Updating Built-in CA cert in 9.x?
Posted on 09-27-2013 08:06 AM
So I have just finished moving my JSS and distribution points from OS X to Ubuntu servers.
I also used this opportunity to move from 8.71 to 9.1 and then 9.11. All the settings are modified, everything looks good except for one thing...
My production environment has the hostname oldcasper.domain.org and the new one is just casper.domain.org. Problem is the URI in the CA cert. for PKI still shows the old host.
How do I generate a new one?
Posted on 09-27-2013 08:11 AM
go to the settings area
system settings
apache tomcat settings
delete then create a new one
I think.
Posted on 09-27-2013 08:44 AM
I was working with JAMF Support on a similar issue yesterday. Here's the instructions they gave me:
On your 9.11 JSS, go to JSS >> Settings >> Apache Tomcat Settings >> Edit >> Change the SSL certificate used for HTTPS >> Generate a certificate from the JSS's built-in CA
Once that's done, restart Tomcat to have it load the certificate.
For your clients, you may need to run the following commands after the Tomcat restart to ensure they pick up the new certificate:
sudo jamf manage
sudo jamf recon
Posted on 09-27-2013 11:21 AM
Similar issue when changing the management url and host on 8.71.
Could you please update if these steps are successful.
Posted on 09-27-2013 12:13 PM
I guess I should clarify. I have already got SSL working for the Web interface by getting a public wildcard cert in "Apache Tomcat Settings".
Specifically, I was concerned about the fact that the cert I get if I go to
Global Management > PKI > Download CA Certificate
is one created in 2011 on the old host. :( And there doesn't appear to be any way to create a new one in the GUI. Will send an email to my guy and update here.
Posted on 09-27-2013 12:13 PM
Here are the steps I used to get a new public cert working for the web interface of the JSS. Originally I was following the old doc.
https://jamfnation.jamfsoftware.com/article.html?id=115
without noticing "Versions affected". I figured it wouldn't be a problem though as after setting up the keystore the old way I figured I could just import it via the gui. This didn't work.
So I followed the new procedure
https://jamfnation.jamfsoftware.com/article.html?id=138
But...
1.) it doesn't tell you how to use openssl to generate a key and a CSR and
2.) it doesn't tell you how to get a ca bundle that will work.
Here is what I did. I didn't document all the errors and output etc. because I was getting fairly annoyed at this point... ;)
### Create Keystore and CSR ###
- cd /usr/local/jss/tomcat/
- openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
- get cert from CA and put it somewhere on remote machine
- openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem >> ca-bundle.crt   (PEM only; with the `-text` flag each cert would also get a human-readable decode dumped into the bundle ahead of the PEM block, which keystore tooling may not accept)
- openssl x509 -in DigiCertCA.crt >> ca-bundle.crt
- openssl pkcs12 -export -in star_glenbrook225_org.crt -inkey /usr/local/jss/tomcat/privateKey.key -out jss.p12 -name tomcat -CAfile ca-bundle.crt -caname root -chain
- import into JSS via html GUI
Posted on 09-27-2013 12:20 PM
I was told by support the URI on the built in CA root (which refers to the previous hostname) is not currently used. However I don't feel good about it having the previous host name in this field.
Also I'm not sure how to go about replacing the built in CA root without breaking MDM.
Posted on 09-27-2013 12:32 PM
Interesting...
Posted on 05-22-2014 05:10 PM
We are in a similar situation, and I just discovered this thread. It's not clear how you resolved things. Did you ever find a way to generate a new built-in CA cert?
Posted on 05-22-2014 06:18 PM
We had that issue when we tried changing names on our DEV environment.
Warning!!! Don't do this on a production environment. Test and test everything on a DEV environment first (we had issues with MDM/Configuration Profiles after this change).
This test was done a long time ago on v8.xx, so check with your account manager first and get the recommended steps from them.
https://jamfnation.jamfsoftware.com/discussion.html?id=6487#responseChild33649
Posted on 05-22-2014 06:32 PM
System Settings -> Apache Tomcat Settings -> Edit -> Change the SSL certificate for HTTPS
Posted on 05-22-2014 07:13 PM
@nessts
We are talking about the URI on JSS Built-in Certificate Authority (CA).
Posted on 05-23-2014 11:33 AM
Correct Kumarasinghe.
In our case we backed up our production database and restored it to a new (test) server, so we would have some data to work with. Of course the certs and everything came with it, so that's why I'm looking at this.
Fortunately, since it's a test jss, we have some flexibility to tinker.
Thanks!
Posted on 06-22-2015 08:22 AM
Hi all.
I've hit the same problem mentioned in this post.
I had to rebuild my JSS server from scratch. I restored the MySQL database and now I'd like to reset the internal CA.
In the PKI settings there isn't any option to rebuild it. Do I have to follow THIS procedure (https://jamfnation.jamfsoftware.com/article.html?id=115)?
Thanks to all.
Jack