Posted on 06-25-2018 08:17 AM
We're planning to change the SSL cert from the default built-in JSS cert to one from one of our trusted 3rd-party vendors.
I've read a few of the threads here indicating that it is relatively straightforward, especially since the utility was added to the JSS Settings > Apache Tomcat Settings to update the cert from the web portal. Uploading the new certificate should not be a problem.
My question revolves around devices and propagation of the new cert. All corporate devices are enrolled in DEP.
Are there any concerns with devices that may not have contacted the JSS recently not being able to securely communicate (after the cert update), and thus not getting the new certificate? Will these devices need to be re-enrolled?
Any other gotchas that may affect support staff and user devices?
One of the support reps seemed to be confident that we could just go ahead and change it, but I'd rather be sure.
Thanks!
Some of the information I've referenced so far:
http://docs.jamf.com/10.5.0/jamf-pro/administrator-guide/SSL_Certificate.html
https://www.johnkitzmiller.com/blog/dep-fails-in-casper-when-using-a-publicly-trusted-ssl-certificate/
https://www.jamf.com/jamf-nation/articles/447/safely-configuring-ssl-certificate-verification
https://www.jamf.com/jamf-nation/articles/455/change-to-the-ssl-certificate-verification-setting-in-jamf-pro-9-98-or-later
https://www.jamf.com/blog/enhancements-to-certificate-security-for-mdm-enrollment/
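The question above comes down to trust anchors: a device accepts the server's certificate only if the issuing root is in a trust store it consults. The script below is an added example, not part of the original thread or any Jamf tooling: it builds two throwaway PKIs with openssl (one standing in for the built-in JSS CA, one for a public vendor CA; both names and the hostname jss.example.com are constructed), then checks which server certificate a client that trusts only one of those roots would accept.

```shell
#!/bin/sh
# Constructed example, not from the thread: two throwaway PKIs stand in for the
# built-in JSS CA and a publicly trusted vendor CA, and a client's trust store is
# modelled as a single CA file handed to "openssl verify".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki CA_NAME SERVER_CN
# Writes $WORK/CA_NAME.pem (the root) and $WORK/CA_NAME-server.pem (a server
# cert for SERVER_CN signed by that root). Key sizes and lifetimes are test-only.
make_pki() {
  ca="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca" \
    -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$ca-server.key" -out "$WORK/$ca-server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$ca-server.csr" -CA "$WORK/$ca.pem" \
    -CAkey "$WORK/$ca.key" -CAcreateserial -days 1 \
    -out "$WORK/$ca-server.pem" >/dev/null 2>&1
}

# trusted_by TRUST_STORE_PEM SERVER_PEM
# Exit 0 when the server certificate chains to a root in the trust store, 1 otherwise.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of SERVER_PEM
# Prints the issuer DN; this is the field that changes when the cert is swapped.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# Demo: same hostname, one cert from the built-in CA and one from the public CA,
# checked against a client that trusts only one root at a time.
main() {
  make_pki builtin-jss-ca jss.example.com
  make_pki public-vendor-ca jss.example.com
  for store in builtin-jss-ca public-vendor-ca; do
    for srv in builtin-jss-ca public-vendor-ca; do
      if trusted_by "$WORK/$store.pem" "$WORK/$srv-server.pem"; then
        r=trusted
      else
        r=UNTRUSTED
      fi
      echo "client trusting '$store' root, server cert issued by '$srv': $r"
    done
  done
}
main
```

Run it as-is; it needs only the openssl CLI. The cross-pair results show the two failure directions: a client holding only the old root rejects the new vendor-issued cert, and a client holding only the vendor root rejects the old one. Real devices consult the system trust store as well, which is why a certificate from a publicly trusted vendor is accepted by enrolled devices without redistribution of a root, whereas a cert from a private CA would need that root pushed first.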
Posted on 06-25-2018 08:23 AM
We've done this on our dev and prod environments (moved from a self-signed cert to an institution wildcard cert) and didn't encounter any issues.
Posted on 06-28-2018 09:33 AM
Thanks for the response! So, you changed this in prod and all the devices called back just fine after swapping the cert?
Any weird or additional steps you encountered?
Sincere thanks!
Posted on 06-29-2018 02:37 AM
@jonkru all devices just picked up the change as far as I can tell.
The only issue I had certificate-wise was when I upgraded our dev environment from Jamf Pro 10.something to 10.3.0: for some reason it reverted back to the self-signed certificate, so I had to reapply our wildcard certificate. I didn't have this issue upgrading our production environment from 9.98 to 104.1, though.