EDU Profile Installation Error for Incorrect Certificate Password

Symptoms

For Jamf Pro on-premise environments with installations of OpenJDK 11.0.12 or later, the EDU profile installation may fail when pushing an EDU profile to devices (PI-010141). The EDU profile command fails with the following reason: "The password for the certificate "(null)" is incorrect."

Solution

Because OpenJDK 11.0.12 changed the default encryption used for PKCS12 identities, you must set the -Dkeystore.pkcs12.legacy system property in JAVA_OPTS so that the identities use encryption that is supported on macOS and iOS.

Configuring the JAVA_OPTS System Property for Linux Using the System Command Line

  1. If you used the Jamf Pro Installer to install Jamf Pro, create a backup copy of the file that contains the Tomcat memory settings by executing the following command using the Linux command prompt:
    sudo cp /usr/local/jss/tomcat/bin/setenv.sh /usr/local/jss/tomcat/bin/setenv_backup.sh
  2. Open the file that contains the Tomcat memory settings.
    • If you used the Jamf Pro Installer to install Jamf Pro, execute: sudo nano /usr/local/jss/tomcat/bin/setenv.sh

    • If you did not use the Jamf Pro Installer to install Jamf Pro, create the setenv.sh file in the following location: /usr/local/jss/tomcat/bin/

  3. Append the JAVA_OPTS environment variable to the bottom of the setenv.sh file. For example: JAVA_OPTS="-Dkeystore.pkcs12.legacy"
    Note: Custom settings will persist after performing an upgrade.

  4. Save and close the file by pressing Control-O, and then Control-X.
  5. Restart Tomcat. The changes will take effect after Tomcat restarts.

    For instructions on how to restart Tomcat, see the Starting and Stopping Tomcat article.
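
Steps 1 through 3 above as a re-runnable shell function, added here as an example and not part of the original article or Jamf's tooling. The function name `enable_pkcs12_legacy` and its path argument are assumptions; the appended line keeps any `JAVA_OPTS` value set earlier in the file, unlike the literal example in step 3.

```shell
#!/bin/sh
# Added example: idempotently apply Linux steps 1-3 to a setenv.sh file.
# The function name and its argument are assumptions of this example.

LEGACY_FLAG='-Dkeystore.pkcs12.legacy'

# Usage (as root): enable_pkcs12_legacy /usr/local/jss/tomcat/bin/setenv.sh
# Prints "updated" or "unchanged"; returns non-zero on failure.
enable_pkcs12_legacy() {
    setenv_file=$1
    if [ -z "$setenv_file" ]; then
        echo "usage: enable_pkcs12_legacy <path-to-setenv.sh>" >&2
        return 2
    fi
    # setenv.sh -> setenv_backup.sh, the backup name used in step 1.
    backup_file="${setenv_file%.sh}_backup.sh"

    # Already configured: do nothing, so repeated runs never stack duplicates.
    # Comment lines are skipped so a commented-out flag does not count.
    if [ -f "$setenv_file" ] &&
       grep -v '^[[:space:]]*#' "$setenv_file" | grep -qF -- "$LEGACY_FLAG"; then
        echo "unchanged"
        return 0
    fi

    if [ -f "$setenv_file" ]; then
        # Step 1: back up the existing file, preserving mode and timestamps.
        cp -p "$setenv_file" "$backup_file" || return 1
    else
        # Step 2, second bullet: no installer-created file, so create it.
        : > "$setenv_file" || return 1
    fi

    # Step 3: append at the bottom of the file. Referencing $JAVA_OPTS keeps
    # options set earlier in setenv.sh instead of replacing them.
    printf '\nJAVA_OPTS="$JAVA_OPTS %s"\n' "$LEGACY_FLAG" >> "$setenv_file" || return 1
    echo "updated"
}
```

Tomcat still has to be restarted afterwards, as in step 5.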

Configuring the JAVA_OPTS System Property for Windows Using the Tomcat Monitor Application

  1. Open the Tomcat monitor application, located at: C:\Program Files\JSS\Tomcat\bin\tomcat8w.exe
  2. In the Apache Tomcat 8.5 Properties window, click the Java tab.
  3. In the Java Options field, append "-Dkeystore.pkcs12.legacy" to the existing text, and then click Apply.
  4. Click the General tab, and then click the Stop and Start buttons to restart Tomcat and apply the changes.