same SSL certificate for internal and DMZ jss?

mallej
New Contributor III

Hello,
do the certificates for internal and DMZ jss have to be the same?
At the moment our internal jss has only a self-signed certificate and we plan to install a DMZ jss with a Let’s Encrypt certificate.
Because Let’s Encrypt needs to update every 90 days or so and has to talk to the internet, it's not really possible to use the Let’s Encrypt certificate on the internal jss.

So, do the certificates for internal and DMZ jss have to be the same?
Is it ok to use a self-signed certificate for the internal jss and a Let’s Encrypt certificate on the DMZ jss?


davidacland
Honored Contributor II

It depends on the security settings you're using in the JSS. If it's set to require a valid cert (Computer Management > Security > Enable SSL certificate verification), this will stop devices checking in to the internal JSS.

If you have any iOS devices, they will have a problem.

It would be best to have a valid cert on both sides, or to direct all client devices to the DMZ JSS.
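The distinction David draws here (a cert that is "valid" only because the client has been told to trust it, versus one that chains to a public CA) is easy to check before flipping the verification setting. The script below is an added example, not part of this thread and not Jamf's tooling: it creates a throwaway self-signed certificate standing in for the internal JSS, shows that it fails validation against the system trust store (what a client with certificate verification enabled would see), shows that it passes once the cert is explicitly trusted (what pushing it to clients achieves), and checks expiry, which is the concern with the 90-day Let's Encrypt cadence. It assumes the openssl CLI is installed; the hostname jss.internal.example is made up.

```shell
#!/bin/sh
# Added example: client-side view of "Enable SSL certificate verification".
# Assumes the openssl CLI; jss.internal.example is a placeholder name.

WORK=$(mktemp -d)

# Generate a throwaway self-signed cert (stand-in for the internal JSS).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=jss.internal.example" \
        -keyout "$WORK/key.pem" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# Validate the way a verifying client does: against the system CA bundle only.
# Prints "trusted" or "untrusted".
verify_against_system_store() {
    if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Validate with an extra trust anchor ($2), i.e. after the self-signed cert
# has been distributed to clients (for example in a configuration profile).
verify_with_explicit_trust() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Prints "ok" if the cert ($1) is still valid in $2 days, else "expiring".
# Handy as a cron check for a short-lived Let's Encrypt cert on the DMZ side.
expires_within_days() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then echo ok; else echo expiring; fi
}

make_self_signed
echo "system store:   $(verify_against_system_store "$WORK/selfsigned.pem")"
echo "explicit trust: $(verify_with_explicit_trust "$WORK/selfsigned.pem" "$WORK/selfsigned.pem")"
echo "expires <30d:   $(expires_within_days "$WORK/selfsigned.pem" 30)"
```

The first line comes back "untrusted" and the second "trusted": that gap is exactly what the JSS verification setting exposes, and a device that has not received the internal cert as a trust anchor is on the "untrusted" side of it.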

mallej
New Contributor III

Hi David,

yes, we want to have iOS devices.
At the moment our setting is: SSL Certificate Verification: Always except during enrollment

So, from what I understand, the best way for us (using a Let’s Encrypt certificate) would be to use only the DMZ jss for client connections and to leave the internal jss "in the background".
Are there any drawbacks not using both jss (in Split DNS) for device connections?