Signing Certificate expired, how can I renew it?

dpratl
Contributor II

Hi JAMF nation,

The Cert: CN=JSS Built-In Signing Certificate, OU=FILEVAULT2COMM expired during my paternity leave, and when I try to renew it I only have the possibility to revoke it in Settings -> Global Management -> PKI Certificate -> Jamf Pro Built-in CA.

Do I have a chance to renew that? Or do I have to create a new one, but that means to recreate all Recovery Keys, right?

Thank you very much.

BR
Daniel

1 ACCEPTED SOLUTION

dpratl
Contributor II

Hi @TheWarmAtlantic,

My ticket will be closed soon.

General answer from support: Certificates from the internal CA are managed automatically when they are in use.

We didn't use them, even though we had one in a Configuration Profile:

Screenshot 2021-08-30 at 11.15.53.png

But in the same ConfProfile we set up the FileVault Personal Recovery Key Encryption Method to "Automatically" (red in the screenshot) - that means the Built In Cert is used automatically, not the one we have added to the ConfProfile:

Screenshot 2021-09-09 at 17.00.29.png

After removing the expired Cert from the ConfProfile and distributing it to my test client, a new Cert was shown:

Screenshot 2021-09-09 at 17.05.52.png

All seems to work, these certs didn't have any effect on our Macs.

I hope that helps

BR
Daniel


6 REPLIES

TheWarmAtlantic
New Contributor III

TheWarmAtlantic_0-1628716301264.png

All 4 of these are about to expire for me and I can't find any documentation on how to renew them. So if you found out, do let me know.

Hi @TheWarmAtlantic 

I have opened a support ticket for this, as soon as we get that problem solved I will post it here.

BR
Daniel

emilh
New Contributor III

@dpratl have you received any response to your ticket?
All the certificates listed by @TheWarmAtlantic above are expired for us as well.

Levi_
Contributor

I found this here on how to renew your certificates - https://docs.jamf.com/technical-articles/Renewing_Jamf_Pro_JSS_Built-In_Certificate_Authority_CA.htm...

If you are having problems with that I recommend contacting Jamf support to avoid any interruption as this would indeed be catastrophic. 

My built-in CA doesn't expire for another 5 years... These are signing certificates signed by that CA. It would be strange to have to renew the CA to renew a signing certificate.
