TomCat SSL Cert Change

s_oconnor
New Contributor III

Hey all,

I've been stuck on this for quite a few weeks. Our JSS servers were moved from one location to another. Since then we've had to redo numerous things. The last being TomCat. The boxes used to be behind a load balancer, now they are not. Anytime we navigate to our jss site, it says it is not secure over https and another issue is any policies with packages trying to push, fail due to it not being secure and not being able to make the connection.

If I go into TomCat and "Change the SSL certificate used for HTTPS" -> Next -> I've tried "Generate a certificate from the JSS's built-in CA". Restarted the box. No different.

Same steps as above, only this time, "Upload an existing SSL Certificate" -> our network guy pulled the cert we use for other servers. Anytime I try to upload, at the second part where it asks for the password, it does not go through. This password works on everything else. Tried redownloading it from the site, same issue.

I'm stumped and am not sure how to get the new SSL cert up on the JSS Site. This is preventing policies/packages from pushing.

Any thoughts/help would be amazing :)

1 ACCEPTED SOLUTION

s_oconnor
New Contributor III

Alright, after way too many hours spent on this.

The issue seemed to be two-part. The person at my company who generates certs had to use Crypto Shell to export out each part of the cert (Root, intermediate and actual cert) to .cer; I was then able to use that to generate the last part.

Here is the kicker, I was using this article: https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate

After talking with a person at JAMF, they provided me an application that makes life soooo much easier. It is called "Simple SSL" no having to type things in terminal etc. Everything is done through the handy little application. It spits out a .p12 instead of .jks. Thanks so much to Alex at JAMF, made the process SOOO much better.


21 REPLIES

MTFIDjamf
Contributor II

@sabrina.oconnor Are you trying to upload the .cer file in the upload step? If so, that will not work, you need to upload the .jks file that was created using the keytool utility in Java. The .jks file needs to be 'injected' with the .cer info, this process also uses the keytool utility. Do you know if you have the previous .jks file somewhere that was used for the Jamf server? If so, try to upload that file.

Keytool (on Windows server): C:\Program Files\Java\jrex.x.x\bin

Process for net new cert:
1. Create .jks with keytool.
2. Create CSR with the .jks file, also using keytool.
3. Request SSL cert with above CSR.
4. Once you have the .cer file it has to be injected into the .jks file using keytool (also any trusted CAs).
5. The .jks file is then uploaded into the jamf console.
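The five-step process above carried out with the JDK's keytool, as an added example that is not part of the post, of Jamf's KB, or of any CA's instructions. A throwaway local root and intermediate CA stands in for the public CA (step 3) so the whole flow runs offline; every file name, alias, password and hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread, Jamf, or any CA): the "net new cert"
# procedure done with keytool. A local root + intermediate CA stands in for
# the public CA so it runs offline. All names and passwords are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"          # placeholder; Tomcat wants keypass == storepass
HOST="${HOST:-jss.example.com}"   # placeholder JSS hostname
KS="$WORK/tomcat.jks"
CA="$WORK/ca.jks"

# Step 1: keystore holding a fresh key pair for the Tomcat server.
create_keystore() {
  keytool -genkeypair -keystore "$KS" -storetype JKS -storepass "$PASS" \
    -keypass "$PASS" -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, O=Example Org, C=US" -ext "SAN=dns:$HOST"
}

# Step 2: CSR from that keystore (this is what goes to the CA).
create_csr() {
  keytool -certreq -keystore "$KS" -storepass "$PASS" -alias tomcat \
    -file "$WORK/tomcat.csr"
}

# Step 3 stand-in: a local root CA issues an intermediate, which signs the CSR.
# A public CA hands back the equivalent root.cer, intermediate.cer, server.cer.
local_ca_sign() {
  keytool -genkeypair -keystore "$CA" -storetype JKS -storepass "$PASS" \
    -keypass "$PASS" -alias root -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Root CA" -ext bc=ca:true
  keytool -exportcert -rfc -keystore "$CA" -storepass "$PASS" -alias root \
    -file "$WORK/root.cer"
  keytool -genkeypair -keystore "$CA" -storepass "$PASS" -keypass "$PASS" \
    -alias intermediate -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Intermediate CA"
  keytool -certreq -keystore "$CA" -storepass "$PASS" -alias intermediate \
    -file "$WORK/intermediate.csr"
  keytool -gencert -rfc -keystore "$CA" -storepass "$PASS" -alias root \
    -infile "$WORK/intermediate.csr" -outfile "$WORK/intermediate.cer" \
    -validity 3650 -ext bc=ca:true
  # the intermediate entry must hold its signed cert before it can sign anything
  keytool -importcert -noprompt -keystore "$CA" -storepass "$PASS" \
    -alias intermediate -file "$WORK/intermediate.cer"
  # keep only the leaf cert; the chain is imported separately in step 4
  keytool -gencert -rfc -keystore "$CA" -storepass "$PASS" -alias intermediate \
    -infile "$WORK/tomcat.csr" -validity 365 -ext "SAN=dns:$HOST" |
    awk '/BEGIN CERTIFICATE/{n++} n==1' > "$WORK/server.cer"
}

# Step 4: inject the chain into the Tomcat keystore. Order matters: root, then
# intermediate, then the server cert as the *reply* for the existing "tomcat"
# key entry. With only the root present the reply import fails, because
# keytool cannot link leaf -> root without the intermediate.
import_chain() {
  keytool -importcert -noprompt -trustcacerts -keystore "$KS" \
    -storepass "$PASS" -alias root -file "$WORK/root.cer"
  keytool -importcert -noprompt -keystore "$KS" -storepass "$PASS" \
    -alias intermediate -file "$WORK/intermediate.cer"
  keytool -importcert -keystore "$KS" -storepass "$PASS" \
    -alias tomcat -file "$WORK/server.cer"
}

# Check before step 5 (upload): the tomcat entry should report a full chain
# (leaf + intermediate + root = 3). Prints the number keytool reports.
chain_length() {
  keytool -list -v -keystore "$KS" -storepass "$PASS" -alias tomcat |
    sed -n 's/^Certificate chain length: //p'
}

if [ "${1:-}" = "run" ]; then
  create_keystore && create_csr && local_ca_sign && import_chain
  echo "chain length: $(chain_length)  keystore: $KS"
fi
```

Run it as `sh build-keystore.sh run`; the chain-length check is the useful part to keep for a real CA-issued cert, since a keystore whose `tomcat` entry reports a chain length of 1 is the usual reason the browser shows the site as untrusted even though the upload succeeded. The one caveat for this thread: Tomcat's JSSE connector uses the keystore password as the key password unless `keyPass` is set separately in server.xml, so keep the two identical when creating the keystore or the password prompt in the web console will reject a keystore that keytool itself opens fine.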

s_oconnor
New Contributor III

Hey @MTurnerFMRCO

I've been using a pfx file, trying to manually upload on JSS (Tomcat). I know on the server (mac mini), if I follow the file path: JSS -> Tomcat....


There is quite a bit of files under there. One says "TomcatSSLKeystore" the other is "license" both just show as text documents. It looks like that was originally created in 2014.

I found this article earlier: https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate

Minus the part about the keytool, it seems pretty straight forward. I'm guessing it would replace what is in the above folder (Tomcat).

allanp81
Valued Contributor

Might be worth checking your Java config? On our JSS that is hosted on Windows, I had to run the tomcat8w.exe util and make sure that Java settings were pointing at the jdk1.8 java virtual machine. It was set at 1.7 and wouldn't accept our password when trying to upload a signed certificate.

vinny83
New Contributor III

Hi @allanp81, just wanted to say thanks 6 years on from your comment above. I ran into this exact problem with our Windows Jamf Pro server this week. Ended up updating to latest Amazon Corretto Java version and pointed Tomcat to use that version and boom, Jamf Pro let me change the cert.

Nice one!

were_wulff
Valued Contributor II

@sabrina.oconnor

Have you gone to your SSL vendor's site and looked through their KBs for Tomcat installation instructions?

Each vendor's instructions for installing their certificate with Tomcat are usually slightly different, which is why our KB https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate is pretty vague in terms of its instructions.

Your SSL certificate's vendor should have detailed instructions on how to get their cert working with Tomcat, so I'd definitely look there if you haven't already.

Were Wulff
Jamf Support

s_oconnor
New Contributor III

Here is where I'm stuck at now. @MTurnerFMRCO / @were.wulff / @allanp81

I got the .cem back from the CA (after giving them the .csr). We use AlphaSSL as a company. I had to inject the root & intermediate certificate into the .jks file (it was not happy with just the root). Then took that and combined it with the .cem from the CA. All commands from terminal said it worked for each step and was happy.

I then take that .jks file and try to upload it to Tomcat on the JSS URL. I choose HTTPS -> 3rd party -> upload file -> enter password -> it then says to choose the type of certificate, "Tomcat" "intermediate" or "root"

None of the above options work, I always get the following error:


I've edited the server.xml file for Tomcat on the server to match the instructions from the above link. https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate

I'm not sure why it will not accept the .jks file on the webportal. I'm at a loss.

Any ideas/experience with this?

were_wulff
Valued Contributor II

@sabrina.oconnor

I'd suggest using AlphaSSL's instructions for getting Tomcat to use their certificate and seeing if that helps, if the webapp is not accepting either a .jks or a .keystore file on the "Upload Keystore" step.

AlphaSSL's instructions can be found here: https://www.alphassl.com/support/install-ssl/tomcat.html

Were Wulff
Jamf Support

s_oconnor
New Contributor III

@were.wulff

I've tried uploading the root and intermediate cer file to the .jks. Said it was successful. Took that .jks file and tried JSS, no go. Then tried a file where I combined the root and intermediate, same thing, didn't work.

I was following the instructions: https://www.alphassl.com/support/install-root/tomcat.html

On the one you provided, the first two steps do not match. Root shows being injected into the .jks, however the second step is not intermediate. It is not happy without the intermediate file. Also the last step for the server.xml, I've tried comparing what the document has to what is in the file, nowhere in it is anything remotely similar (looked for Connector Classname, factory classname etc). Since it does not exist, not sure if I need to manually enter it or not.

:sigh: I'm so over this whole process.

robby_c137
New Contributor III

@s.oconnor got a link to "Simple SSL"? Searches come up with nothing.

update: jamf support sent it to me. great tool.

Staples_Dennis
New Contributor

@JAMF Support, Could i get that tool also? thanks

ricotan
New Contributor

@JAMF support, could you send me this tool as well?

Thanks.

swapple
Contributor III

What version is the tool up to now? I got it back in 2016

ccsshelpdesk
New Contributor III

Any chance I can get a copy? Since we have uploaded our SSL cert using terminal, all Macs are reporting "The Jamf binary could not connect to the JSS because the web certificate is not trusted."

And even deleting certs and re-adding via trustJSS does not work, or recon or re-enrol. We have even tried removemdmprofile and re-adding still the same issue.

help

jacomaree
New Contributor III

can anyone please send me a link to Simple SSL

CODJamf
New Contributor

Could use some help as well. After successfully adding a GD cert in the Apache Tomcat settings we're getting: "The jamf binary could not connect to the JSS because the web certificate is not trusted."

Not sure what I'm missing.

jose_torres3
New Contributor II

Ditto, can anyone please send me a link to Simple SSL?

cwaldrip
Valued Contributor

Wave... me too?

martenblank
New Contributor III

@JAMF could have use for the tool myself :) thanks!

man6
New Contributor II

@JAMF Support - may I please have the "Simple SSL" tool also? Thanks! :)

discounteggroll
New Contributor III

add me to the list of folks who'd like that simple ssl tool as well =)