Is it safe to change/replace the Tomcat SSL certificate on Jamf Pro?

hansjoerg_watzl
Contributor II

Hi
We're using a Jamf Pro 10.21.0 on-premise server on a Windows 2016 server.
After a failed Jamf Pro update, we had to uninstall JSS, reinstall Jamf Pro from scratch, and then restore the existing DB, which succeeded.

Unfortunately we forgot to import our existing SSL certificate, and now it's configured with a default localhost self-signed SSL certificate, which gives us some issues.

Is it possible to replace this self-signed SSL certificate with our previous SSL certificate (import in the JSS GUI) without affecting our existing enrolled devices? (Enrollment status should be retained!)

I guess only the MDM-Profile certificate is critical, but not the SSL certificate, correct?

3 REPLIES

alexjdale
Valued Contributor III

Correct, you can swap out the Tomcat SSL certificate at any time without affecting your enrolled devices, as long as they trust it.

hansjoerg_watzl
Contributor II

Thanks @alexjdale, will try it today.

I'm asking because more than half a year ago we had some really weird connectivity issues to our Jamf server. We then tried a lot of things, and one thing was unfortunately one thing too much! We broke the enrollment state of all of our already enrolled Mac devices (User Approved MDM), and this can't be fixed automatically; users had to manually approve the MDM profile again. (Some users even lost the MDM profile completely and had to re-enroll the device.)

This was really a pain in the a... and I don't want to see this again. But I still don't know what I changed/reset when we had this issue. I remember it was something I normally would never do with a running Jamf Pro server... but we were really desperate... :-(

alexjdale
Valued Contributor III

Right, you do need to stay on top of your APNs cert renewal for example, since letting that expire will mean you have to re-enroll everything. The SSL cert is just used to encrypt communications on a per-connection basis. You could have different SSL certs on each Tomcat server.
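An added check, not from the posters above, for verifying what a Jamf Pro Tomcat listener actually presents before and after swapping the certificate: whether it is still the default self-signed localhost certificate, and whether it is close to expiry. It assumes `openssl` is installed, that `JAMF_HOST` is set to the server's hostname, and that the listener is on 8443 (the default Tomcat port for an on-premise Jamf Pro); all three are assumptions, not values from this thread.

```shell
#!/bin/sh
# Inspect the TLS certificate a Jamf Pro Tomcat listener presents.
# Assumptions: openssl is available; JAMF_HOST / JAMF_PORT are placeholders.

# fetch_server_cert HOST PORT -> prints the leaf certificate as PEM
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# cert_cn PEMFILE -> prints the subject CN (e.g. "localhost" for the default cert)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_is_self_signed PEMFILE -> returns 0 when issuer equals subject
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_expires_within PEMFILE DAYS -> returns 0 when notAfter falls inside DAYS
# (openssl -checkend returns 0 only if the cert will NOT expire in that window)
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Report on the live listener; skipped unless JAMF_HOST is set.
if [ -n "${JAMF_HOST:-}" ]; then
    pem=$(mktemp)
    fetch_server_cert "$JAMF_HOST" "${JAMF_PORT:-8443}" >"$pem"
    echo "subject CN: $(cert_cn "$pem")"
    if cert_is_self_signed "$pem"; then
        echo "WARNING: self-signed certificate in place; enrolled devices will not trust it"
    fi
    if cert_expires_within "$pem" 30; then
        echo "WARNING: certificate expires within 30 days"
    fi
    rm -f "$pem"
fi
```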