You should be safe as long as the computers are going to trust the new cert without any change to them. I'd double check with jamf support though.

The other thing I wanted to note is - you can tell your computer to trust the self signed cert. Unless you are using a lot of random computers to manage the jss, it's not usually worth the hassle. And if you are using managed machines - you could push the self-signed cert out as a trusted one using the jss and never have to worry on anything but an unmanaged system.

Yeah you don't want clients explicitly trusting the cert itself. You want them trusting the *root* cert which your tomcat cert is derived from. Explicitly trusting identity certs is a bad idea if you need to revoke it at some point.

+1 @ Jared. Your clients... ALL of them must recognize the root (I.e. Verisign, godaddy... Or whathaveyou etc) BEFORE you push the cert. just finished my second day of the CJA and we had a really lively discussion about what would happen if this isn't done and reverified. There are a few published extension attributes from JAMF as I recall to help you check on this... Sorry not to post a link, but I'm tired enough to have already had to fix several typos in this post and who knows what other stuff I've missed. One way or another, be very very happy that your not going to use the self signed cert any longer... Though you should really be changing it for reasons other than sheer annoyance ;-)

I have half-a-hunch that you work somewhere that has an internal CA (for digital signatures, authentication, SSL-enabled sites). That should be the authority by which your JSS cert is trusted.