCA? I was able to download the backup you mentioned in Step 1 (a .p12 file), but I'm unsure of what to do after that. I tried just importing it into Keychain (I don't think that's what I was supposed to do, but I didn't know what else to try) and it didn't show up as a signing option in Apple Configurator 2. I'm experimenting with XCA now, but was hoping you could provide some guidance.