Renewing the Jamf Pro JSS Built-In Certificate Authority (CA)
(On-premise environments only) Jamf recommends using a publicly trusted SSL/TLS certificate for Tomcat. If your Tomcat SSL/TLS certificate was issued by Jamf Pro's built-in certificate authority (CA), you must transition to a trusted certificate before renewing the built-in CA; otherwise you will lose MDM communication with enrolled iOS devices. To move from an SSL/TLS certificate issued by the built-in CA to one issued by a third-party CA, see the Enabling SSL on Tomcat with a Public Certificate article.
If you cannot use a third-party Tomcat SSL/TLS certificate in your environment, contact Jamf Support for assistance before renewing the CA.
Jamf Pro 10.23.0 or later
- In Jamf Pro, click Settings in the top-right corner of the page.
- In the Global section, click PKI certificates.
- Click a number in the All column. A list of corresponding certificates will be displayed.
- Click the certificate with the "Jamf Pro JSS Built-in Certificate Authority" subject to view the certificate details.
- Click Renew and confirm the renewal.
- (Optional) Verify the new expiration date.
- Refresh the page. The renewal status is displayed in Jamf Pro Notifications and an email is sent if email notifications are enabled for your account.
When the built-in CA renewal fails, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA (for example, Jamf Pro cannot communicate with managed computers or mobile devices), contact Jamf Support.
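The two checks worth scripting before you click Renew are the ones the warnings above turn on: whether the certificate Tomcat actually presents was issued by the built-in CA, and how long it has left. The following is an added example, not Jamf's own code. It uses only the Python standard library; the CA subject marker "JSS Built-in Certificate Authority", the default port 8443, the host name jamf.example.com and the sample certificate dictionaries are assumptions constructed for illustration (the real CA common name may differ slightly from what the console displays, so the match is on a substring).

```python
"""Pre-flight check before renewing the Jamf Pro built-in CA (added example).

Answers two questions from the procedure above for the certificate Tomcat
presents on the Jamf Pro HTTPS port:
  1. Is it issued by the built-in CA?  (If yes, renewing the CA breaks MDM
     communication with enrolled iOS devices; move to a trusted cert first.)
  2. How many days until it expires?
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: substring of the built-in CA's subject CN. The console shows
# "Jamf Pro JSS Built-in Certificate Authority"; match loosely on this part.
BUILTIN_CA_MARKER = "JSS Built-in Certificate Authority"


def rdn_value(name, attr):
    """First value of `attr` in a name as returned by getpeercert():
    a tuple of RDNs, each RDN a tuple of (attribute, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issued_by_builtin_ca(cert):
    """True when the issuer CN identifies the Jamf built-in CA."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName") or ""
    return BUILTIN_CA_MARKER.lower() in issuer_cn.lower()


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def preflight(cert, now=None):
    """Return (ok, message); ok is False when renewing the CA now is unsafe."""
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    days = days_until_expiry(cert, now)
    if issued_by_builtin_ca(cert):
        return False, (f"{subject_cn} is issued by '{issuer_cn}': move Tomcat to a "
                       f"publicly trusted certificate before renewing the built-in CA")
    if days < 0:
        return False, f"{subject_cn} expired {-days} day(s) ago"
    return True, f"{subject_cn} issued by '{issuer_cn}', expires in {days} days"


def fetch_server_cert(host, port=8443, extra_ca_pem=None):
    """Fetch and parse the certificate Tomcat presents.

    getpeercert() only returns the parsed dict when validation succeeds, so to
    inspect a certificate issued by the built-in CA pass that CA's PEM as
    extra_ca_pem (downloadable from the PKI certificates page). The system
    trust store stays loaded, so a publicly trusted certificate works too."""
    ctx = ssl.create_default_context()
    if extra_ca_pem:
        ctx.load_verify_locations(extra_ca_pem)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the exact shape getpeercert() returns (no real server).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_BUILTIN_ISSUED = {
    "subject": ((("commonName", "jamf.example.com"),),),
    "issuer": ((("commonName", "JSS Built-in Certificate Authority"),),),
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "jamf.example.com"),),),
    "issuer": ((("commonName", "R3"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Mar 15 00:00:00 2025 GMT",
}
SAMPLE_EXPIRED = {
    "subject": ((("commonName", "jamf.example.com"),),),
    "issuer": ((("commonName", "R3"),),),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: preflight.py HOST [PORT] [BUILTIN_CA.pem]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
        ca_pem = sys.argv[3] if len(sys.argv) > 3 else None
        cert = fetch_server_cert(sys.argv[1], port, ca_pem)
        ok, msg = preflight(cert)
    else:
        ok, msg = preflight(SAMPLE_BUILTIN_ISSUED, SAMPLE_NOW)
    print(("OK: " if ok else "STOP: ") + msg)
```

Run it against the server with `python3 preflight.py jamf.example.com 8443 builtin-ca.pem`; a STOP verdict means the Tomcat certificate must be replaced with a trusted one before the CA is renewed. Without arguments it evaluates the constructed sample, which is the built-in-CA case and therefore reports STOP.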
Automatic Renewal of MDM Profiles
The validity period of the CA certificate displayed on mobile devices does not update after the MDM profile is renewed following a CA certificate renewal. This is a display issue that does not affect functionality. Jamf recommends that you view all CA certificate information in Jamf Pro, including the validity period.
To monitor which MDM profiles are not renewed, Jamf recommends that you create a smart computer or mobile device group and set the MDM Profile Renewal Needed – CA Renewed search criteria value to Yes.
For more information, see MDM Profile Settings in the Jamf Pro Documentation.
Further considerations
- Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a CSR that was signed by the CA. These certificates may need to be re-issued.
The affected integrations may include:
- HTTPS file share distribution point configuration
- Signing custom configuration profiles
- SCCM (System Center Configuration Manager) plugin
- When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing EDU profiles to be redistributed. This may increase network traffic.