Posted on 03-02-2016 11:48 AM
I inherited our Jamf/JSS management and wasn't here for the provisioning.
Our server certificate in IIS that enables https downloads in Jamf is expiring next month. I see there's a Renew... option, but I'm not sure how to renew it. (options include renew an existing cert, create a renewal cert, or complete cert renewal).
Clicking renew an existing asks for an online certification authority -- where do I find this?
I'm assuming once I renew it, I'll also need to update the configuration profile to push out the new cert?
Posted on 03-02-2016 11:55 AM
Is this a 3rd party certificate, internally generated certificate or an IIS self-signed certificate?
We use a 3rd party wildcard for IIS. When we're updating the SSL, we just import the new certificate, make the changes needed for HTTPS binding and remove the old SSL.
Example of the HTTPS binding with an SSL certificate:
Posted on 03-02-2016 12:51 PM
@Abdiaziz I'm not 100% sure. It is not issued by our CA. I wasn't here when all of this was set up.
The cert is issued by "JSS Built-In Certificate Authority"
Posted on 03-02-2016 01:26 PM
Not sure if this is also related, but in Settings >> System Settings >> Apache Tomcat settings >> the SSL cert is also expiring on the same day.
Sounds like I'll need to update this cert...but I need to find out how to reissue certs from the "JSS Built In Certificate Authority"
Posted on 03-03-2016 06:41 AM
@bbot Which certificate is expiring? The JSS, IIS or both?
Posted on 03-03-2016 09:14 AM
Both. I was able to renew the JSS cert by going through the Apache Tomcat settings in the JSS.
Still trying to figure out how to renew the server in IIS that relates to https downloads. @Abdiaziz
Posted on 03-03-2016 09:33 AM
Screenshot of SSL Actions (right hand side):
Screenshot of Bindings (right hand side):
Posted on 03-03-2016 09:43 AM
Thanks. I'm following everything except step #4 -- generating the actual cert. It doesn't appear to be a third party cert as it says it was issued by "LendingClub JJSS Built-in certificate authority"
My cert right now says it is issued by "LendingClub JSS Built-in Certificate Authority"
If I select the option for create self-signed cert, it is issued by "nvacasperweb01"
If I select create domain cert, it asks to specify the online cert authority
Selecting renew an existing also asks for the online cert authority.
Posted on 03-03-2016 09:53 AM
Ah, that makes sense @bbot. They used the JSS Built-in Certificate Authority in IIS because Casper managed machines already trust it.
Go to the JSS > Global Management > PKI > Download CA Certificate.
Import that certificate into IIS.
Posted on 03-03-2016 10:17 AM
@Abdiaziz I was able to download the CA cert from the PKI section, which downloads a .pem file. When comparing the two certs, the Issued By is the same. But the issued to is different.
The one downloaded from the PKI is issued to "Lending Club JJSS Built-In Certificate Authority"
The one currently in IIS is issued to "nameofmyserver.corp.com"
Looks like importing into IIS requires a .pfx. I tried changing the extension to .pfx, but it says it does not contain a private key.
Posted on 03-03-2016 10:27 AM
I think I figured it out. I created a certificate request from IIS, then in PKI, did create certificate request from CSR.
Went back into IIS and completed certificate request.
Need to test and make sure this works. Thanks so much for your help!
EDIT ---
Confirmed working. I had to do the CSR from IIS, then complete it in PKI settings in the JSS. Thanks for your help!
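Added example, not part of the original thread: a command-line equivalent of the CSR flow that resolved it, using the built-in `certreq` tool instead of the IIS Manager wizard. It shows why the downloaded CA `.pem` could not be imported as a `.pfx`: the private key is generated on the web server and only the signed certificate comes back. The host name, folder and file names are placeholders, and it assumes the JSS CA certificate is already in the server's trusted roots.

```powershell
# Placeholders: use your server's FQDN and a scratch folder.
$fqdn    = 'nameofmyserver.corp.com'
$workDir = 'C:\certwork'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Describe the request. The key pair is created in the machine store
#    and marked non-exportable, so it never leaves this server.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request (same as "Create Certificate Request" in IIS).
certreq -new "$workDir\request.inf" "$workDir\request.csr"

# 3. Manual step: in the JSS PKI settings, create a certificate from request.csr
#    and save the signed certificate as signed.cer in the work folder.
Read-Host "Sign $workDir\request.csr in the JSS, save it as $workDir\signed.cer, then press Enter"

# 4. Pair the signed certificate with the pending private key
#    (same as "Complete Certificate Request" in IIS).
certreq -accept -machine "$workDir\signed.cer"

# 5. Confirm issuer, new expiry date and that the private key is attached
#    before changing the HTTPS binding.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" } |
    Sort-Object NotAfter -Descending |
    Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```

The HTTPS binding still has to be switched to the new certificate in IIS Manager, and the old certificate removed, as described earlier in the thread.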