On-premise PKI with unique cert per machine question


Good morning,

So I'm not that familiar with certs, but we are setting up an ISE system, and we need each machine to have its own trusted cert from our PKI. While I use Jamf, I'm not that familiar with certs. I have read through the below, but I'm still not sure how to push out a unique trusted cert to each Mac. I have done things with Jamf's internal CA for the Mac but never a PKI.


Any Documentation or resources?




I did find the below. Would setting up AD CS allow us to generate a unique cert per machine?




Contributor III

Yes, AD CS will do what you need. Once it's set up, you'll use a config profile with something like CN=$SERIALNUMBER.domain.com in the subject field to help identify devices connecting through ISE.


You can also use Jamf Pro as SCEP proxy if you already have NDES running somewhere on your network.

Hi @merps 


So you are saying if I have a SCEP proxy and NDES, then I don't need AD CS?

And the Subject in the configuration profile for SCEP can take variables? The cert subject name is going to be unique, the hostname of each machine.


I also reached out to Jamf Support and got the below answer; I wanted to get your thoughts.


To start, below is the link to the documentation on integrating Cisco ISE with Jamf Pro: https://docs.jamf.com/10.41.0/jamf-pro/documentation/Network_Integration.html

However, for what we're trying to achieve, the integration with Cisco ISE will not be necessary. We can achieve this by ensuring we have everything configured as needed on the Cisco ISE side, and then choosing the workflow from the flowchart below: https://docs.jamf.com/technical-papers/jamf-pro/8021x/10.0.0/Overview.html

We certainly can use variables for individual certificates on the Mac side using SCEP: https://docs.jamf.com/technical-papers/jamf-pro/scep-proxy/10.0.0/Overview.html