JSS Signing Certificate Expired: Sunday, January 1, 2017


Hello, I'm having an odd issue that I have no idea how to fix.

Our JSS is set up in a clustered environment, behind a load balancer (Pound). SSL decryption takes place on the load balancer, so when I originally built it, so the private key and web certificate from the built-in JSS CA are location on the LB. The 1-year certificate expired today, but I can't generate a new one that works. Using the original private key, I generate a new CSR, and then use the "Generate new certificate from CSR" button in the PKI tab of the JSS to upload the CSR and download a new web certificate. I install this on the the load balancer, restart services, and can now enroll a test machine successfully.

But, when I look at the MDM profile on the client machine, it's unverified because the "JSS Root certificate authority" is valid until 2021, but the JSS Signing Certificate says it expired on January 1st of this year.

Has anyone seen anything like this before, or have any advice? I'm open to suggestions. And if it matters, the "Apache Tomcat Settings" tab in the JSS is completely blank and greyed out, since all the SSL stuff takes place upstream at the LB


Contributor II

I know we used to use one named "Organization Name Here JSS Signing Certificate". When it expired, the JSS installed installed one named "JSS Built-in Signing Certificate."

You may think, "So?" The problem is that all devices, both iOS and macOS, show configuration profiles that were signed by the organization one now being listed as Unverified. All new configuration profiles are being verified by the JSS Built-in certificate.

Took me a bit of time to get my head around this one. Still very annoying, freaked out some of my field analysts. All because Jamf decided to name the certificate differently.

The only fix I can think of would be to remove all the profiles and have them re-install... ya, not going to do that.


Ok, I'm realizing this might be two separate things. I just put a public cert from Comodo on the LB, and my test machine enrolled successfully, since the cert is no longer expired. But my MDM profile on the test machine is still unverified, since the "JSS Signing Certificate", issued by the "JSS Built-in Certificate Authority", expired on January 1st still .

I got mixed up there for a bit and confused the web server certificate, which is on the LB, and the actual JSS certificate authority, which is still in the JSS.


I've figured out the tomcat page being greyed out -- i have multiple JSS's, each in their own /webapps/XX folder. The tomcat page is only accessible to the JSS running in the /webapps/ROOT folder.

That does not, however, seem to help me. I moved a test JSS into /ROOT, restarted Tomcat, used the Tomcat page in the JSS to "Change the SSL certificate used for HTTPS", and restarted tomcat again, but my signing certificate is still expired upon removing framework and re-enrolling.

So far, I'm not sure I've been able to find anything about this issue at all.

New Contributor III

Did you get the solution for this issue? We are facing same issue in our company.

Inside MDM Profile it is showing JSS Signing certs expired on particular date and the profiles shows unverified. However if we remove and manage mdm again it resolves the issue.

But our certificates are not expired. Not sure how it is showing that date