Jim Zajkowski

Creating GSX SSL keys for Jamf with OpenSSL

Aug 17, 2023

GSX’s API requires authentication via an Apple-signed client SSL certificate. Jamf has an automatic CSR generator, but it’s valuable to do these steps with openssl instead: you get a backup of the key and get experience with generating certificate requests by hand.

Before you start, collect your Sold To number from GSX, including all the leading zeros.

Open Terminal and follow these steps to create a certificate request:

    mkdir ~/gsx-certs; cd ~/gsx-certs

    # generate a key pair
    openssl genrsa -aes256 -out gsx-key.pem 2048
    # enter a passphrase for the key when prompted

    # now generate a certificate request with the key
    openssl req -new -sha256 -key gsx-key.pem -out gsx.csr

    # fill in the following fields:
    # - Passphrase used in earlier step
    # - Country code (2 letters), e.g., US
    # - State or Province (full name), e.g., Michigan
    # - City or locality (full name), e.g., Ann Arbor
    # - Company name (cannot be Apple), e.g., WidgetCorp
    # - Common Name (fully qualified host name) in format:
    #     AppleCare-Partner-XXXXXXXXXX.Prod.apple.com,
    #     where XXXXXXXXXX is your company or organization's Apple-assigned
    #     Sold To number, including leading zeros
    # - Your email address
    # - Challenge password can be blank

E-mail the gsx.csr file to GSX’s web services team, gsxws@apple.com. Also note that Apple needs to specifically allow-list your IP addresses, so provide any egress addresses your Jamf instance will use. In a day or so you will get back a pem file.

You now need to combine the pem file from Apple with the gsx-key.pem file. Drop Apple's pem file into the gsx-certs folder in your home directory, then open Terminal and run:

    openssl pkcs12 -export \
       -in AppleCare-Partner-[digits].Prod.apple.com.cert.pem \
       -inkey gsx-key.pem \
       -out jamf-gsx.p12

When openssl asks for an export password, don’t use an overly complicated one; Jamf may hiccup.

You then just need to upload the new jamf-gsx.p12 file to Jamf’s GSX integration.
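Two checks worth scripting around the steps above, as an added example that is not part of the original post: confirm the CSR's Common Name carries the full Sold To number before e-mailing it, and confirm the returned certificate belongs to gsx-key.pem before building the .p12. The function names, the KEY_PASS environment variable, the Sold To number 0000012345 and the self-signed certificate standing in for Apple's are all assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. KEY_PASS is an assumed
# environment variable that holds the private key's passphrase.

# SHA-256 of the public key inside a key, CSR or certificate; fails on error.
pubkey_hash() (  # usage: pubkey_hash key|csr|cert FILE
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    pub= ;;
  esac
  [ -n "$pub" ] || exit 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# True when both files carry the same public key.
same_key() (  # usage: same_key TYPE1 FILE1 TYPE2 FILE2
  a=$(pubkey_hash "$1" "$2") && b=$(pubkey_hash "$3" "$4") && [ "$a" = "$b" ]
)

# True when the CSR's Common Name is the GSX form for this Sold To number.
csr_cn_ok() (  # usage: csr_cn_ok CSR SOLD_TO
  cn=$(openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
       sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "AppleCare-Partner-$2.Prod.apple.com" ]
)

# Constructed sample material: throwaway keys, a made-up Sold To number and a
# self-signed certificate standing in for the one Apple sends back.
make_demo() (  # usage: make_demo DIR
  cd "$1" || exit 1
  subj="/C=US/ST=Michigan/L=Ann Arbor/O=WidgetCorp"
  subj="$subj/CN=AppleCare-Partner-0000012345.Prod.apple.com"
  for k in gsx-key.pem other-key.pem; do
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$k" 2048 2>/dev/null
  done
  openssl req -new -sha256 -key gsx-key.pem -passin env:KEY_PASS \
    -subj "$subj" -out gsx.csr
  openssl req -new -x509 -key gsx-key.pem -passin env:KEY_PASS \
    -subj "$subj" -days 1 -out cert.pem
)

export KEY_PASS=constructed-demo-passphrase
demo_dir=$(mktemp -d) && make_demo "$demo_dir" && cd "$demo_dir" || exit 1
csr_cn_ok gsx.csr 0000012345           && echo "CSR common name is correct"
same_key key gsx-key.pem csr gsx.csr   && echo "CSR was made from gsx-key.pem"
same_key key gsx-key.pem cert cert.pem && echo "certificate matches gsx-key.pem"
same_key key other-key.pem cert cert.pem || echo "other-key.pem does not match"
```

Against real files, export KEY_PASS with the key's passphrase and call `same_key key gsx-key.pem cert` followed by the certificate file Apple returned; a mismatch means the .p12 would pair the certificate with the wrong key.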

Hope that helps!