9.8, GSX and Certificate Error

ooshnoo
Valued Contributor

Peeps...

Has anyone tried 9.8 and uploading their Apple provided GSX certificate?

I did so last night, and got an error stating that the key pair was missing. (see attached)

I already emailed Apple GSX support, but just thought I'd throw this out there to see if anyone else was experiencing the same...

1 ACCEPTED SOLUTION

ooshnoo
Valued Contributor

We got this sorted. The CN entry in the CSR had a typo. Once fixed and new cert created by Apple, all is well.

Unreal. For a company based on simplicity, Apple sure made GSX access a pain in the butt.


11 REPLIES

tom
New Contributor

Does Step 3 in the KB for GSX help? https://jamfnation.jamfsoftware.com/article.html?id=26

It looks like for a CSR that is not generated in the JSS for GSX, directions for generating the key pair are shown in Step 3.

ooshnoo
Valued Contributor

Thanks Tom,

Did not see those instructions, but it won't work anyway, as when I dragged the cert into Keychain Access, the private key is missing.

Guess I gotta generate a new CSR and deal with Apple again.

mradams
Contributor

I was having the same issue. I contacted GSX Web Support and was told: "The private key would have been created on your side when you created the CSR file.

If you do not have the private key you can create a new CSR and a new Private Key, and I will revoke the old Certificates and create new PEM files and send them back to you."

What we ended up doing was create a .p12 file from our privatekey submitted to GSX Web Support and the Applecare..pem file received back. You will need the password used to create the privatekey.

Instructions are located at https://www.tbs-certificates.co.uk/FAQ/en/288.html

I now have connection to GSX and have downloaded purchasing information on over 250 devices to verify.

ooshnoo
Valued Contributor

OK, so I generated a new CSR... this time from the JSS, sent it to Apple, and this time they're telling me the following:

"Certificate request is INVALID! The following errors must be addressed before submitting:
Organization is required
Invalid signature algorithm detected. Signature algorithm must use SHA-2 (Note: SHA-1 and MD5 are too weak and not supported)."

Ugh….

tom
New Contributor

matt.smalley posted an openssl command that could be used to create the p12 file at https://jamfnation.jamfsoftware.com/discussion.html?id=16640.

If that works for you, you could avoid generating another CSR.

ooshnoo
Valued Contributor

Thanks fellas.

I just found the initial CSR and private key that I generated way back in May, and ultimately sent to Apple.

If I sent them both files, I find it ridiculous they sent me a cert back that didn't contain the key.

lammersst
New Contributor

@mradams Thanks so much for the info, we finally got ours working with your instructions. I too had contacted Apple again and they wanted to create new certs and whatnot. Thank goodness I found this Jamf article before I had to redo all of that. Thanks again!

ooshnoo
Valued Contributor

OK, so I've managed to get the new cert from Apple and merged it with the private key created with the CSR. It's uploaded into JSS successfully, but when I test it, it fails. See below.

Any ideas? I've verified the sold-to account is correct.


mradams
Contributor

Verify the .pem received from Apple has the correct sold to account number in its name.

ooshnoo
Valued Contributor

It does, yet still fails.

ooshnoo
Valued Contributor

We got this sorted. The CN entry in the CSR had a typo. Once fixed and new cert created by Apple, all is well.

Unreal. For a company based on simplicity, Apple sure made GSX access a pain in the butt.
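
The checks this thread arrived at the hard way, as an added example that is not part of any post here: confirm the CSR carries an Organization, a SHA-2 signature and the intended CN before sending it, and confirm the returned certificate pairs with the private key before building the .p12. File names, the expected CN and the `P12_PASS` variable are assumptions; the `openssl` subcommands are standard.

```shell
#!/bin/sh
# Added example: local checks on a CSR, private key and returned certificate.
# All file names and the P12_PASS variable are hypothetical.

# is_sha2 ALG: succeed if a signature algorithm name uses SHA-2.
is_sha2() {
    printf '%s\n' "$1" | grep -Eiq 'sha(224|256|384|512)'
}

# csr_check CSR EXPECTED_CN: report the problems named in this thread
# (missing Organization, non-SHA-2 signature, CN typo). Returns 0 if clean.
csr_check() {
    csr=$1; want_cn=$2; rc=0
    dn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    alg=$(openssl req -in "$csr" -noout -text |
          awk -F': ' '/Signature Algorithm/ {print $2; exit}')
    case ",$dn," in
        *,O=*) ;;
        *) echo "Organization (O=) missing from subject: $dn"; rc=1 ;;
    esac
    case ",$dn," in
        *",CN=$want_cn,"*) ;;
        *) echo "CN is not '$want_cn' in subject: $dn"; rc=1 ;;
    esac
    is_sha2 "$alg" || { echo "Signature algorithm is not SHA-2: $alg"; rc=1; }
    return $rc
}

# key_matches_cert KEY CERT [PASSIN]: succeed only if the private key and the
# certificate carry the same public key. PASSIN uses openssl's pass-phrase
# syntax (e.g. env:KEY_PASS); the default is an empty pass phrase.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout -passin "${3:-pass:}" 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# make_p12 KEY CERT OUT [PASSIN]: bundle key and certificate into a PKCS#12
# file protected by the pass phrase in $P12_PASS, after confirming they pair up.
make_p12() {
    key_matches_cert "$1" "$2" "$4" ||
        { echo "key and certificate do not match" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -passin "${4:-pass:}" -passout env:P12_PASS
}
```

Running `csr_check` with the CN typed out independently of the CSR (not copied from it) is what catches a typo like the one that resolved this thread.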