Renewing Jamf Pro CA certificate chain

jtrant
Valued Contributor

Hello,

Has anyone who upgraded to 10.23.0 gone through the process of renewing the Jamf Pro CA certificate? Ours expires in 2026 but the certificates issued by the CA have a 5 year validity period and are expiring next year.

Based on the Jamf KB article it's as simple as clicking 'Renew' and the devices will automatically be issued with the new certificate via MDM push, but does this automatically update all of the configuration profiles on a Mac/iPad with the new JSS Built-in Signing Certificate used to sign the profiles?

Thanks in advance,
Justin.


jtrant
Valued Contributor

Anyone?

drhoten
Contributor II

Hello @jtrant

In Jamf Pro 10.23 only the device identity certificate in the MDM profile is renewed. This can be done by either renewing the built-in CA or independently for a group of one or more devices using a mass action in a smart group or advanced search.

To redistribute a configuration profile, you would need to manually edit the config profile and select the option for distributing the changes to all devices once it is saved.

jtrant
Valued Contributor

Thanks @drhoten, we renewed the CA this morning but only the CA itself renewed, none of the signing certificate expiration dates changed. The documentation states that all signing certificates are automatically renewed.

Does this only happen if they are set to expire within a certain time period? Ours are good until 10/2021 but we wanted to renew them well ahead of time as Jamf is not available outside of our network, and there are a number of clients that don't check in frequently.

Edit: The certs did renew based on the logs, but the UI still shows the old dates. New clients are still getting certs signed by the JSS signing cert that expires in 2021.

drhoten
Contributor II

Hello @jtrant

After the CA is renewed, devices are marked as needing a new MDM profile. The next time the device is sent another MDM command it is also sent a Renew MDM Profile command. This is so we are not sending new MDM profiles to all devices in your fleet at the same time, so it may take a while for the new device identity certificates to appear on devices.

Are you still seeing new clients being signed by the older signing certificate?
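The open question in this thread is whether newly delivered profiles are really signed by the renewed JSS Built-in Signing Certificate, and how long the signer on already-installed profiles remains valid. The check below is an added example, not from Jamf or from anyone in this thread: it reads the signer certificate out of a signed .mobileconfig with openssl (a signed profile is a DER-encoded CMS/PKCS#7 SignedData blob wrapping the XML plist) and flags profiles whose signer expires within a threshold. The directory layout and the 365-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: inspect which certificate signed a configuration profile
# and when that signer expires. Works on any host with openssl; the
# profile can be one exported from Jamf Pro or downloaded during enrollment.

# Print the signer's subject and notAfter for a signed profile ($1).
# -noverify skips chain building (the Jamf CA is usually not trusted on the
# host running this check); the CMS signature itself is still verified.
profile_signer() {
  tmp=$(mktemp) || return 1
  openssl cms -verify -noverify -inform DER -in "$1" \
      -signer "$tmp" -out /dev/null 2>/dev/null || { rm -f "$tmp"; return 1; }
  openssl x509 -in "$tmp" -noout -subject -enddate
  rm -f "$tmp"
}

# Whole days until the signer of profile $1 expires (negative = expired).
profile_signer_days_left() {
  end=$(profile_signer "$1" | sed -n 's/^notAfter=//p') || return 1
  [ -n "$end" ] || return 1
  now=$(date -u +%s)
  # GNU date (-d) and BSD/macOS date (-j -f) parse the openssl date differently.
  exp=$(date -u -d "$end" +%s 2>/dev/null \
     || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$end" +%s) || return 1
  echo $(( (exp - now) / 86400 ))
}

# Report every *.mobileconfig under directory $1 whose signer expires within
# $2 days (default 365, an assumed threshold). Returns 1 if anything is flagged.
check_profiles() {
  dir=$1; limit=${2:-365}; rc=0
  for f in "$dir"/*.mobileconfig; do
    [ -f "$f" ] || continue
    left=$(profile_signer_days_left "$f") \
      || { echo "UNSIGNED/UNREADABLE $f"; rc=1; continue; }
    if [ "$left" -lt "$limit" ]; then
      echo "EXPIRING in $left days: $f"
      profile_signer "$f" | sed 's/^/  /'
      rc=1
    fi
  done
  return $rc
}
```

Run `check_profiles /path/to/exported/profiles 365` after the CA renewal: a profile still signed by the 2021-expiring signing certificate shows up under its old subject and notAfter, which is the symptom described above.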