As part of the release of Jamf Pro 10.30, the following entry was added to the Deprecations section of the Jamf Pro Release Notes:

Functionality to issue the Tomcat SSL/TLS certificate from Jamf Pro’s built-in certificate authority - Jamf Pro’s functionality to issue the Tomcat SSL/TLS certificate from the JSS built-in certificate authority (CA) will be discontinued in a future release of Jamf Pro. The release version for this change has not been determined. Before this change occurs, it is recommended that all on-premise Jamf Pro instances leveraging this functionality switch to a publicly trusted third-party CA to issue the Tomcat SSL/TLS certificate. This will prevent the potential loss of MDM communication from Jamf Pro to enrolled devices. If needed, a Tomcat SSL/TLS server certificate for Jamf Pro may be issued from an internal certificate authority. The JSS built-in CA will maintain its current ability to manually issue server certificates to other servers.

For shops which use Jamf Pro’s built-in certificate authority to create the SSL certificate used by the Tomcat web application, this means that at some point in the near(ish) future, you will need to plan to use a certificate for your Jamf Pro server which is no longer being issued by your Jamf Pro server’s built-in certificate authority. For more details, please see below the jump.

As part of the deprecation notes, Jamf recommends a switch to a publicly trusted certificate for Tomcat. One way to get those is to use the Let’s Encrypt certificate authority. This is a free service which will issue publicly trusted certificates that are valid for 90 days before needing to be renewed.

While Jamf Pro does not natively include functionality for using and renewing Let’s Encrypt-issued certificates, there is at least one script available on GitHub for using Let’s Encrypt certificates with a Jamf Pro server:

I’ve been using this script on a development Jamf Pro server myself for over a year and it works pretty well with the host OS (CentOS 7.x). The script renews the certificate with Let’s Encrypt’s certificate authority on a scheduled basis and automatically updates the Java keystore with the new certificate for Tomcat to detect and use. Tomcat needs to be restarted as part of the renewal process because the certificate in the Java keystore is being changed out for the new certificate, but the script handles that as well.

I’ve also leveraged the same Let’s Encrypt-issued certificate to provide an Apache-hosted HTTPS local distribution point for this server. In this case, Apache has been configured with the filesystem path of the Let’s Encrypt certificate files and is able to use them without additional importing into Java or other services.

Digital certificates are starting to take over as the preferred method of network authentication because of their proven superiority to passwords in security and user experience. Many organizations want to migrate to the cloud to start implementing certificate-based solutions, but Microsoft AD environments are having a hard time making the transition. The key to widespread implementation is using the best practices for AD CS configuration available to easily and securely enroll certificates onto devices. Different types of devices require different methods of enrollment, including BYODs and Managed Devices. If you would like to learn more about AD CS, this article provides detailed explanations on the topic. Many admins looking to transition to Azure are unsure how to implement a PKI in the cloud, or if it’s even possible. Microsoft AD CS won’t work without the on-premise Active Directory. Luckily, with SecureW2 you can easily set up your own cloud PKI without needing to overhaul your entire network infrastructure.
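The renewal flow the post describes (renewed Let’s Encrypt PEM files go into the Java keystore, Tomcat is restarted, Apache reads the PEM files directly) can be wired up as a certbot deploy hook. The script below is an added example written for this page; it is not the GitHub script the post refers to and not Jamf’s code. The keystore path /usr/local/jss/tomcat/keystore, the alias tomcat, the systemd unit name jamf.tomcat8 and the JSS_KEYSTORE_PASS environment variable are assumptions, not values from the post. It adds two checks the post does not mention: the renewed certificate must actually belong to the private key next to it, and it must not already be near expiry, so a bad renewal cannot replace a working keystore and cut off MDM communication.

```shell
#!/bin/sh
# Added example, not the GitHub script the post refers to: a certbot deploy hook
# that installs a renewed Let's Encrypt certificate into the Jamf Pro Tomcat
# keystore and restarts Tomcat. Paths, alias, service name and password source
# below are assumptions for illustration.
set -eu

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<host>) to deploy hooks.
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/jamf.example.com}"
KEYSTORE="${JSS_KEYSTORE:-/usr/local/jss/tomcat/keystore}"   # assumed Jamf Pro keystore path
KEYSTORE_PASS="${JSS_KEYSTORE_PASS:-changeit}"                # assumed; supply via environment
KEY_ALIAS="${JSS_KEY_ALIAS:-tomcat}"                          # assumed alias used by Tomcat's connector
TOMCAT_SERVICE="${JSS_TOMCAT_SERVICE:-jamf.tomcat8}"          # assumed systemd unit name

# Return 0 when the public key in certificate $1 is the one belonging to private key $2.
# Importing a mismatched pair would leave Tomcat unable to serve TLS after the restart.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null || true)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the (first) certificate in $1 is still valid for at least $2 more days.
valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Convert the PEM chain and key to PKCS12, import it into a copy of the keystore,
# then move the copy into place so a half-written keystore is never left behind.
install_into_keystore() {
  chain="$1"; key="$2"
  work=$(mktemp -d)
  openssl pkcs12 -export -in "$chain" -inkey "$key" -name "$KEY_ALIAS" \
    -out "$work/bundle.p12" -passout "pass:$KEYSTORE_PASS"
  cp "$KEYSTORE" "$work/keystore.new"
  # The old entry under the same alias must go first; keytool will not overwrite it.
  keytool -delete -alias "$KEY_ALIAS" -keystore "$work/keystore.new" \
    -storepass "$KEYSTORE_PASS" >/dev/null 2>&1 || true
  keytool -importkeystore -noprompt \
    -srckeystore "$work/bundle.p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
    -destkeystore "$work/keystore.new" -deststorepass "$KEYSTORE_PASS" \
    -alias "$KEY_ALIAS" -destkeypass "$KEYSTORE_PASS"
  cp -p "$KEYSTORE" "$KEYSTORE.bak"          # keep the previous keystore for rollback
  mv "$work/keystore.new" "$KEYSTORE"
  rm -rf "$work"
}

deploy() {
  chain="$LIVE_DIR/fullchain.pem"
  key="$LIVE_DIR/privkey.pem"
  cert_matches_key "$chain" "$key" || { echo "certificate/key mismatch in $LIVE_DIR" >&2; exit 1; }
  valid_for_days "$chain" 30 || { echo "renewed certificate expires within 30 days" >&2; exit 1; }
  install_into_keystore "$chain" "$key"
  # Tomcat reads the keystore only at startup, so a restart is required for the new
  # certificate to be served. Apache reads the PEM files directly and only needs a reload.
  systemctl restart "$TOMCAT_SERVICE"
  systemctl reload httpd 2>/dev/null || true
}

# Perform the deployment only when invoked as: jamf-le-deploy.sh deploy
case "${1:-}" in deploy) deploy ;; esac
```

Register it with certbot as `certbot renew --deploy-hook '/usr/local/sbin/jamf-le-deploy.sh deploy'` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/) and certbot will run it only on the runs that actually produced a new certificate, which is what keeps Tomcat from being restarted on every scheduled check.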