Is it possible to enroll a JDS into a JSS that has a self-signed certificate (generated by the JSS itself)? We are testing 9.0 and this does not seem to be possible.
A JDS cannot be enrolled to a JSS with a self-signed certificate; there's a specific check for it during enrollment. It's not supported for a variety of reasons.
However, a JDS can be enrolled to a JSS with a server certificate issued from the internal CA. Since that JSS CA won't be trusted by default on the JDS server, there is an option in the installers that says 'Allow untrusted SSL certificate'. This applies only to the enrollment process, and during all other communication trust will be established normally.
Hope that helps!
OK, so we generated our certificate using the internal CA on the JSS, but we still get the error about the certificate being self-signed. We are choosing to allow the untrusted SSL cert during installation of the JDS.
Any idea why the JDS would think that the cert is self-signed? I have tried recreating the cert on the JSS, restarting tomcat, etc.
Hmm that's strange. What do you get if you run 'openssl s_client -connect jss.mycompany.com:8443'?
For example, hitting my development JSS I get:
depth=1 /CN=Blue Sun Corp. JSS Built-in Certificate Authority
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:/C=US/ST=MN/L=Minneapolis/O=JAMF Software/OU=JSS/CN=foolbard.local
   i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
 1 s:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
   i:/CN=Blue Sun Corp. JSS Built-in Certificate Authority
issuer=/CN=Blue Sun Corp. JSS Built-in Certificate Authority
No client certificate CA names sent
SSL handshake has read 2670 bytes and written 288 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 5229F29493A768FF9A02970A230339ED40C0DDF1B997AF12FD0440304DA7CDA4
    Session-ID-ctx:
    Master-Key: 08760966E9C6F09630B69B15D91B88684320E4F62EB1CD3CA76AD50DB718151F283810B686CF26E5C79ED767A2B371AF
    Key-Arg   : None
    Start Time: 1378480787
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
Here we see that we're getting an error about a self-signed certificate. But that's the CA certificate it's complaining about.
I can tell that the server certificate is not self-signed because the subject and issuer are different. If it were self-signed it would look something like:
and I suspect there would be a different error message.
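The subject-versus-issuer check described above, together with the chain verification a JDS has to perform once it trusts the JSS CA, worked through as an added example that is not part of the original thread. It uses the openssl CLI to mint a throwaway CA (the name "Example JSS Built-in Certificate Authority" and the hostname jss.example.com are assumptions), a server certificate issued by that CA, and a genuinely self-signed server certificate, then compares them offline. The last function runs the same check against a live host and is the only part that needs network access, so it is defined but not called.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires the openssl CLI.
# Builds three certificates in a temp dir so the check can be run offline:
#   ca.pem   - a throwaway CA named like the JSS built-in CA (assumed name)
#   srv.pem  - a server cert issued by that CA (subject != issuer)
#   self.pem - a genuinely self-signed server cert (subject == issuer)
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example JSS Built-in Certificate Authority" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=jss.example.com" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jss.example.com" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# is_self_signed CERT.pem -> prints "self-signed" or "ca-issued".
# The test from the thread: a self-signed certificate has identical
# subject and issuer; one issued by a CA does not.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  subj=${subj#subject=}
  iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# verify_with_ca CA.pem CERT.pem -> "OK" if CERT chains to CA, else "FAIL".
# This is the trust decision the JDS makes once it has the JSS CA; without
# the CA in its store, verification fails the way s_client did above.
verify_with_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo "OK"; else echo "FAIL"; fi
}

# check_server HOST:PORT -> prints subject and issuer of a live server's
# leaf certificate. Needs network access, so it is not called here;
# e.g. check_server jss.mycompany.com:8443
check_server() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

make_certs
for c in ca srv self; do
  printf '%-9s %s\n' "$c.pem" "$(is_self_signed "$WORK/$c.pem")"
done
echo "srv.pem chains to ca.pem:  $(verify_with_ca "$WORK/ca.pem" "$WORK/srv.pem")"
echo "self.pem chains to ca.pem: $(verify_with_ca "$WORK/ca.pem" "$WORK/self.pem")"
```

Note that the CA certificate itself is self-signed by definition, which is exactly what s_client's "self signed certificate in certificate chain" at depth 1 is reporting; the question for the enrollment check is whether the leaf (depth 0) is self-signed, and that is what the subject/issuer comparison answers.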
Thanks for this info, Eric.
We were actually able to sort this out by correcting the IP address that tomcat was grabbing during startup. Somehow this was set to the IP of our other JSS, which caused all sorts of weirdness (like the GUI refusing to show any certificate info after creating the cert via the built-in CA).
Anyway, on to other issues, such as migrating our distribution point to a JDS!