Posted on 07-20-2017 02:21 AM
Hello,
Do the certificates for the internal and DMZ jss have to be the same?
At the moment our internal jss has only a self-signed certificate and we plan to install a DMZ jss with a Let’s Encrypt certificate.
Because Let’s Encrypt needs to renew every 90 days or so and has to talk to the internet, it’s not really possible to use the Let’s Encrypt certificate on the internal jss.
So, do the certificates for the internal and DMZ jss have to be the same?
Is it ok to use a self-signed certificate for the internal jss and a Let’s Encrypt certificate on the DMZ jss?
Posted on 07-20-2017 03:23 AM
It depends on the security settings you're using in the JSS. If it's set to require a valid cert (Computer Management > Security > Enable SSL certificate verification), this will stop devices checking in to the internal JSS.
If you have any iOS devices, they will have a problem.
It would be best to have a valid cert on both sides, or to direct all client devices to the DMZ JSS.
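An added illustration of the two checks behind this answer, not code from the thread or from Jamf: whether a JSS certificate would pass chain verification the way a client with certificate verification enabled performs it, and whether a certificate is within the renewal window a 90-day Let's Encrypt certificate needs. It assumes the openssl CLI is installed; the hostname in the generated certificate is a made-up placeholder, and the self-signed certificate is constructed locally just for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is available.

# Create a throwaway self-signed certificate in directory $1, standing in for an
# internal JSS that has no publicly trusted certificate. CN is a placeholder.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=jss.internal.example" \
        -keyout "$1/selfsigned-key.pem" -out "$1/selfsigned.pem" >/dev/null 2>&1
}

# Succeeds only if the certificate in $1 chains to a trusted root.
# With no second argument the system CA store is used (what a client with
# "Enable SSL certificate verification" effectively relies on); passing a CA
# file as $2 models a device that has the JSS CA explicitly installed.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Succeeds only if the certificate in $1 stays valid for at least $2 more days.
# Useful as a renewal alarm: a Let's Encrypt certificate that fails this for,
# say, 30 days needs its renewal job looked at.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
if verify_chain "$demo_dir/selfsigned.pem"; then
    echo "self-signed cert: trusted by system store (unexpected)"
else
    echo "self-signed cert: NOT trusted by system store -> verifying clients will refuse it"
fi
if verify_chain "$demo_dir/selfsigned.pem" "$demo_dir/selfsigned.pem"; then
    echo "self-signed cert: trusted once its own CA is installed on the client"
fi
if cert_valid_for_days "$demo_dir/selfsigned.pem" 20; then
    echo "cert still valid for 20+ days"
fi
if ! cert_valid_for_days "$demo_dir/selfsigned.pem" 40; then
    echo "cert expires within 40 days -> renewal due"
fi
rm -rf "$demo_dir"
```

Run against real files exported from each JSS (`verify_chain dmz.pem`, `cert_valid_for_days dmz.pem 30`) to confirm the DMZ certificate chains to a public root and that the renewal job is keeping it fresh; the self-signed internal certificate will fail the first check unless the device trusts that CA.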
Posted on 07-20-2017 04:31 AM
Hi David,
yes, we want to have iOS devices.
At the moment our setting is: SSL Certificate Verification: Always except during enrollment
So, from what I understand, the best way for us (using a Let’s Encrypt certificate) would be to use only the DMZ jss for client connections and to leave the internal jss "in the background".
Are there any drawbacks to not using both jss (in Split DNS) for device connections?