Updating Built-in CA cert in 9.x?

rmanly
Contributor III

So I have just finished moving my JSS and distribution points from OS X to Ubuntu servers.

I also used this opportunity to move from 8.71 to 9.1 and then 9.11. All the settings are modified, everything looks good except for one thing...

My production environment has the hostname oldcasper.domain.org and the new one is just casper.domain.org. Problem is the URI in the CA cert. for PKI still shows the old host.

How do I generate a new one?


nessts
Valued Contributor II

go to the settings area
system settings
apache tomcat settings
delete then create a new one

I think.

rtrouton
Release Candidate Programs Tester

I was working with JAMF Support on a similar issue yesterday. Here's the instructions they gave me:

On your 9.11 JSS, go to JSS >> Settings >> Apache Tomcat Settings >> Edit >> Change the SSL certificate used for HTTPS >> Generate a certificate from the JSS's built-in CA

Once that's done, restart Tomcat to have it to load the certificate.

For your clients, you may need to run the following commands after the Tomcat restart to ensure they pick up the new certificate:

sudo jamf manage
sudo jamf recon

lisacherie
Contributor II

Similar issue when changing the management url and host on 8.71.

Could you please update if these steps are successful.

rmanly
Contributor III

I guess I should clarify. I have already got SSL working for the Web interface by getting a public wildcard cert in "Apache Tomcat Settings".

Specifically I was concerned about the fact that the cert. I get if I go

Global Management > PKI > Download CA Certificate

I get a certificate created in 2011 on the old host. :( And there doesn't appear to be any way to create a new one in the gui. Will send an email to my guy and update here.

rmanly
Contributor III

Here are the steps I used to get a new public cert. working for the web interface of the JSS. Originally I was following the old doc.

https://jamfnation.jamfsoftware.com/article.html?id=115

without noticing "Versions affected". I figured it wouldn't be a problem though as after setting up the keystore the old way I figured I could just import it via the gui. This didn't work.

So I followed the new procedure

https://jamfnation.jamfsoftware.com/article.html?id=138

But...

1.) it doesn't tell you how to use openssl to generate a key and a CSR and
2.) it doesn't tell you how to get a ca bundle that will work.

Here is what I did. I didn't document all the errors and output etc. because I was getting fairly annoyed at this point... ;)

### Create Keystore and CSR ###

  • cd /usr/local/jss/tomcat/
  • openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • get cert from CA and put it somewhere on remote machine
  • openssl x509 -text -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem >> ca-bundle.crt
  • openssl x509 -text -in DigiCertCA.crt >> ca-bundle.crt
  • openssl pkcs12 -export -in star_glenbrook225_org.crt -inkey /usr/local/jss/tomcat/privateKey.key -out jss.p12 -name tomcat -CAfile ca-bundle.crt -caname root -chain
  • import into JSS via html GUI
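The same keystore procedure, rehearsed end to end as an added example (not rmanly's commands and not Jamf's): a throwaway root and intermediate are constructed inline to stand in for the public CA, the JSS hostname casper.example.org and the PKCS#12 password are assumed, and the bundle is written as plain PEM (intermediate first, then root) rather than with `-text`, so the chain can be verified before anything is imported into Tomcat.

```shell
#!/bin/sh
# Added example: dry-run of key + CSR, CA bundle and PKCS#12 export, then chain checks.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Constructed stand-in CA (root + intermediate) so this runs offline.
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.crt >/dev/null 2>&1

# 2. The step from the thread: server key + CSR (hostname assumed); the CA signs it.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=casper.example.org" \
  -keyout privateKey.key -out CSR.csr >/dev/null 2>&1
openssl x509 -req -in CSR.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -out server.crt >/dev/null 2>&1

# 3. CA bundle as plain PEM: intermediate first, then root.
cat inter.crt root.crt > ca-bundle.crt

# 4. PKCS#12 carrying the leaf plus the chain (password is a constructed placeholder).
openssl pkcs12 -export -in server.crt -inkey privateKey.key -out jss.p12 \
  -name tomcat -CAfile ca-bundle.crt -caname root -chain -passout pass:changeit

# Returns 0 when the leaf verifies against the bundle and the .p12 holds all 3 certs.
verify_chain() {
  openssl verify -CAfile ca-bundle.crt server.crt >/dev/null 2>&1 || return 1
  n="$(openssl pkcs12 -in jss.p12 -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')"
  [ "$n" -eq 3 ]
}
verify_chain && echo "chain OK: $WORK/jss.p12 ready to import"
```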

lisacherie
Contributor II

I was told by support the URI on the built in CA root (which refers to the previous hostname) is not currently used. However I don't feel good about it having the previous host name in this field.

Also I'm not sure how to go about replacing the built in CA root without breaking MDM.

rmanly
Contributor III

Interesting...

lastdanstanding
New Contributor III

We are in a similar situation, and I just discovered this thread. It's not clear how you resolved things. Did you ever find a way to generate a new built-in CA cert?

Kumarasinghe
Valued Contributor

We had that issue when we tried changing names on our DEV environment.

Warning!!! Don't do this on a production environment. Test and test everything on a DEV environment first (we had issues with MDM/Configuration Profiles after this change).
This test was done a long time ago on v8.xx, so check with your account manager first and get the recommended steps from them.

https://jamfnation.jamfsoftware.com/discussion.html?id=6487#responseChild33649

nessts
Valued Contributor II

System Settings -> Apache Tomcat Settings -> Edit -> Change the SSL certificate for HTTPS

Kumarasinghe
Valued Contributor

@nessts
We are talking about the URI on JSS Built-in Certificate Authority (CA).

lastdanstanding
New Contributor III

Correct Kumarasinghe.

In our case we backed up our production database and restored it to a new (test) server, so we would have some data to work with. Of course the certs and everything came with it, so that's why I'm looking at this.

Fortunately, since it's a test jss, we have some flexibility to tinker.

Thanks!

jacopo_pulici
Contributor

Hi all.
I've hit the same problem mentioned in this post.
I had to rebuild my JSS server from scratch. I restored the MySQL database and now I'd like to reset the internal CA.
In the PKI settings there isn't any option to rebuild it. Do I have to follow [THIS](https://jamfnation.jamfsoftware.com/article.html?id=115) procedure?
Thanks to all.

Jack