Private Key for built-in JSS CA? (traffic shaping)

Valued Contributor II

Client with multiple JDSes around the world.

Their JSS is configured with a new Tomcat keystore, and a certificate issued by their Active Directory Certificate Authority. This is being used for client-to-JSS and web console connections.

However, the JSS-to-JDS traffic uses the Built-in CA from when the JSS was installed. And now the client wants to use WebSeal network appliances to shape and/or control the JDS replication traffic.

To inspect this traffic, the WebSeal needs the JSS Built-in CA, which we can download from the Management Settings->Global Management->PKI.

To actually shape this traffic, the WebSeal also needs the private key for this certificate. However, I have apparently stumped JAMF Support in figuring out where this private key may be stored (perhaps in the MySQL database somewhere? It's not in the Tomcat keystore, which was deleted/replaced with a new one when the AD CA was installed)?

Alternatively, is it possible to have JSS-to-JDS replication use the AD cert and private key? We have the certificate and know everything about the Tomcat keystore and could use Portecle to dump out the private key...


Release Candidate Programs Tester

@RobertHammen That'll be the Ad CA's private key right?

Valued Contributor II

Nope - the JSS to JDS traffic is using the JSS Built-In CA, which was set up automagically when the JSS was installed. But where is the private key stored? Not in the Tomcat keystore, since that was nuked when the AD CA-issued cert was added. Don't think it's in the Java keystore. Wondering if it's somewhere in the Tomcat directory or the MySQL database.

Or, if we could get JSS to JDS traffic to use the AD CA-issued certificate and private key in the Tomcat keystore, we'd be good.


New Contributor II

I'm not sure if we're referring to the same certificate, but you can create a backup of the CA in the JSS at the PKI panel. This backup is a p12 file which includes the private key. Best