We've been using a self-signed certificate on our Jamf Pro servers since deployment a few years ago. With the recent changes from Apple I am going to buy a certificate to meet their updated requirements and to make the system more secure.
We have 3 servers, an internal JSS, a DMZ JSS and a distribution point. I intend to create a CSR with SAN names so I can use the same certificate across all the servers.
We are running 9.98. Is it as simple as just creating the CSR, getting the certificate and importing it via the JSS for the two JSS instances and then within IIS for the DP? Anything to watch out for?
I would consider also getting a wildcard cert if you can for your domain...it costs a bit more but I have the flexibility of just "copying the keystore file" and updating my server.xml on all my Tomcat instances that way.
@jchurch always a valid step.... I'm with you on that. I'm never afraid to call them for a sanity check...even if there is 1% uncertainty. I realized early on that this is better than having a sleepless night wondering if something I'm about to do is going to make my life hell or cause me to get yelled at. That is why you pay for support.
@john_wetter is very right. The way we did it was honestly for convenience's sake, but I'll note that I'm not the only one doing that here. That also being said, I am likely to learn from this and may go through the joy of doing different private key/public key pairs at the right time. Cost isn't the issue...we can generate unlimited wildcard certs from DigiCert for our domain. We did use the highest encryption they would offer us when doing that, but I am going to learn from this and consider doing it differently, as the goal is to increase security, not decrease it.
Source for my change of position: Our new network security guy...he said we should be okay as it would be difficult to compromise that cert but that if we did, we would have it compromised on multiple servers.
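The last reply turns on one key pair being shared by several servers. The script below is an added example, not part of the thread and not Jamf's tooling: it uses plain `openssl` to create a separate private key and SAN-bearing CSR for each server, then checks that no two requests share a public key. The `example.com` hostnames and the function names are placeholders chosen for this example.

```shell
# Added example. Hostnames are placeholders, not values from the thread.
set -eu

# make_csr OUTDIR CN [EXTRA_SAN...]: new RSA key plus a CSR carrying the SANs.
make_csr() {
  local outdir=$1 cn=$2 name; shift 2
  local san="DNS:$cn"
  for name in "$@"; do san="$san,DNS:$name"; done
  mkdir -p "$outdir"
  # Run on the server itself so the private key never has to be copied.
  ( umask 077; openssl genrsa -out "$outdir/$cn.key" 2048 2>/dev/null )
  cat > "$outdir/$cn.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
  openssl req -new -key "$outdir/$cn.key" -config "$outdir/$cn.cnf" -out "$outdir/$cn.csr"
}

# csr_sans FILE: print the SAN entries the CA will see in the request.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# pubkey_fp FILE: SHA-256 fingerprint of the public key in a CSR.
pubkey_fp() {
  openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# distinct_keys FILE...: succeed only if no two CSRs share a key pair.
distinct_keys() {
  local f dups
  dups=$(for f in "$@"; do pubkey_fp "$f"; done | sort | uniq -d)
  [ -z "$dups" ]
}

demo() {
  local d host; d=$(mktemp -d)
  for host in jss.example.com jss-dmz.example.com dp.example.com; do
    make_csr "$d" "$host"
  done
  distinct_keys "$d"/*.csr && echo "each server has its own key pair"
  rm -rf "$d"
}
demo
```

Importing the issued certificates into Tomcat or IIS is outside what this example covers.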