Renew GSX certificate step(s)

New Contributor III

I've inherited a JSS from someone else and see steps detailed in link below to set up a JSS - GSX connection but in our case we will be renewing it — 1) are those same steps needed for that?

Also 2) can the same GSX certificate once renewed be added to two JSSes?

Thanks for pointing me in the right direction...


Contributor III

(I know I'm responding to an old post, hopefully this will help someone at some point.)


1) Kinda.  I generate the CSR manually with (this is a copy of my internal documentation):

  1. Run the following command in a terminal:  
    openssl genrsa -aes256 -out privatekey.pem 2048
  2. When prompted, enter the passphrase for the private key. This is your secure passphrase and should not be shared with anyone
  3. Run the following command in a terminal:  
    openssl req -new -sha256 -key privatekey.pem -out certreq.csr
  4. Enter the following information when prompted:
    1. Passphrase used in earlier step
    2. Country Name (2 letter code) []
    3. State or Province Name (full name) []
    4. Locality Name (eg, city) []
    5. Organization Name (eg, company) []
    6. Organizational Unit Name (eg, section) []
    7. Common Name (eg, fully qualified host name) []:  
      1. In of format: <> or <>
      2. where XXXXXXXXXX is your company or organization's Apple-assigned Sold To number, including leading zeros
    8. Email Address []:
    9. Any challenge password:
  5. Zip the CSR file and to and CC your Apple account reps, and include the following information in the body of the email:
    1. Sold To & Ship To (account numbers): ####### / #######
      Environment you are attempting to access: GSX Documentation Access
      AppleID used for authentication: 
      API consumed: GSX
      GSX Sold-to account number: #######
      GSX Ship-to account number: #######
      Access recipient email address: 
      Requestor’s role: Jamf Pro Administrator
      Primary IT contact name: 
      Primary IT contact email: 
      Primary IT contact phone number: 
      Primary business contact name(s) for API related communications: 
      Primary business contact email address(es) for API related communications: 


After receiving the certs back from Apple, you can then follow the guide you linked, specifically the step "Converting the Apple Certificate (.pem) to .p12 Format."


2) Yes, you can use the same GSX Cert in multiple Jamf Pro instances, HOWEVER, each instance will need its own, unique GSX user account (and Partner API Token).

Valued Contributor

Hi @MLBZ521 is the "Sold-to account number" the same as "Customer Account Number"  Not seeing anything in MyAccess for

GSX Sold-to account number: #######
GSX Ship-to account number: #######

Contributor III

Hey @dlondon, yes the `GSX Sold-to account number` is the same as `Customer Account Number` in MyAccess.

Valued Contributor

Thanks @MLBZ521 
I just shot off my request but the automated response also mentioned the need to provide

Raw JSON request and response and full request and response headers
Raw XML request and response

Is that something you have seen seen?  I'm hoping it can be ignored

Contributor III

@dlondon I think it can be if you are connecting this to Jamf Pro or at least specify that that is what you're doing.  This is the same method that would be used for AASPs when integrating GSX APIs into a proprietary POS system.

Valued Contributor

Thanks @MLBZ521 got it working finally.  I was forgetting to change the pem received back from apple to p12 and the Jamf interface seemed to imply I could use a pem so kept failing.  Backtracked through the documentation mentioned above and realised my mistake.

Yeah......never trust Jamf.....

Glad the information was helpful to someone though!