See part 1 if you want general information on how to implement 802.1X device certificates with Jamf via the ACME protocol.
Our whole workflow does what it should do, right? Not quite: the renewal process for the certificates was not configurable. But Jamf fixed just that with the release of Jamf Pro 11.19.0.
Renewal of certificates
Now it is possible to set a renewal date relative to the expiry date!
As our certificates are valid for 90 days, we chose 30 days before expiry as a good starting point. It is long enough that vacations or business trips don't end with an expired certificate.

Change the value from "never" to the desired interval, e.g. 30 days.
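To verify on a device that the renewal window actually matches what Jamf was configured with, the check below reads a PEM certificate and reports whether it is already inside the 30-day window (i.e. whether a renewal should have been triggered). This is an added example, not part of the original post or of Jamf's tooling; it assumes openssl is installed and uses a constructed self-signed test certificate in place of a real device certificate exported from the keychain.

```shell
#!/bin/sh
# Added example: check whether a certificate is inside the renewal window.
# Assumptions: openssl is on PATH; RENEW_DAYS mirrors the Jamf setting (30 days).

RENEW_DAYS=30

# make_cert <out.pem> <days>
# Constructed test data only: a throwaway self-signed certificate valid for <days>.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=constructed-test-device" >/dev/null 2>&1
}

# in_renewal_window <cert.pem>
# Returns 0 if the certificate expires within RENEW_DAYS (renewal is due),
# 1 if it is still valid beyond the window. openssl's -checkend exits 0 when
# the certificate will NOT expire within the given number of seconds.
in_renewal_window() {
    if openssl x509 -in "$1" -noout -checkend $(( RENEW_DAYS * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_cert <cert.pem>
# Prints subject, expiry date and the verdict for one certificate.
report_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    enddate=$(openssl x509 -in "$1" -noout -enddate)
    if in_renewal_window "$1"; then
        echo "$subject | $enddate | RENEWAL DUE (within $RENEW_DAYS days)"
    else
        echo "$subject | $enddate | ok (outside renewal window)"
    fi
}

# Stand-alone demo with two constructed certificates: one freshly issued for
# 90 days (outside the window) and one with only 10 days left (inside it).
demo() {
    tmp=$(mktemp -d)
    make_cert "$tmp/fresh.pem" 90
    make_cert "$tmp/expiring.pem" 10
    report_cert "$tmp/fresh.pem"
    report_cert "$tmp/expiring.pem"
    rm -rf "$tmp"
}
```

Run `demo` to see both verdicts; on a managed Mac you would point `report_cert` at the exported device certificate instead. If a certificate is reported as "RENEWAL DUE" but Jamf has not issued a new one, the renewal setting or the device's check-in is the first thing to look at.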
Further thoughts about the whole ACME workflow
- A revocation procedure would be nice. This might be useful when a device gets compromised or stolen. Sadly, step-ca does not support a certificate revocation list, but certificates can be revoked manually. See here for further details.
- Instead of deploying a completely new root CA, maybe an existing one can be used as a trust anchor and our intermediate CA can be signed by it? There is also documentation available for that case.
- Our iPads can be managed the same way; only a different webhook is needed.
- What about signing certificates for Android or Windows devices? They can't use the device attestation protocol with Apple's servers. Android devices may come into Jamf one day, and our Active Directory for the Windows devices could be deprecated once Microsoft chooses to do that.