Generating an SSL certificate that has appropriate SANs for JSS URL Migration

guidotti
Contributor II

Hello, all.

We currently have 1 JSS running on a single internal server with the hostname casper.companyint.net.
I’ve added a second server to the DMZ that external clients can talk to.
We provisioned split-DNS to the hostname casper.company.net.
When we switch the URL over in PROD, I know the clients will automatically change to the new URL.
Unfortunately, the JSS self-signed Apache SSL certificate will need to be re-generated. It will then have the new casper.company.net host in the CN and subject-alt fields.
That means: when the machines that haven’t checked in yet try to check in to the old server after I regenerate the Apache certificate, they will get an SSL untrusted error.
They would then need manual intervention to re-enroll them.

My solution for this is to have Apache instead use a self-signed certificate that has casper.company.net as the CN and casper.company.net and casper.companyint.net as the subject-alt names.
That way all the new and old clients can check in and switch over properly.

I was able to generate a .csr file that contains multiple SAN DNS entries using this documentation with OpenSSL: https://geekflare.com/san-ssl-certificate/

My issue is, when I submit this to the JSS in the PKI section, it spits out a .cer that only contains the SAN for the current JSS URL.
Am I going about this wrong? What is the best practice for this in a migration?
Ideally I would like to use the same SSL certificate with all the SAN entries for both JSS servers for IIS distribution and for Apache Tomcat.

P.S. I also know that we will need to switch out the MDM profiles with the new names a la this thread:
https://www.jamf.com/jamf-nation/discussions/14503/next-steps-after-changing-jss-url

Thanks for the assistance!
-Bruce


guidotti
Contributor II

Update: I was able to generate the proper CSR for this with all the SAN fields I needed. Then we were able to get it issued from our internal PKI. Once I did that, I was able to use it for IIS and for Apache. Hooray!

RushAdmin
New Contributor

Any documentation you can share on how you did this? Assuming standard openssl commands?
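As an added worked example (not the original poster's own commands and not part of this thread), the following POSIX shell script shows the standard OpenSSL flow for a multi-SAN CSR: it writes a request config with a `subjectAltName` extension, generates a key and CSR from it, and then inspects the CSR to confirm every DNS name actually made it in before the request is handed to the internal PKI. The hostnames are the ones from the thread; the organisation name `Example Company` and the output path are placeholders.

```shell
#!/bin/sh
# Added example: build an OpenSSL request config carrying a subjectAltName
# extension, generate a key + CSR from it, and verify the CSR lists every
# DNS SAN before submitting it to a CA. Org name below is a placeholder.

# Print an OpenSSL req config whose CN is $1 and whose DNS SANs are $1..$n.
make_san_config() {
    cn="$1"
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $cn
O = Example Company

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# Generate a 2048-bit RSA key and CSR as $1.key / $1.csr for the names $2..$n.
generate_csr() {
    base="$1"; shift
    make_san_config "$@" > "$base.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$base.key" -out "$base.csr" -config "$base.cnf"
}

# Return 0 only if the CSR at $1 lists every name in $2..$n as a DNS SAN.
# This is the check worth running before the CSR leaves your hands: a CA that
# ignores requested extensions will hand back a cert with only one name.
check_csr_sans() {
    csr="$1"; shift
    sans=$(openssl req -in "$csr" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}')
    for name in "$@"; do
        case "$sans" in
            *"DNS:$name,"*|*"DNS:$name") ;;
            *) echo "missing SAN: $name" >&2; return 1 ;;
        esac
    done
    echo "all SANs present:$sans"
}

# Usage: ./san_csr.sh /tmp/jss casper.company.net casper.companyint.net
if [ "$#" -ge 2 ]; then
    base="$1"; shift
    generate_csr "$base" "$@" && check_csr_sans "$base.csr" "$@"
fi
```

The first hostname doubles as the CN and as `DNS.1`, matching the layout described in the opening post (new name in the CN, both old and new names as SANs). After the CA issues the certificate, run the same `openssl x509 -in issued.cer -noout -text` style inspection on the returned file: the SAN list in the CSR is only a request, and the issued certificate is what clients will actually validate against.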