@astrugatch Thanks for pointing us to JAMF as example for CA/cert management with clients. It’s been a while but I had this on my list of things to do/check and now I got to it.
JAMF can be setup to use different CAs/certs: https://docs.jamf.com/10.0.0/jamf-pro/administrator-guide/PKI_Certificates.html
That page led me to the so called Simple Certificate Enrollment Protocol (SCEP) which does handle some of the things that come with certificates. But the initial problem of establishing a CA trust is still the same - described in section 5.5:
Before any transaction begins, end entities have to get the CA (and possibly RA) certificate(s) first. Since the requester may have no CA certificates or CA public keys at all, this message can not be encrypted and the response must be authenticated by out-of-band means.
[…]
If the requester does not have a certificate path to a trusted CA certificate, this fingerprint may be used to verify the certificate, by some positive out-of-band means, such as a phone call.
Let’s assume the situation where the clients already trust the built-in self-signed FOG server certificate. We could use that to establish a trusted communication channel and send the new CA certificate to the clients and tell them to install and trust it. Definitely a possible route. But what about clients that are switched off at that moment? We would need allow clients to use both CA trusts over a period of time till all of them have moved to the new one. This is definitely possible but complex to implement and I wouldn’t find the time although I find it interesting and challenging.
Trying to digg a little deeper if and how JAMF has solved the above mentioned trust problem when moving from one CA to another I found those notes in the manual:
Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.
and
Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is recommended that you contact your Jamf account representative. Changes to the PKI could lead to re-enrolling the mobile devices in your environment.
Now let’s look at the other situation where no clients have been pinned to the FOG server yet. If you re-compile the client to check on a different name in the CA cert you can happily use external CA certs without an issue.
