I would consider also getting a wildcard cert if you can for your domain...it costs a bit more but I have the flexibility of just "copying the keystore file" and updating my server.xml on all my Tomcat instances that way.

That should really be all you need to do. As long as you include all of the SANs you should be in good shape.

i would also put in a call to jamf support just to make sure. something about possibly having to re-enroll every device just scares the crap out of me.

@jchurch always a valid step.... i'm with you on that. I'm never afraid to call them for a sanity check...even if there is 1% uncertainty. I realized early on that this is better than having a sleepless night wondering if something I'm about to do is going to make my life hell or cause me to get yelled at. That is why you pay for support.

Security best practice would say to not use the same private key on the servers but instead to do a different one. You might also want to consider using Let's Encrypt, which is free if cost has been the issue holding you back. We use a wildcard cert with separately issued keys from Digicert.

@john_wetter is very right. The way we did it was honestly out of convenience sake, but I'll note that I'm not the only one doing that here. That also being said, I am likely to learn from this and may go through the joy of doing different private key/public key pairs at the right time. Cost isn't the issue...we can generate unlimited wildcard certs from digicert for our domain. We did use the highest encryption they would offer us when doing that, but I am going to learn from this and consider doing it differently as the goal is to increase security not decrease it.

Source for my change of position: Our new network security guy...he said we should be okay as it would be difficult to compromise that cert but that if we did, we would have it compromised on multiple servers.