Does Step 3 in the KB for GSX help? https://jamfnation.jamfsoftware.com/article.html?id=26

It looks like for a CSR that is not generated in the JSS for GSX, directions for generating the the key-pair are shown in Step 3

Thanks Tom,

Did not see those instructions, but it won't work anyway, as when I dragged the cert into Keychain Access, the private key is missing.

Guess I gotta generate a new CSR and deal with Apple again.

I was having the same issue, I contacted GSX Web Support and was told
"The private key would have been created on your side when you created the CSR file.

If you do not have the private key you can create a new CSR and a new Private Key, and I will revoke the old Certificates and create new PEM files and send them back to you."

What we ended up doing was create a .p12 file from our privatekey submitted to GSX Web Support and the Applecare..pem file received back. You will need the password used to create the privatekey.

Instructions are located at https://www.tbs-certificates.co.uk/FAQ/en/288.html

I now have connection to GSX and have downloaded purchasing information on over 250 devices to verify.

Ok, so I generated a new CSR..this time from the JSS, sent it to apple and this time they’re telling me the following:

"Certificate request is INVALID! The following errors must be addressed before submitting:
Organization is required
Invalid signature algorithm detected. Signature algorithm must use SHA-2 (Note: SHA-1 and MD5 are too weak and not supported).”

Ugh….

matt.smalley posted an openssl command that could be used to create the p12 file at https://jamfnation.jamfsoftware.com/discussion.html?id=16640.

If that works for you, you could avoid generating another CSR.

Thanks fellas.

I just found the initial CSR and private key that I generated way back in May, and ultimately sent to Apple.

If I sent them both files, I find it ridiculous they sent me a cert back that didn't contain the key.

@mradams Thanks so much for info, we finally got ours working with your instructions. I to had contacted Apple again and they wanted to create new certs and what not.. Thank goodness I found this Jamf article before I had to redo all of that. Thanks again!

ok, so I've managed to get the new cert from Apple and merged it with the private key created with the CSR. It's uploaded into JSS successfully, but when I test it, it fails. See below.

Any ideas? I've verified the sold-to account is correct.

Verify the .pem received from Apple has the correct sold to account number in its name.

It does, yet still fails.

we go this sorted. The CN entry in the CSR had a typo. Once fixed and new cert created by Apple, all is well.

Unreal. For a company based on simplicity, Apple sure made GSX access a pain in the butt.