How to update JSS Built in CA?

Poseiden951
Contributor

Hello everyone,

Currently testing moving my JSS to a new box with a new DNS, and I would like to update the built-in CA.

Old JSS: jss.domain.extra.com:8443
New JSS: casper.domain.com:8443

Tomcat has been updated to reflect casper.domain.com

I currently have the new JSS running (testing it) and when I go to Global Management > PKI > Built in CA > Download CA Certificate I get the old CA (jss.domain.extra.com).

How can I update that? I searched around on Jamf Nation and found no solutions. Thanks!


5 REPLIES

kitzy
Contributor III

The short answer is, you wouldn't really want to do this. Changing the CA would invalidate all of the certificates it's issued, breaking the trust between enrolled machines and the JSS.

When moving a JSS to a new box, with a new DNS name, I'd recommend starting with a fresh database.
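kitzy's point about issued certificates, reproduced with throwaway CAs generated locally (an added example, not from the thread or from Jamf): a device certificate signed by the old built-in CA verifies against that CA but not against a replacement CA, and the subject/fingerprint check is how to tell which CA a downloaded certificate actually is. Assumes `openssl` on PATH; the CA names and device CN are stand-ins modelled on the hostnames in the post.

```shell
#!/bin/sh
# Constructed demo: two local self-signed CAs stand in for the old and new
# JSS built-in CA; a device cert issued by the old one is checked against both.
set -eu
WORK="$(mktemp -d)"

# make_ca NAME CN : self-signed CA cert + key (default config marks it CA:TRUE)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_device_cert CA_NAME DEVICE_CN : device cert signed by that CA
issue_device_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" \
    -out "$WORK/device.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/device.pem" >/dev/null 2>&1
}

# verify_device_against CA_NAME : exit 0 only if the device cert chains to it
verify_device_against() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/device.pem" >/dev/null 2>&1
}

# ca_subject / ca_fingerprint NAME : what to compare on a downloaded CA cert
ca_subject() { openssl x509 -in "$WORK/$1.pem" -noout -subject; }
ca_fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

make_ca old "JSS Built-in CA jss.domain.extra.com"   # constructed name
make_ca new "JSS Built-in CA casper.domain.com"      # constructed name
issue_device_cert old "mac-0001"                      # constructed device CN

# Old CA: trusted. New CA: the same device cert no longer chains to anything.
if verify_device_against old; then echo "old CA: device cert OK"; fi
if ! verify_device_against new; then echo "new CA: device cert NOT trusted"; fi
ca_subject old; ca_subject new
```

Run it and the two subject lines show which CA each certificate belongs to; the fingerprints differ, which is the quick way to tell whether the CA the JSS hands out is the one your enrolled devices were issued from.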

Poseiden951
Contributor

@kitzy

Breaking the trust would be fine and I really don't want to start a new database. Are there any guides on how to create a new CA?

kitzy
Contributor III

When you say breaking the trust would be fine, you do realize that would mean that devices would stop communicating with your JSS, right? Unless you're planning to re-image / re-enroll all of your devices after the change anyway, I would still highly advise against this.

I haven't seen anything posted publicly on how to reset the CA, I'm guessing because it has the opportunity to be so destructive. Have you tried opening a case with your TAM? They can probably help you with this.

Poseiden951 (accepted solution)
Contributor

@kitzy

I'm 100% aware of the consequences. But, I'll just keep our old DNS and save myself the trouble.

franton
Valued Contributor III

@kitzy Actually, for a project I'm working on (personal), I'd be interested in how to do this. My own use case is a JSS that doesn't actually have any computers enrolled into it.