JDS enrollment to JSS with self-signed certificate

andyinindy
Contributor II

Is it possible to enroll a JDS into a JSS that has a self-signed certificate (generated by the JSS itself)? We are testing 9.0 and this does not seem to be possible.

Thanks,

-Andy

4 REPLIES

eric_hutter
New Contributor

Hey Andy

A JDS cannot be enrolled to a JSS with a self-signed certificate; there's a specific check for it during enrollment. It's not supported for a variety of reasons.

However, a JDS can be enrolled to a JSS with a server certificate issued from the internal CA. Since that JSS CA won't be trusted by default on the JDS server, there is an option in the installers that says 'Allow untrusted SSL certificate'. This applies only to the enrollment process, and during all other communication trust will be established normally.

Hope that helps!

Eric

andyinindy
Contributor II

OK, so we generated our certificate using the internal CA on the JSS, but we still get the error about the certificate being self-signed. We are choosing to allow the untrusted SSL cert during installation of the JDS.

Any idea why the JDS would think that the cert is self-signed? I have tried recreating the cert on the JSS, restarting tomcat, etc.

Thanks,

--Andy

eric_hutter
New Contributor

Hmm that's strange. What do you get if you run 'openssl s_client -connect jss.mycompany.com:8443'?

For example, hitting my development JSS I get:
CONNECTED(00000003)
depth=1 /CN=Blue Sun Corp. JSS Built-in Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=MN/L=Minneapolis/O=JAMF Software/OU=JSS/CN=foolbard.local
   i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
 1 s:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
   i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
---
Server certificate
subject=/C=US/ST=MN/L=Minneapolis/O=JAMF Software/OU=JSS/CN=foolbard.local
issuer=/CN=Blue Sun Corp. JSS Built-in Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2670 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 5229F29493A768FF9A02970A230339ED40C0DDF1B997AF12FD0440304DA7CDA4
    Session-ID-ctx:
    Master-Key: 08760966E9C6F09630B69B15D91B88684320E4F62EB1CD3CA76AD50DB718151F283810B686CF26E5C79ED767A2B371AF
    Key-Arg   : None
    Start Time: 1378480787
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Here we see that we're getting an error about a self signed certificate. But that's the CA certificate it's complaining about.

I can tell that the server certificate is not self-signed because the subject and issuer are different. If it was self signed it would look something like:
subject=/CN=foolbard.local
issuer=/CN=foolbard.local

and I suspect there would be a different error message.
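
Added example (not part of the original thread and not JAMF's code): the subject/issuer comparison from the reply above, applied to saved `openssl s_client` output. The sample outputs are constructed and the names `parse_chain` and `classify` are illustrative; OpenSSL reports verify code 18 for a self-signed leaf and 19 for a self-signed certificate further up the chain.

```python
import re

# Constructed sample, modelled on the s_client output quoted in the thread.
CA_ISSUED = """\
Certificate chain
 0 s:/C=US/ST=MN/L=Minneapolis/O=JAMF Software/OU=JSS/CN=foolbard.local
   i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
 1 s:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
   i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed sample: a server certificate that really is self-signed.
SELF_SIGNED = """\
Certificate chain
 0 s:/CN=foolbard.local
   i:/CN=foolbard.local
---
    Verify return code: 18 (self signed certificate)
"""

CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.+?)\s*\n\s*i:(.+?)\s*$", re.MULTILINE)
CODE_RE = re.compile(r"Verify return code:\s*(\d+)")


def parse_chain(text):
    """Return {depth: (subject, issuer)} from the 'Certificate chain' block."""
    return {int(d): (s, i) for d, s, i in CHAIN_RE.findall(text)}


def classify(text):
    """Name-based check only: compares subject and issuer strings, no signature check."""
    chain = parse_chain(text)
    m = CODE_RE.search(text)
    code = int(m.group(1)) if m else None
    if 0 not in chain:
        return ("no-chain", code)
    subject, issuer = chain[0]
    if subject == issuer:
        return ("self-signed-leaf", code)            # OpenSSL verify code 18
    top_subject, top_issuer = chain[max(chain)]
    if top_subject == top_issuer:
        return ("ca-issued-self-signed-root", code)  # OpenSSL verify code 19
    return ("ca-issued", code)


if __name__ == "__main__":
    for name, sample in (("CA_ISSUED", CA_ISSUED), ("SELF_SIGNED", SELF_SIGNED)):
        print(name, classify(sample))
```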

andyinindy
Contributor II

Thanks for this info, Eric.

We were actually able to sort this out by correcting the IP address that tomcat was grabbing during startup. Somehow this was set to the IP of our other JSS, which caused all sorts of weirdness (like the GUI refusing to show any certificate info after creating the cert via the built-in CA).

Anyway, on to other issues, such as migrating our distribution point to a JDS!