Signing Certificate expired, how can i renew it?

dpratl
Contributor II

Hi JAMF nation,

The certificate CN=JSS Built-In Signing Certificate, OU=FILEVAULT2COMM expired during my paternity leave, and when I try to renew it, the only option I have is to revoke it in Settings -> Global Management -> PKI Certificate -> Jamf Pro Built-in CA.

Do I have a chance to renew it? Or do I have to create a new one, which would mean recreating all recovery keys, right?

Thank you very much.

BR
Daniel

1 ACCEPTED SOLUTION

dpratl
Contributor II

Hi @TheWarmAtlantic,

My ticket will be closed soon.

General answer from support: Certificates from the internal CA are managed automatically when they are in use.

We didn't use them, even though we had one in a Configuration Profile:

[Screenshot, 2021-08-30: the Configuration Profile with the expired certificate]

But in the same ConfProfile we set the FileVault Personal Recovery Key Encryption Method to "Automatically" (red in the screenshot) - that means the built-in cert is used automatically, not the one we added to the ConfProfile:

[Screenshot, 2021-09-09: FileVault payload with Personal Recovery Key Encryption Method set to "Automatically"]

After removing the expired cert from the ConfProfile and distributing it to my test client, a new cert was shown:

[Screenshot, 2021-09-09: the new certificate on the test client]

All seems to work; these certs didn't have any effect on our Macs.

I hope that helps

BR
Daniel



TheWarmAtlantic
New Contributor III

[Screenshot: the four certificates in the PKI Certificate list]

All 4 of these are about to expire for me, and I can't find any documentation on how to renew them. So if you find out, do let me know.

Hi @TheWarmAtlantic 

I have opened a support ticket for this, as soon as we get that problem solved I will post it here.

BR
Daniel

emilh
New Contributor III

@dpratl have you received any response to your ticket?
All the certificates listed by @TheWarmAtlantic above are expired for us as well.

Levi_
Contributor II

I found this here on how to renew your certificates - https://docs.jamf.com/technical-articles/Renewing_Jamf_Pro_JSS_Built-In_Certificate_Authority_CA.htm...

If you are having problems with that I recommend contacting Jamf support to avoid any interruption as this would indeed be catastrophic. 

My built-in CA doesn't expire for another 5 years... these are signing certificates signed by that CA. It would be strange to have to renew the CA to renew a signing certificate.


bradtchapman
Valued Contributor II

This is probably going to impact a lot of Jamf customers soon, both on-prem and in Jamf Cloud.  They have a Product Issue where the FV2 signing certificate (used to escrow keys) expires 5 years after the Built-in CA was generated. 

PI-008323 - Configuration profiles created before the signing certificate expiration are not updated with a new FilevaultComm2 cert

Many of you created new profiles in 2017-2018 to account for changes in 10.13, APFS, and SecureToken.  Even today, you can deploy a profile with an expired certificate without any problems.  macOS and Jamf do not check the validity of certificates within the profile.  That's the admin's responsibility.

To complicate matters, in the Jamf Pro console, the certificate payload of the existing profile appears empty and awaiting configuration.  You have to edit the profile, then select Certificate, then click the Configure button.  Now you can see the expired cert AND a new blank entry.  (I'm calling this behavior a separate Jamf UI bug, since any cert attached to a profile should be displayed no matter what).

In short ... if you have upgraded to Jamf 10.31 or later, you have to generate a brand new configuration profile with the FileVault payloads in order to generate the new FV2 Escrow Cert.
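The practical consequence of bradtchapman's point is that neither macOS nor Jamf will refuse a profile whose certificate payload has expired, so the check has to be the admin's own. Below is an added example, not part of this thread and not Jamf tooling: a stdlib-only Python script that walks the certificate payloads of an exported .mobileconfig, reads each certificate's notAfter straight from the DER and flags expired ones. Assumptions: only `com.apple.security.pkcs1` and `com.apple.security.root` payloads carry a bare DER certificate (PKCS#12 payloads are encrypted and are skipped); the sample certificate and profile the script builds when run without arguments are constructed here, with hypothetical identifiers, so that it runs offline.

```python
"""Audit a .mobileconfig for expired certificate payloads, stdlib only."""
import plistlib
from datetime import datetime, timezone

# Payload types whose PayloadContent is a bare DER certificate (assumption:
# PKCS#12 payloads are encrypted and are deliberately skipped here).
CERT_PAYLOAD_TYPES = {"com.apple.security.pkcs1", "com.apple.security.root"}


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(der, tag, s, e):
    text = der[s:e].decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                       # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Return the notAfter of an X.509 DER certificate as a UTC datetime (no signature check)."""
    _, tbs_pos, _ = _tlv(der, 0)            # Certificate SEQUENCE -> tbsCertificate starts here
    _, s, e = _tlv(der, tbs_pos)            # tbsCertificate SEQUENCE
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, vs, ve = fields[3]
    _not_before, not_after = _children(der, vs, ve)
    return _parse_time(der, *not_after)


def audit_profile(profile_bytes, now=None):
    """Return [(PayloadDisplayName, not_after, expired)] for every cert payload in the profile."""
    now = now or datetime.now(timezone.utc)
    results = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") in CERT_PAYLOAD_TYPES:
            not_after = cert_not_after(payload["PayloadContent"])   # <data> -> bytes
            results.append((payload.get("PayloadDisplayName", "?"), not_after, not_after < now))
    return results


# --- constructed sample input (not a real Jamf export) ------------------------

def _der(tag, content):
    """Minimal DER encoder, used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_cert(not_after):
    """Unsigned certificate skeleton: real field layout, dummy key and signature bits."""
    tag = 0x18 if len(not_after) == 15 else 0x17   # GeneralizedTime vs UTCTime
    rsa_sha256 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                          + _der(0x0C, b"JSS Built-In Signing Certificate"))))
    validity = _der(0x30, _der(0x17, b"160901000000Z") + _der(tag, not_after))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + rsa_sha256 + name + validity + name + spki)
    return _der(0x30, tbs + rsa_sha256 + _der(0x03, b"\x00"))


def build_sample_profile(cert_der):
    """One-payload mobileconfig with a pkcs1 certificate payload; identifiers are hypothetical."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault", "PayloadDisplayName": "FileVault (sample)",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [{
            "PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.filevault.cert",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadDisplayName": "JSS Built-In Signing Certificate",
            "PayloadContent": cert_der,             # serialised as <data>
        }],
    })


if __name__ == "__main__":
    import sys
    # Usage: python audit_profile.py a.mobileconfig [b.mobileconfig ...]; no args runs the sample.
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or \
             [build_sample_profile(build_sample_cert(b"210901000000Z"))]
    for blob in inputs:
        for name, not_after, expired in audit_profile(blob):
            print(f"{'EXPIRED' if expired else 'ok     '} {not_after:%Y-%m-%d} {name}")
```

Point it at unsigned exports; if the profile you downloaded is CMS-signed, decode the wrapper first (on macOS, `security cms -D -i signed.mobileconfig -o plain.mobileconfig`) so that plistlib sees a plain plist. The DER walk reads only the validity field and performs no signature or chain validation: it is an inventory check for the expiry problem described in this thread, not a trust decision.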