Hello, all.
We currently have 1 JSS running on a single internal server with the hostname casper.companyint.net.
I’ve added a second server to the DMZ that external clients can talk to.
We provisioned split-DNS to the hostname casper.company.net.
When we switch the URL over in PROD, I know the clients will automatically change to the new URL.
Unfortunately, the JSS self-signed Apache SSL certificate will need to be re-generated. It will then have the new casper.company.net host in the CN and subject-alt fields.
That means: when the machines who haven’t checked in yet try to check-in to the old server after I regenerate the Apache certificate, they will get an SSL untrusted error.
They would then need manual intervention to re-enroll them.
My solution for this is to have Apache instead use a self-signed certificate that has casper.company.net as the CN and casper.company.net and casper.companyint.net as the subject-alt names.
That way all the new and old clients can check in and switch over properly.
I was able to generate a .csr file that contains multiple SAN DNS entries using this documentation with OpenSSL: https://geekflare.com/san-ssl-certificate/
My issue is, when I submit this to the JSS in the PKI section, it spits out a .cer that only contains the SAN for the current JSS URL.
Am I going about this wrong? What is the best practice for this in a migration?
Ideally I would like to use the same SSL certificate with all the SAN entries for both JSS servers for IIS distribution and for Apache Tomcat.
P.S. I also know that we will need to switch out the MDM profiles with the new names a la this thread:
https://www.jamf.com/jamf-nation/discussions/14503/next-steps-after-changing-jss-url
Thanks for the assistance!
-Bruce
