Changing SSL Cert Gotchas

jonkru
New Contributor

We're planning to change the SSL cert from the default built-in JSS cert to one from one of our trusted 3rd party vendors.

I've read a few of the threads here indicating that it is relatively straightforward, especially since the utility was added to the JSS Settings > Apache Tomcat Settings to update the cert from the web portal. Uploading the new certificate should not be a problem.

My question revolves around devices and propagation of the new cert. All corporate devices are enrolled in DEP.

Are there any concerns with devices that may not have contacted the JSS recently not being able to securely communicate (after the cert update), and thus not getting the new certificate? Will these devices need to be re-enrolled?

Any other gotchas that may affect support staff and user devices?

One of the support reps seemed to be confident that we could just go ahead and change it, but I'd rather be sure.

Thanks!

Some of the information I've referenced so far:
http://docs.jamf.com/10.5.0/jamf-pro/administrator-guide/SSL_Certificate.html
https://www.johnkitzmiller.com/blog/dep-fails-in-casper-when-using-a-publicly-trusted-ssl-certificate/
https://www.jamf.com/jamf-nation/articles/447/safely-configuring-ssl-certificate-verification
https://www.jamf.com/jamf-nation/articles/455/change-to-the-ssl-certificate-verification-setting-in-jamf-pro-9-98-or-later
https://www.jamf.com/blog/enhancements-to-certificate-security-for-mdm-enrollment/


allanp81
Valued Contributor

We've done this on our dev and prod environments (moved from a self-signed cert to an institution wildcard cert) and didn't encounter any issues.

jonkru
New Contributor

Thanks for the response! So, you changed this in prod and all the devices called back just fine after swapping the cert?

Any weird or additional steps you encountered?

Sincere thanks!

allanp81
Valued Contributor

@jonkru all devices just picked up the change as far as I can tell.

The only issue I had certificate-wise was when I upgraded our dev environment from Jamf Pro 10.something to 10.3.0: for some reason it reverted back to the self-signed certificate, so I had to reapply our wildcard certificate. I didn't have this issue upgrading our production environment from 9.98 to 104.1 though.