Skip to main content
Question

Renewing Jamf Pro CA certificate chain

  • August 10, 2020
  • 4 replies
  • 71 views
J
Forum|alt.badge.img+14

Hello,

Has anyone who upgraded to 10.23.0 gone through the process of renewing the Jamf Pro CA certificate? Ours expires in 2026 but the certificates issued by the CA have a 5 year validity period and are expiring next year.

Based on the Jamf KB article it's as simple as clicking 'Renew' and the devices will automatically be issued with the new certificate via MDM push, but does this automatically update all of the configuration profiles on a Mac/iPad with the new JSS Built-in Signing Certificate used to sign the profiles?

Thanks in advance,
Justin.

    4 replies

    J
    Forum|alt.badge.img+14
    • jtrant
    • Author
    • Honored Contributor
    • August 11, 2020

    Anyone?

    D
    Forum|alt.badge.img+8
    • drhoten
    • Employee
    • August 13, 2020

    Hello @jtrant

    In Jamf Pro 10.23 only the device identity certificate in the MDM profile is renewed. This can be done by either renewing the built-in CA or independently for a group of one or more devices using a mass action in a smart group or advanced search.

    To redistribute a configuration profile, you would need to manually edit the config proile and select the option for distributing the changes to all devices once it is saved.

    J
    Forum|alt.badge.img+14
    • jtrant
    • Author
    • Honored Contributor
    • August 19, 2020

    Thanks @drhoten, we renewed the CA this morning but only the CA itself renewed, none of the signing certificate expiration dates changed. The documentation states that all signing certificates are automatically renewed.

    Does this only happen if they are set to expire within a certain time period? Ours are good until 10/2021 but we wanted to renew them well ahead of time as Jamf is not available outside of our network, and there are a number of clients that don't check in frequently.

    Edit: The certs did renew based on the logs, but the UI still shows the old dates. New clients are still getting certs signed by the JSS signing cert that expires in 2021.

    D
    Forum|alt.badge.img+8
    • drhoten
    • Employee
    • August 27, 2020

    Hello @jtrant

    After the CA is renewed, devices are marked as needing a new MDM profile. The next time the device is sent another MDM command it is also sent a Renew MDM Profile command. This is so we are not sending new MDM profiles to all devices in your fleet at the same time, so it may take a while for the new device identity certificates to appear on devices.

    Are you still setting new clients being signed by the the older signing certificate?

    Terms & ConditionsCookie settingsAccessibility statement