Posted on 01-28-2021 09:58 AM
What is the lift required to change ADCS connectors in Jamf Pro? The situation is that the current ADCS connector is in a dev environment but we want to switch to a new prod ADCS connector going forward. Nothing about the certificates being assigned would change, just the connector itself. What would be involved with this? From what I can find, I would need to update the ADCS URL and upload the certificates generated on the new prod ADCS connector. Is that all? Also, what would the end user experience? Would they be prompted for anything or would the certificates automatically renew? Thanks.
Posted on 01-28-2021 12:30 PM
We're in exactly the same scenario right now. For some reason our systems engineering team built it in Dev in Azure instead of Prod and now we have to move it. Hopefully someone has gone through this and can help guide us :)
Posted on 01-29-2021 06:42 AM
I think you just need to reinstall the ADCS Connector on your Windows 2016 server with your production Jamf URL. This will generate new certs that you would need to upload to your production Jamf Pro server.
Posted on 01-29-2021 08:10 AM
That was my thought as well. We're not touching the actual cert templates or policies that get pushed to Macs so my hope is that end users don't notice anything.
Posted on 01-29-2021 08:49 AM
Once you get that switched, you're going to want to confirm cert renewal works as expected. I think as long as you're using the same PKI config, you should be fine.
Posted on 01-29-2021 11:42 AM
@abfajerman once you make the switch to your production server, your test server certs will most likely disappear/fail, because the connection to your CA has been cut short. Your users will notice if you've already deployed test certs to them. I suggest making the switch on a weekend and having them receive the new certs as they check in.
Posted on 11-18-2021 03:35 PM
Quick question - what is the expected behavior for certs deployed to registered devices, in case the CA server hostname changes (not ADCS Connector, but Issuing CA server hostname)? The CA itself stays the same, only the hostname changes.
Is cert re-issuance and re-deployment triggered? Does JAMF treat this as a new CA and decide a re-push is needed? I've seen similar behavior with other MDM platforms using NDES: if the SCEP URL changed, all certs would be re-issued and redeployed...
Thanks in advance for your help and support!