How to implement JEA v2 profile with company PKI

Marek Meres
Tera Expert

Hello Community,

We want to use JEA for Windows discovery following KB0965705 (Microsoft JEAv2 Profiles for Discovery), but instead of using self-signed certificates we need to use company PKI (to be built).

Our PKI SME told us we will need to create .csr from the MID server (so the subject CN=<name_of_MID_server>) which will be then used to issue a certificate by the PKI (so the Issuer will be the Issuing CA of the PKI).

I understand we will need to change the "retrieveSigningCert" function in the "JEAUtils.psm1" script on the MID server and also "initJEASession" in the "init1.ps1" script being part of the JEA profile to reflect these changes, but...

The whole concept requires the public key to be distributed to the target Windows servers, while our PKI SME told us this should not happen as all Windows servers will trust the MID server automatically.

I would appreciate some guidelines / help / experience on implementing the above KB with company PKI.

Thanks in advance!
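As an added example (not from the original post, the ServiceNow KB, or the MID server scripts), here is a PowerShell check a defender could run on a target Windows server to see whether a MID server's PKI-issued signing certificate is already trusted there, which is exactly the question of whether manual distribution is needed. The MID server name used as CN and the path to the signed profile script are assumed placeholders.

```powershell
# Added example, not from the original post or the ServiceNow KB.
# Checks on a target Windows server whether the signing certificate on a JEA
# profile script chains to already-trusted CAs and whether the signer is a
# trusted publisher. Both inputs are assumed placeholders.
param(
    [string]$MidServerName = 'MIDSERVER01',      # assumed CN of the MID server
    [string]$SignedScript  = 'C:\JEA\init1.ps1'  # assumed path to the signed script
)

# 1. Read the Authenticode signature on the profile script.
$sig = Get-AuthenticodeSignature -FilePath $SignedScript
"Signature status : $($sig.Status)"
if (-not $sig.SignerCertificate) { throw "Script is not signed." }
$cert = $sig.SignerCertificate
"Signer           : $($cert.Subject)  issued by $($cert.Issuer)"

# 2. Confirm the subject is the expected MID server and that the issuing CA
#    included the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
if ($cert.Subject -notmatch "CN=$MidServerName") {
    Write-Warning "Subject does not match expected CN=$MidServerName"
}
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3'
"Code Signing EKU : $hasCodeSigning"

# 3. Build the chain against this machine's own trust stores. This succeeds
#    only if the issuing and root CAs are already trusted here (for example,
#    published through Active Directory); that is what removes the need to
#    copy the leaf certificate to every target for chain validation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)
"Chain builds     : $chainOk"
foreach ($s in $chain.ChainStatus) {
    Write-Warning "Chain: $($s.Status) - $($s.StatusInformation)"
}

# 4. A valid chain is not the same as publisher trust: under the AllSigned
#    execution policy PowerShell also expects the signer in TrustedPublisher
#    (and not in Disallowed), so report that separately.
$inTrustedPub = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $cert.Thumbprint
"Trusted publisher: $([bool]$inTrustedPub)"
"Execution policy : $(Get-ExecutionPolicy)"
```

If step 3 succeeds but step 4 reports no trusted publisher, the chain is trusted yet the signer still may need to be published to the TrustedPublisher store depending on the execution policy in force.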

1 ACCEPTED SOLUTION

ServiceNow Tec2
Mega Sage
This has been resolved by ServiceNow Technical Support. Please refer to KB0965705 (HI login required) for more information.

6 REPLIES

Hi @ServiceNow Technical Support,

could you maybe elaborate a little bit on how the KB resolves the issues or provides an answer? We are facing the same issue (or a very similar one), and re-reading KB0965705 doesn't really help. If we are using our PKI, the assumption in my team is that we don't need to 'manually' deploy the certs to all target systems, as the endpoint should trust the code-signing certs implicitly. Yet the KB is silent on that; implicitly it requires an explicit deployment of the certs, which is obviously less desirable.

Thanks,

Christian

jimmillet
Mega Guru

The KB KB0965705 is very light on step by step instructions when using "company PKI" certificate. Please provide more detail.