Jamf Nation Community

You can just generate a built in certificate from the jamf pro's built in CA (the second option) in your second screenshot, but that's not really advised anymore. Mobile devices won't trust your Jamf server by default, and any modern browser will throw warnings when you try to navigate to your jamf server.

I'd strongly advise following the links @Hugonaut posted, and moving to a 3rd party SSL cert. It's a little scary to do, but if you contact Jamf support they have a 3rd party utility called Simple SSL along with documentation on how to use that. It makes generating and importing the SSL cert really easy. In the long run, the move is well worth it, so I'd suggest taking the time to do this.

@DeployAdam If the built-in certificate is what has been used in the past and that is what exists on the already enrolled device, go ahead and renew that one.

To regenerate the tomcat certificates for "Built-in Certificate Authority" ONLY.

Let's go to Jamf Pro Settings > Apache Tomcat Settings: 1. Click Edit 2. Check "Change the SSL Certificate for HTTPS" and click Next 3. Check "Generate a certificate from the JSS's built-in CA and click Next 4. Click Done

Now we have to restart Tomcat: https://www.jamf.com/jamf-nation/articles/117/starting-and-stopping-tomcat

NOTE: What @float0n mentioned above is correct that Jamf recommends using a 3rd party/globally trusted SSL certificate vs the built in if possible.

Are going to stay with the built in certificate or move to a third party certificate?

Second moving to third party. We use DigiCert and they even coach you through doing a keystore if need be.

I deployed Let's Encrypt to secure our JAMF deploy. Happy to share the recipe.

Thank you all for your response

@ryan will the trust on the iMac clients automatically update themselves without a user accepting them? We have something like 2500 clients which need to keep working ;)

@blackholemac will change this in the near future

@Felipe.hernandez will migrate away from OS X Server for jamf Pro to a Linux environment, then we certainly will move away from the build-in CA

We’re you looking into a clustered environment? Because look at using ha proxy for a load balancer it’s free in a Linux box and then use easy encrypt for your ssl certificate

Sorry l meant let’s encrypt ssl for the ssl certificate

To all, still not bold enough to press the renew button...

will the trust on the iMac clients automatically update themselves without a user accepting them? We have something like 2500 clients which need to keep working

@DeployAdam I can understand the fear involved.

I’ve actually been in your boat and the switch to a third party cert went off without a hitch.

Basically what you are doing is replacing the Tomcat cert on the server. Certs do expire at some point even if you are on a third party one.

I’m assuming you are on self signed now. As long as you are providing a cert that is fully trusted by your server and clients, it doesn’t matter which cert it is the trust will be there.

That is why you would choose a third party signed one that Tomcat and clients both trust. You are just adding an additional new unexpired cert to your existing key store.

You get to decide but you should be fine going third party signed. If you want to confirm, call jamf but you should be good.

I'm in the same boat now and in the middle of device roll out.
If I want to proceed as is for now, can I select option 2: "Generate a certificate from the Jamf Pro's built-in CA" and address this properly when I have some downtime?

We have an SSL through DigiCert that we are having issues renewing because of IP re-routing issue and new "SSL Police" rules.

We have a domain consolidation that we had to work with when we rebuilt our server and made sure we did not have to re-enroll all f our devices.

We are kinda stuck

@kdspatio , would love to see your recipe! I'd like to try LetsEncrypt before paying for a cert. Non-Profit, Edu here.

@kdspatio me too! We've deployed Lets Encrypt, but have some problems renewing it after 3 months...