Multiple certificates on a single JSS?

New Contributor

I am installing an additional JSS in our DMZ. And it occurred to me that if we had separate DNS entries (in internal DNS and external DNS), we could use one FQDN to resolve to both JSSs. So, when a laptop user brought their machine in to work, they would be managed by the internal JSS and when they work from home they would be managed by the external JSS - and this switch would occur seamlessly.

All data would be stored on the internal JSS, since the JSS in the DMZ is just a webapp pointing to the internal server (along with a software distribution point in the DMZ).

Here is how I want to do it:
1. Internal JSS is named
2. External JSS is named
3. A new hostname is entered into both internal and external DNS. On internal DNS it resolves to SERVER1 on external DNS it resolves to SERVER2.

The problem with this approach is that we would need to add a second certificate to each JSS for JAMF.EXTERNALDOMAIN.COM and that certificate would need to be generated on the first JSS, then exported to the second JSS so the certificate for both is identical.

My questions are:
1. Is it possible for a JSS to have more than one certificate and hostname?
2. Would I have to unmanage the clients, then manage them using the single host name?

Bob Reed


Release Candidate Programs Tester

I think you're over complicating things.

I'd use one DNS & cert for both instances.

In fact, we do this now. Works well.

Externally clients connect to clustered sever in DMZ, internally our internal JSS.

New Contributor III

One DNS entry is ideal, but if you can't avoid two different names, you can create a cert with 2 subject alternative name entries with the DNS entries of both names.

Valued Contributor III

Agreed with the other posters for sure, but one thing I do that lets me deal with certs in multiple places where I need them was to sign up for a wildcard cert. For instance, our domain is * I have a wildcart cert that lets me handle any server on our domain and it works both internally and externally.

This may not work for you if you truly have different domain names both internally and externally, but it has sure helped us not need to apply for new certs for different server in our domain.