HTTPS downloads / IIS and Server certificates

bbot
Contributor

I inherited our jamf/jss management and wasn't here for the provisioning.

Our server certificate in IIS that enables https downloads in Jamf is expiring next month. I see there's a Renew... option, but I'm not sure how to renew it. (options include renew an existing cert, create a renewal cert, or complete cert renewal).

Clicking renew an existing asks for an online certification authority -- where do I find this?

I'm assuming once I renew it, I'll also need to update the configuration profile to push out the new cert?

1 ACCEPTED SOLUTION

Aziz
Valued Contributor

Ah, that makes sense @bbot. They used the JSS Built-In Certificate Authority in IIS because Casper managed machines already trust it.

Go to the JSS > Global Management > PKI > Download CA Certificate.

Import that certificate into IIS.


10 REPLIES

Aziz
Valued Contributor

Is this a 3rd party certificate, internally generated certificate or an IIS self-signed certificate?

We use a 3rd party wildcard for IIS. When we're updating the SSL, we just import the new certificate, make the changes needed for HTTPS binding and remove the old SSL.

Example of the HTTPS binding with an SSL certificate:


bbot
Contributor

@Abdiaziz I'm not 100% sure. It is not issued by our CA. I wasn't here when all of this was set up.

The cert is issued by "JSS Built-In Certificate Authority"

bbot
Contributor

Not sure if this is also related, but in Settings >> System Settings >> Apache Tomcat settings >> the SSL cert is also expiring on the same day.

Sounds like I'll need to update this cert...but I need to find out how to reissue certs from the "JSS Built In Certificate Authority"

Aziz
Valued Contributor

@bbot Which certificate is expiring? The JSS, IIS or both?

bbot
Contributor

Both. I was able to renew the JSS cert by going through the Apache Tomcat settings in the JSS.

Still trying to figure out how to renew the server in IIS that relates to https downloads. @Abdiaziz

Aziz
Valued Contributor

@bbot

  1. Open IIS.
  2. Go to SERVERNAME (DOMAINUSERNAME).
  3. Go to "Server Certificates"
  4. Select any option on the right hand side (see screenshot).
    • If it's a third party SSL certificate, click on import.
  5. Go to "Default Web Site".
  6. On the right hand side, click on "Bindings" (see screenshot).
  7. Edit your HTTPS binding and select your new SSL certificate.

Screenshot of SSL Actions (right hand side):


Screenshot of Bindings (right hand side):


bbot
Contributor

Thanks. I'm following everything except step #4 -- generating the actual cert. It doesn't appear to be a third party cert as it says it was issued by "LendingClub JSS Built-in certificate authority".

My cert right now says it is issued by "LendingClub JSS Built-in Certificate Authority"
If I select the option for create self-signed cert, it is issued by "nvacasperweb01"
If I select create domain cert, it asks to specify the online cert authority

Selecting renew an existing also asks for the online cert authority.

Aziz
Valued Contributor

Ah, that makes sense @bbot. They used the JSS Built-In Certificate Authority in IIS because Casper managed machines already trust it.

Go to the JSS > Global Management > PKI > Download CA Certificate.

Import that certificate into IIS.

bbot
Contributor

@Abdiaziz I was able to download the CA cert from the PKI section, which downloads a .pem file. When comparing the two certs, the Issued By is the same. But the Issued To is different.

The one downloaded from the PKI is issued to "Lending Club JSS Built-In Certificate Authority"
The one currently in IIS is issued to "nameofmyserver.corp.com"

Looks like importing into IIS requires a .pfx. I tried changing the extension to .pfx, but it says it does not contain a private key.

bbot
Contributor

I think I figured it out. I created a certificate request from IIS, then in PKI, did create certificate request from CSR.

Went back into IIS and completed certificate request.

Need to test and make sure this works. Thanks so much for your help!

EDIT ---
Confirmed working. I had to do the CSR from IIS, then complete it in PKI settings in the JSS. Thanks for your help!
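
The CSR-based renewal that resolved this thread, scripted with `certreq.exe` as an added example (not posted by anyone in the thread). It shows why the renamed .pem could not work: the private key is generated on the IIS server and only the request goes to the JSS PKI. Assumptions: the function names, `C:\certwork`, and the file names are hypothetical, the signed certificate from the JSS is saved as `signed.cer`, and the server already trusts the JSS built-in CA.

```powershell
# Added example, not from the thread. Dot-source this file, run New-IisCsr,
# sign request.csr in the JSS PKI settings, save the result as signed.cer,
# then run Complete-IisCsr.
param(
    [string]$Fqdn    = 'nameofmyserver.corp.com',   # subject name as shown in the thread
    [string]$WorkDir = 'C:\certwork'                # hypothetical working folder
)

function New-IisCsr {
    # Generates the key pair in the machine store and writes a PKCS#10 request.
    # The private key never leaves this server; only the .csr goes to the CA.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
HashAlgorithm = SHA256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn"
"@ | Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII
    # The SAN above is only requested; whether it is copied is up to the signing CA.
    certreq.exe -new "$WorkDir\request.inf" "$WorkDir\request.csr"
}

function Complete-IisCsr {
    # Pairs the signed certificate with the pending private key, then lists
    # the fields to check before selecting it in the HTTPS binding.
    certreq.exe -accept -machine "$WorkDir\signed.cer"
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending |
        Select-Object Thumbprint, Issuer, NotAfter, HasPrivateKey
}
```

The newest entry should show `HasPrivateKey` as True and the JSS CA as issuer; that is the certificate to pick when editing the HTTPS binding in step 7 above.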