As a Mac admin, you may come across a time when you need to deliver a package during a PreStage enrollment. To make this possible, the package must be signed or the installation will fail. In this guide we will walk through creating a signed certificate that can be used to sign a package with Jamf’s packaging tool, Composer.
Note: If you already have an Apple Developer Cert, you can use that to sign your package and you may not need to go through this guide for creating a signed certificate.
Creating a Signed Certificate on a Mac
- On your Mac, open
- Go to the Keychain Access menu, choose Certificate Assistant, then choose Request a Certificate From a Certificate Authority...
- In the Certificate Information window, enter an organizational email address in the User Email Address field
- In the Common Name field, enter your organization’s name
Saved to disk
Note: Some admins have reported that changing the default Common Name in the Certificate Information window caused an issue that makes the certificate appear to be expired when looking at the signed package created with Composer. See the following post for more information: https://macadmins.slack.com/archives/C04FRRN3281/p1674140186594089
- Choose a destination to save to, then click
- In the Conclusion message, click Done. A private key is automatically generated and saved in your login keychain.
- Locate the file that you created, Control-click it, then choose to Open With TextEdit
- Copy the entire content of the file. The information in our CSR will be used to supply Jamf Pro information needed to create our certificate.
- Now, in Jamf Pro navigate to Jamf Pro Server > Settings > Global > PKI Certificates
Management Certificate Template, then the Create Certificate from CSR button
- Paste your CSR value into the CSR field, change the Certificate Type to Web Server Certificate, then click
- The signed certificate will be downloaded to your browser’s default download location. Once you have the downloaded signed certificate you can close your browser.
- In Finder, find the location of the newly signed certificate. Open the .pem file
- If prompted to add the certificate to a keychain, select your login keychain, then click
- In the Keychain Access toolbar at the top, click My Certificates. To confirm the certificate you just imported is displayed with the private key, select the certificate and click the disclosure triangle. At this point your Mac is the only place where your private key is stored.
- If your certificate does not show as trusted, double-click the certificate, click the disclosure triangle next to Trust, click the menu next to When using this certificate and choose to
That’s all there is to it! Now you have a certificate that can be used to sign the packages you create! Make sure you make note of the expiration date. Once this certificate expires, you may have trouble continuing to deploy your package in a PreStage enrollment, as it is no longer a valid cert.
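As an added example (not part of the original guide or of Jamf's tooling), the shell functions below use `openssl` to confirm that the downloaded certificate carries the same public key as the CSR you submitted, and to check how long it remains valid. File paths are placeholders, and the sample pair is generated locally as a self-signed stand-in for the certificate Jamf Pro returns.

```shell
#!/bin/sh
# Added example, not from the guide. File names are placeholders.

# Succeeds only if the certificate carries the same public key as the CSR,
# i.e. it pairs with the private key that stayed in the login keychain.
csr_matches_cert() {   # usage: csr_matches_cert request.csr signed.pem
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days signed.pem 30
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample: throwaway key + CSR, self-signed as a stand-in for the
# certificate Jamf Pro would return. usage: make_sample dir name days
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Example Org" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days "$3" \
        -out "$1/$2.pem" >/dev/null 2>&1
}

# Print a verdict for one pair. usage: check_pair request.csr signed.pem [days]
check_pair() {
    if csr_matches_cert "$1" "$2"; then echo "OK: certificate matches CSR"
    else echo "FAIL: certificate does not match CSR"; fi
    if cert_valid_for_days "$2" "${3:-30}"; then echo "OK: valid for ${3:-30}+ days"
    else echo "WARN: expires within ${3:-30} days"; fi
    openssl x509 -in "$2" -noout -subject -enddate
}

if [ $# -ge 2 ]; then
    check_pair "$@"            # check the files named on the command line
else                           # no files given: run on a constructed pair
    tmp=$(mktemp -d) && make_sample "$tmp" demo 365 &&
        check_pair "$tmp/demo.csr" "$tmp/demo.pem"
    rm -rf "$tmp"
fi
```

After signing the package in Composer, `pkgutil --check-signature /path/to/package.pkg` on macOS reports the signing certificate and its status.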
Thanks for checking out this guide!