Renew GSX certificate step(s)

dniven
New Contributor III

I've inherited a JSS from someone else and see steps detailed in link below to set up a JSS - GSX connection but in our case we will be renewing it — 1) are those same steps needed for that?

Also 2) can the same GSX certificate once renewed be added to two JSSes?

https://www.jamf.com/jamf-nation/articles/26/integrating-with-apple-s-global-service-exchange-gsx

Thanks for pointing me in the right direction...


MLBZ521
Contributor III

(I know I'm responding to an old post, hopefully this will help someone at some point.)

 

1) Kinda.  I generate the CSR manually with (this is a copy of my internal documentation):

  1. Run the following command in a terminal:  
    openssl genrsa -aes256 -out privatekey.pem 2048
  2. When prompted, enter the passphrase for the private key. This is your secure passphrase and should not be shared with anyone
  3. Run the following command in a terminal:  
    openssl req -new -sha256 -key privatekey.pem -out certreq.csr
  4. Enter the following information when prompted:
    1. Passphrase used in earlier step
    2. Country Name (2 letter code) []
    3. State or Province Name (full name) []
    4. Locality Name (eg, city) []
    5. Organization Name (eg, company) []
    6. Organizational Unit Name (eg, section) []
    7. Common Name (eg, fully qualified host name) []:  
      1. In the format: <AppleCare-Partner-XXXXXXXXXX.Test.apple.com> or <AppleCare-Partner-XXXXXXXXXX.Prod.apple.com>
      2. where XXXXXXXXXX is your company or organization's Apple-assigned Sold To number, including leading zeros
    8. Email Address []:
    9. Any challenge password:
  5. Zip the CSR file and send it to gsxws@apple.com, CC your Apple account reps, and include the following information in the body of the email:
    1. Sold To & Ship To (account numbers): ####### / #######
      Environment you are attempting to access: GSX Documentation Access
      AppleID used for authentication: 
      API consumed: GSX
       
      GSX Sold-to account number: #######
      GSX Ship-to account number: #######
      Access recipient email address: 
      Requestor’s role: Jamf Pro Administrator
      Primary IT contact name: 
      Primary IT contact email: 
      Primary IT contact phone number: 
      Primary business contact name(s) for API related communications: 
      Primary business contact email address(es) for API related communications: 

 

After receiving the certs back from Apple, you can then follow the guide you linked, specifically the step "Converting the Apple Certificate (.pem) to .p12 Format."

 

2) Yes, you can use the same GSX Cert in multiple Jamf Pro instances, HOWEVER, each instance will need its own, unique GSX user account (and Partner API Token).

dlondon
Valued Contributor

Hi @MLBZ521, is the "Sold-to account number" the same as "Customer Account Number"? Not seeing anything in MyAccess for

GSX Sold-to account number: #######
GSX Ship-to account number: #######

MLBZ521
Contributor III

Hey @dlondon, yes the `GSX Sold-to account number` is the same as `Customer Account Number` in MyAccess.

dlondon
Valued Contributor

Thanks @MLBZ521 
I just shot off my request but the automated response also mentioned the need to provide

Raw JSON request and response and full request and response headers
Raw XML request and response

Is that something you have seen?  I'm hoping it can be ignored

MLBZ521
Contributor III

@dlondon I think it can be if you are connecting this to Jamf Pro or at least specify that that is what you're doing.  This is the same method that would be used for AASPs when integrating GSX APIs into a proprietary POS system.

dlondon
Valued Contributor

Thanks @MLBZ521, got it working finally.  I was forgetting to change the pem received back from Apple to p12 and the Jamf interface seemed to imply I could use a pem so kept failing.  Backtracked through the documentation mentioned above and realised my mistake.

Yeah......never trust Jamf.....

Glad the information was helpful to someone though!

dlondon
Valued Contributor

One thing that might not be so obvious is that whilst you can see the content of the pem cert received back from Apple in Finder, when you convert it to p12 you cannot.  However, if you import it to Keychain it will prompt for the Export Password used when you converted to p12 and then you can see the full cert in Keychain.

There's probably a way on the command line to do the same thing
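
The last post asks for a command-line way to look inside the .p12; the script below is an added example (not from the thread or from Jamf's guide) that checks the returned certificate really belongs to your private key, builds the .p12, and prints the subject and expiry of the certificate inside it. The file names, the `KEY_PASS`/`EXPORT_PASS` variables, the Sold-To placeholder `0000000000` and the self-signed stand-in certificate are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; not from the thread or Jamf's guide. File names, the
# KEY_PASS/EXPORT_PASS variables and the Sold-To "0000000000" are assumptions.
# Passphrases are read from the environment (env:) so they stay out of argv.

# Constructed stand-in for what you would really have: your encrypted private
# key plus the certificate Apple sent back. Here the cert is self-signed.
make_demo_material() {
    openssl genrsa -aes256 -passout env:KEY_PASS -out privatekey.pem 2048 2>/dev/null &&
    openssl req -x509 -new -sha256 -key privatekey.pem -passin env:KEY_PASS \
        -subj "/CN=AppleCare-Partner-0000000000.Test.apple.com" \
        -days 1 -out cert.pem
}

# True only if the certificate's public key is the one derived from the key file.
cert_matches_key() {   # $1 = cert.pem, $2 = privatekey.pem
    k=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) &&
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle cert + key into a .p12, refusing if they do not belong together.
make_p12() {           # $1 = cert.pem, $2 = privatekey.pem, $3 = out.p12
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing: $1 does not match the key in $2" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$2" -passin env:KEY_PASS \
        -in "$1" -out "$3" -passout env:EXPORT_PASS
}

# Show subject and expiry of the certificate inside a .p12 without exporting
# the private key (-nokeys); needs the Export Password chosen in make_p12.
p12_summary() {        # $1 = file.p12
    openssl pkcs12 -in "$1" -nokeys -passin env:EXPORT_PASS 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Demo run in a scratch directory with constructed passphrases.
export KEY_PASS='constructed-key-pass' EXPORT_PASS='constructed-export-pass'
cd "$(mktemp -d)" || exit 1
make_demo_material && make_p12 cert.pem privatekey.pem gsx.p12 && p12_summary gsx.p12
```

Running `p12_summary` against the existing .p12 before a renewal also shows the `notAfter` date of the certificate currently in use.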