Moving to a 3rd Party SSL certificate

New Contributor

We've been using a self signed certificate on our Jamf Pro servers since deployment a few years ago. With the recent changes from Apple I am going to buy a certificate to meet their updated requirements and to make the system more secure.

We have 3 servers, an internal JSS, a DMZ JSS and a distribution point. I intend to create a CSR with SAN names so I can use the same certificate across all the servers.

We are running 9.98. Is it as simple as just creating the CSR, getting the certificate and importing it via the JSS for the two JSS instances and then within IIS for the DP? Anything to watch out for?

Valued Contributor III

I would consider also getting a wildcard cert if you can. It costs a bit more, but I have the flexibility of just "copying the keystore file" and updating my server.xml on all my Tomcat instances that way.

New Contributor III

That should really be all you need to do. As long as you include all of the SANs you should be in good shape.

Contributor II

I would also put in a call to Jamf support just to make sure. Something about possibly having to re-enroll every device just scares the crap out of me.

Valued Contributor III

@jchurch always a valid step.... I'm with you on that. I'm never afraid to call them for a sanity check...even if there is 1% uncertainty. I realized early on that this is better than having a sleepless night wondering if something I'm about to do is going to make my life hell or cause me to get yelled at. That is why you pay for support.

Release Candidate Programs Tester

Security best practice would say to not use the same private key on the servers but instead to do a different one. You might also want to consider using Let's Encrypt, which is free if cost has been the issue holding you back. We use a wildcard cert with separately issued keys from Digicert.

Valued Contributor III

@john_wetter is very right. The way we did it was honestly for convenience's sake, but I'll note that I'm not the only one doing that here. That also being said, I am likely to learn from this and may go through the joy of doing different private key/public key pairs at the right time. Cost isn't the issue...we can generate unlimited wildcard certs from Digicert for our domain. We did use the highest encryption they would offer us when doing that, but I am going to learn from this and consider doing it differently as the goal is to increase security not decrease it.

Source for my change of position: Our new network security guy...he said we should be okay as it would be difficult to compromise that cert but that if we did, we would have it compromised on multiple servers.
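The original question asks for a CSR with SAN names, and the later replies recommend a separate private key per server. The script below is an added example, not from any poster, showing how to do both with openssl: one fresh key plus one SAN CSR per host, a helper to read back the SANs a CSR actually carries, and a check that two servers do not share a key. Hostnames and the subject fields are placeholders; `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): one private key and one SAN CSR per
# server, so a key compromise on one host does not affect the others.

# make_csr PREFIX CN [extra SAN ...]
# Writes PREFIX.key (never copied between hosts) and PREFIX.csr.
make_csr() {
  prefix="$1"; cn="$2"; shift 2
  sans="DNS:$cn"
  for name in "$@"; do sans="$sans,DNS:$name"; done
  # Fresh 2048-bit RSA key for this server only; keep it readable by root only.
  openssl genrsa -out "$prefix.key" 2048 2>/dev/null
  chmod 600 "$prefix.key"
  # Modern CAs and clients read names from the SAN extension, not the CN,
  # so every name the server answers to goes into subjectAltName.
  openssl req -new -key "$prefix.key" -out "$prefix.csr" \
    -subj "/C=US/O=Example Org/CN=$cn" \
    -addext "subjectAltName=$sans"
}

# csr_sans FILE.csr
# Prints the SAN list embedded in the CSR (e.g. "DNS:a.example.com,DNS:b.example.com")
# so it can be checked before the request is sent to the CA.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# same_key KEY1 KEY2
# Succeeds only if both private keys have the same public key, i.e. the
# servers would be sharing one key. The two JSS instances should fail this.
same_key() {
  a=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}
```

Send each `.csr` to the CA separately; the resulting certificate for a host then only ever pairs with the key generated on that host.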