As a Mac admin, you may come across a time that you need to deliver a package during a PreStage enrollment. To make this possible, the package must be signed or the installation will fail. In this guide we will walk through creating a signed certificate that can be used to sign a package with Jamf’s packaging tool ‘Composer’.

Note: If you already have an Apple Developer Cert, you use that to sign your package and you may not need to go through this guide for creating a signed certificate.

Creating a Signed Certificate on a Mac

1. On your Mac, open Keychain Access
2. Go to the Keychain Access menu, choose Certificate Assistant, then choose Request a Certificate From a Certificate Authority...

3. In the Certificate Information window, enter an organizational email address in the User Email Address field
4. In the Common Name field, enter your organization’s name
5. Select Saved to disk
6. Click Continue

Note: Some admins have reported that changing the default Common Name in the Certificate Information window caused an issue that makes the certificate appear to be expired when looking at the signed package created with Composer. See the following post for more information: https://macadmins.slack.com/archives/C04FRRN3281/p1674140186594089

7. Choose a destination to save to, then click Save
8. In the Conclusion message, click Done. A private key is automatically generated and saved in your login keychain.

9. Local the file that you created, control-click it, then choose to Open With TextEdit

10. Copy the entire content of the file. The information in our CSR will be used to supply Jamf Pro information needed to create our certificate.

11. Now, in Jamf Pro navigate to Jamf Pro Server > Settings > Global > PKI Certificates

12. Click Management Certificate Template, then the Create Certificate from CSR button

13. Paste in your CSR value into the CSR field, change the Certificate Type to Web Server Certificate, then click Create

14. The signed certificate will be downloaded to your browser’s default download location. Once you have the downloaded signed certificate you can close your browser.
15. In Finder, find the location of the newly signed certificate. Open the .pem file

16. If prompted to add the certificate to a keychain, select your login keychain, then click Add
17. In the Keychain Access toolbar at the top, click My Certificates. To confirm the certificate you just imported is displayed with the private key, select the certificate and click the disclosure triangle. At this point your Mac is the only place where your private key is stored.

18. If your certificate does not show trusted, double click the certificate, click the disclosure triangle next to Trust, click the menu next to When using this certificate and choose to Always Trust

That’s all there is too it! Now you have a certificate that can be used to sign the packages you create! Make sure you make note of the expiration date. Once this certificate expires you may have trouble continuing to deploy your package in a PreStage enrollment as it is no longer a valid cert.

Thanks for checking out this guide!