JDS enrollment to JSS with self-signed certificate

andyinindy
Contributor II

Is it possible to enroll a JDS into a JSS that has a self-signed certificate (generated by the JSS itself)? We are testing 9.0 and this does not seem to be possible.

Thanks,

-Andy

4 REPLIES 4

eric_hutter
New Contributor
New Contributor

Hey Andy

A JDS cannot be enroll to a JSS with a self-signed certificate, there's a specific check for it during enrollment. It's not supported for a variety of reasons.

However, a JDS can be enrolled to a JSS with a server certificate issued from the internal CA. Since that JSS CA won't be trusted by default on the JDS server, there is an option in the installers that says 'Allow untrusted SSL certificate'. This applies only to the enrollment process, and during all other communication trust will be established normally.

Hope that helps!

Eric

andyinindy
Contributor II

OK, so we generated our certificate using the internal CA on the JSS, but we still get the error about the certificate being self-signed. We are choosing to allow the untrusted SSL cert during installation of the JDS.

Any idea why the JDS would think that the cert is self-signed? I have tried recreating the cert on the JSS, restarting tomcat, etc.

Thanks,

--Andy

eric_hutter
New Contributor
New Contributor

Hmm that's strange. What do you get if you run 'openssl s_client -connect jss.mycompany.com:8443'?

For example, hitting my development JSS i get:
CONNECTED(00000003)
depth=1 /CN=Blue Sun Corp. JSS Built-in Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain 0 s:/C=US/ST=MN/L=Minneapolis/O=JAMF Software/OU=JSS/CN=foolbard.local i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority 1 s:/CN=Blue Sun Corp. JSS Built-in Certificate Authority i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7TCCAtWgAwIBAgIGAUA1mrAtMA0GCSqGSIb3DQEBCwUAMDwxOjA4BgNVBAMT
MUJsdWUgU3VuIENvcnAuIEpTUyBCdWlsdC1pbiBDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHhcNMTMwNzMwMTY0MTA0WhcNMTQwNzMxMTY0MTA0WjBvMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCTU4xFDASBgNVBAcTC01pbm5lYXBvbGlzMRYwFAYDVQQKEw1K
QU1GIFNvZnR3YXJlMQwwCgYDVQQLEwNKU1MxFzAVBgNVBAMTDmZvb2xiYXJkLmxv
Y2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoNt/JLc+xwR1W+it
leYM5hRugjep11N7whBVcDL7Yq6L7h1ozVu95zM8t4UnMtsXWX+6DohCEHv4USth
UPsrkCsdQREG+dcXWtCNlKDwUi1TLKw94c4TX6QsRtqTxKKs7Eu5Sz5Qj9gggHIb
BAaCtcbViHXnhu1BBhy0hxYZg1pRqJJOmnPaSmCp+dSDr+fnBNglamxCi6IUzJNA
3bpf6RQrqRl7Qi1BstZyHQ1YcYNZ8jsafzbb9bIIgAJo1BEfXqJrw4oEhSGC3xBp
lm9VzJp2tXz4fCNEW8+GbY3TZ1fB5jzkW40f/BZh/W3JLybeVhn3eXbR5nsttLbM
a4/0lQIDAQABo4HBMIG+MB0GA1UdDgQWBBTa0IVU30k/8uPB8EYckvI/QRrLszAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMAwG
A1UdEwEB/wQCMAAwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cHM6Ly9mb29sYmFyZC5s
b2NhbDo4NDQzLy9DQS9KQU1GQ1JMU2VydmxldDAfBgNVHSMEGDAWgBTAXuNMveRs
Q1aDexT6xKeubyrwSTANBgkqhkiG9w0BAQsFAAOCAQEAOTYd6Bcd3uYNZPXkX3T4
rRwkGLmDyWXC9ulFtNRpf9ChF8D88j05DOnvEHokPTaugB7K9R9+i5cozlruK3Gz
Zrn/Z9imRpPRHWUBK9OycgF6oxnnGcz4SczUe7XA4DHSJJyHKgVVnY4zv2W97p5D
obzLFr9H4QcqGbY4pEDesRjRK3maqvqZeOYlMgK3c21GjQRA6yDu0OfWFSw+cu+u
TEh+wTHUfspWn1ZRGfZwSiJSrkY091ZjM/LGR3p4DrS2ENEp1sidJvAYzLxEB4iG
AkuXcsf57Q2YcYh9HD0YupvhJjo9Ule93hfUGBY3A/BE7G7seKGce4rmzowC1NuY
Ug==
-----END CERTIFICATE-----
subject=/C=US/ST=MN/L=Minneapolis/O=JAMF Software/OU=JSS/CN=foolbard.local
issuer=/CN=Blue Sun Corp. JSS Built-in Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2670 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: 5229F29493A768FF9A02970A230339ED40C0DDF1B997AF12FD0440304DA7CDA4 Session-ID-ctx: Master-Key: 08760966E9C6F09630B69B15D91B88684320E4F62EB1CD3CA76AD50DB718151F283810B686CF26E5C79ED767A2B371AF Key-Arg : None Start Time: 1378480787 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain)
---

Here we see that we're getting an error about a self signed certificate. But that's the CA certificate it's complaining about.

I can tell that the server certificate is not self-signed because the subject and issuer are different. If it was self signed it would look something like:
subject=/CN=foolbard.local
issuer=/CN=foolbard.local

and I suspect there would be a different error message.

andyinindy
Contributor II

Thanks for this info, Eric.

We were actually able to sort this out by correcting the IP address that tomcat was grabbing during startup. Somehow this was set to the IP of our other JSS, which caused all sorts of weirdness (like the GUI refusing to show any certificate info after creating the cert via the built-in CA).

Anyway, on to other issues, such as migrating our distribution point to a JDS!