Posted on 07-05-2013 11:52 AM
Prior to enrolling an OS X client, if I update the Tomcat certificate with one from an internal Microsoft CA, does the client need to trust the Tomcat certificate to successfully enroll and get configuration profiles? Basically I'm replacing the certificate so that I don't get nagged about an untrusted website every time I go to the JSS admin page.
Under Global Device Management > Public Key Infrastructure, I'm using the Built-in Certificate Authority to encrypt messages between the JSS and clients.
Posted on 07-05-2013 02:38 PM
You should be safe as long as the computers are going to trust the new cert without any change to them. I'd double-check with Jamf support though.
The other thing I wanted to note is: you can tell your computer to trust the self-signed cert. Unless you are using a lot of random computers to manage the JSS, it's not usually worth the hassle. And if you are using managed machines, you could push the self-signed cert out as a trusted one using the JSS and never have to worry about anything but an unmanaged system.
Posted on 07-08-2013 12:47 PM
Yeah, you don't want clients explicitly trusting the cert itself. You want them trusting the *root* cert your Tomcat cert is derived from. Explicitly trusting identity certs is a bad idea if you need to revoke them at some point.
Posted on 07-09-2013 10:07 PM
+1 @ Jared. Your clients... ALL of them must recognize the root (i.e. Verisign, GoDaddy, or what have you) BEFORE you push the cert. I just finished my second day of the CJA and we had a really lively discussion about what would happen if this isn't done and reverified. There are a few published extension attributes from JAMF, as I recall, to help you check on this... Sorry not to post a link, but I'm tired enough to have already had to fix several typos in this post, and who knows what other stuff I've missed. One way or another, be very, very happy that you're not going to use the self-signed cert any longer... Though you should really be changing it for reasons other than sheer annoyance ;-)
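The two posts above make the same point from different angles: clients must hold the issuing root as their trust anchor, not the Tomcat identity cert, and you should verify that before relying on it. The script below is an added example, not code from the thread or from Jamf. It builds a throwaway internal CA and two JSS identity certs with openssl, then checks which trust anchor still accepts the server after the identity cert is reissued. The CA name "Example Internal Root CA" and the hostname jss.example.com are assumptions; nothing here touches a real JSS.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates why clients
# should trust the issuing root rather than the JSS's Tomcat identity cert.
# Assumed names: "Example Internal Root CA" and hostname jss.example.com.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed root CA plus two leaf certs (jss1.pem, jss2.pem)
# signed by it. jss2 stands in for the Tomcat cert after a renewal or a
# revoke-and-reissue: same hostname, same issuer, different key.
make_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Example Internal Root CA" >/dev/null 2>&1
  for n in 1 2; do
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$dir/jss$n.key" -out "$dir/jss$n.csr" \
      -subj "/CN=jss.example.com" >/dev/null 2>&1
    openssl x509 -req -days 825 -in "$dir/jss$n.csr" \
      -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
      -out "$dir/jss$n.pem" >/dev/null 2>&1
  done
}

# Exit 0 if cert $2 chains up to the root in $1. This is what a client that
# has the issuing root installed as a trust anchor does.
trusts_via_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if cert $2 is accepted by a client that pinned the identity cert $1
# itself as its anchor. -partial_chain lets a non-root cert terminate the
# chain, which is what "explicitly trusting" the Tomcat cert amounts to.
trusts_via_pinned_leaf() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print one line per case so the difference is visible when run by hand.
report() {
  if "$1" "$2" "$3"; then
    echo "OK     anchor=$(basename "$2") cert=$(basename "$3")"
  else
    echo "REJECT anchor=$(basename "$2") cert=$(basename "$3")"
  fi
}

make_pki "$WORK"
report trusts_via_root        "$WORK/root.pem" "$WORK/jss1.pem"  # OK
report trusts_via_root        "$WORK/root.pem" "$WORK/jss2.pem"  # OK: reissued cert still chains
report trusts_via_pinned_leaf "$WORK/jss1.pem" "$WORK/jss1.pem"  # OK: only while jss1 is in use
report trusts_via_pinned_leaf "$WORK/jss1.pem" "$WORK/jss2.pem"  # REJECT: pinned leaf is stale
```

The last two lines are the revocation problem from Jared's post in miniature: a client that pinned the identity cert keeps working right up to the moment you replace it, then enrollment and profile delivery break on every such client at once, while clients anchored on the root never notice. Note that the openssl CLI on a Mac has its own trust store and does not consult the keychain, so the command to run in an extension attribute on a managed Mac is `security verify-cert -c <cert.pem> -p ssl` against the JSS's certificate, which evaluates it against the System keychain that your configuration profile pushes the root into.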
Posted on 07-10-2013 05:31 AM
I have half-a-hunch that you work somewhere that has an internal CA (for digital signatures, authentication, SSL-enabled sites). That should be the authority by which your JSS cert is trusted.