JSS CA Private Key and SSO

MBruno
New Contributor II

Hello Everyone,

I am having an issue at my company with certain internal web sites using single sign on. When you navigate to the site it attempts to authenticate using a private key stored in the keychain when it should not, and it obviously fails. The private key it's trying to access appears to be assigned from the JSS CA as it has the exact same name as the JSS certificate.

The only way I have found to resolve this is to delete that private key. When I do that the users can log onto the internal sites they need and can authenticate via SSO as intended.

My question is will there be any negative effects for the user if this key is removed? And has anyone had similar issues with sites interfering with certs/keys passed down by the JSS CA?

Thanks in advance.


mrben
New Contributor III

Hi @MBruno,

If your clients are checking into the JSS through a load balancer that handles TLS/SSL then you do not need the key or the CA cert. It's really only used for mutual authentication (client certificates) between endpoints and the JSS. At my current company, we have an ELB in front of the JSS so the CA certificate and private key can be discarded (we have not removed it though some employees have expressed concern about a new CA being installed to their keychain). When you do this, your configuration profiles will no longer appear as "verified" but they will continue to work.

Now, the reason you are seeing these popups on internal sites is because of the configuration of your organization's webserver(s). If the websites are not designed for client authentication, then ask whoever is responsible to disable that option. If the setting is intended and you do not want to mess w/ the JSS-supplied cert/key, there are some command-line options to pin a specific certificate to a domain.
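The "pin a specific certificate to a domain" option mentioned in the reply, as an added example that is not part of the original thread: on macOS the `security set-identity-preference` command records which keychain identity a site should get, so the browser stops offering the JSS-issued identity there. The hostname and certificate common name below are placeholders (assumptions), and the script only validates its inputs before calling `security`.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the macOS `security` CLI.
# Identity preferences are matched by URL (or URL prefix), so the service
# name for a site is built from its hostname.

# Turn a hostname into the https:// service URL used as the preference key.
# Rejects empty names and anything outside the usual hostname characters.
pin_url_for_host() {
    host="$1"
    case "$host" in
        "" | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'https://%s/' "$host"
}

# Record that the identity whose certificate common name is $2 should be
# used for host $1. -s is the service URL, -c the certificate name.
# Example (placeholder values): pin_identity intranet.example.com "Intranet Client Cert"
pin_identity() {
    url=$(pin_url_for_host "$1") || return 1
    cert_name="$2"
    [ -n "$cert_name" ] || return 1
    security set-identity-preference -s "$url" -c "$cert_name"
}

# Show which identity, if any, is currently pinned for host $1.
show_pinned_identity() {
    url=$(pin_url_for_host "$1") || return 1
    security get-identity-preference -s "$url"
}
```

Setting the preference per host leaves the JSS CA certificate and private key in place, so MDM enrollment is unaffected; it only changes which identity the affected site is offered.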