+7Hi JAMF nation,
The Cert: CN=JSS Built-In Signing Certificate, OU=FILEVAULT2COMM expired in my paternity leave and when i try to renew it i have only the possibility to revoke it in Settings -> Global Management -> PKI Certificate -> Jamf Pro Built-in CA.
Do i have a chance to renew that? Or do I have to create a new one, but that means to recreate all Recovery Keys, right?
Thank you very much.
BR
Daniel
Best answer by dpratl
Hi @TheWarmAtlantic,
My ticket will be closed soon.
General answer from support: Certificates from the internal CA are managed automatically when they are in use.
We didn't use them, even we had one in a Configuration Profile:
But in the same ConfProfile we set up the FileVault Personal Recovery Key Encryption Method to "Automatically" (red in the screenshot) - that means the Built In Cert is used automatically, not the one we have added to the ConfProfile:
After removing the expired Cert from the ConfProfile and distributing to my Testclient a new Cert was shown:
All seems to work, these certs didn't have any effect on our Macs.
I hope that helps
BR
Daniel
+8
all 4 of these are about to expire for me and I can't find any documentation on how to renew them. so if you found out do let me know.
+7I found this here on how to renew your certificates - https://docs.jamf.com/technical-articles/Renewing_Jamf_Pro_JSS_Built-In_Certificate_Authority_CA.html
If you are having problems with that I recommend contacting Jamf support to avoid any interruption as this would indeed be catastrophic.
+8I found this here on how to renew your certificates - https://docs.jamf.com/technical-articles/Renewing_Jamf_Pro_JSS_Built-In_Certificate_Authority_CA.html
If you are having problems with that I recommend contacting Jamf support to avoid any interruption as this would indeed be catastrophic.
my built-in CA doesn't expire for another 5 years... these are signing certificates signed by that CA. it would be strange to have to renew the CA to renew a signing certificate.
+7
all 4 of these are about to expire for me and I can't find any documentation on how to renew them. so if you found out do let me know.
I have opened a support ticket for this, as soon as we get that problem solved I will post it here.
BR
Daniel
+7Hi @TheWarmAtlantic,
My ticket will be closed soon.
General answer from support: Certificates from the internal CA are managed automatically when they are in use.
We didn't use them, even we had one in a Configuration Profile:
But in the same ConfProfile we set up the FileVault Personal Recovery Key Encryption Method to "Automatically" (red in the screenshot) - that means the Built In Cert is used automatically, not the one we have added to the ConfProfile:
After removing the expired Cert from the ConfProfile and distributing to my Testclient a new Cert was shown:
All seems to work, these certs didn't have any effect on our Macs.
I hope that helps
BR
Daniel
+7I have opened a support ticket for this, as soon as we get that problem solved I will post it here.
BR
Daniel
@dpratl have you received any reponse to your ticket?
All the certificates listed by @TheWarmAtlantic above are expired for us as well.
+20This is probably going to impact a lot of Jamf customers soon, both on-prem and in Jamf Cloud. They have a Product Issue where the FV2 signing certificate (used to escrow keys) expires 5 years after the Built-in CA was generated.
PI-008323 - Configuration profiles created before the signing certificate expiration are not updated with a new FilevaultComm2 cert
Many of you created new profiles in 2017-2018 to account for changes in 10.13, APFS, and SecureToken. Even today, you can deploy a profile with an expired certificate without any problems. macOS and Jamf do not check the validity of certificates within the profile. That's the admin's responsibility.
To complicate matters, in the Jamf Pro console, the certificate payload of the existing profile appears empty and awaiting configuration. You have to edit the profile, then select Certificate, then click the Configure button. Now you can see the expired cert AND a new blank entry. (I'm calling this behavior a separate Jamf UI bug, since any cert attached to a profile should be displayed no matter what).
In short ... if you have upgraded to Jamf 10.31 or later, you have to generate a brand new configuration profile with the FileVault payloads in order to generate the new FV2 Escrow Cert.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
