Question

same SSL certificate for internal and DMZ jss?

Forum|Forum|8 years ago
July 20, 2017
2 replies
30 views

+4

mallej
Contributor

Hello,
do the certificates for internal and DMZ jss have to be the same?
At the moment our internal jss has only a self-signed certificate and we plan to install a DMZ jss with a Let’s Encrypt certificate.
Because Let’s Encrypt needs to update every 90 days or so and have to talk to the internet it´s not really possible to use the Let’s Encrypt certificate on the internal jss.

So, do the certificates for internal and DMZ jss have to be the same?
Is it ok to use an self-signed certificate for the internal jss and an Let’s Encrypt certificated on the DMZ jss?

+18

davidacland
Valued Contributor
Forum|Forum|8 years ago
July 20, 2017

It depends on the security settings your using in the JSS. If it's set to require a valid cert (Computer Management > Security > Enable SSL certificate verification), this will stop devices checking in to the internal JSS.

If you have any iOS devices, they will have a problem.

It would be best to have a valid cert on both sides, or to direct all client devices to the DMZ JSS.

Like

+4

mallej
Author
Contributor
Forum|Forum|8 years ago
July 20, 2017

Hi David,

yes, we want to have iOS devices.
At the moment our Setting is: SSL Certificate Verification: Always except during enrollment

So, what i understand, the best way for us (using Let’s Encrypt certificate) would be to use only the DMZ jss for client connections and to leave the internal jss "in the background".
Are there any drawbacks not using both jss (in Split DNS) for device connections?

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded