How to implement JEA v2 profile with company PKI

Marek Meres · ‎07-01-2022

Hello Community,

We want to use JEA for windows discovery following KB0965705 (Microsoft JEAv2 Profiles for Discovery) but instead of using self-signed certificates we need to use company PKI (to be built).

Our PKI SME told us we will need to create .csr from the MID server (so the subject CN=<name_of_MID_server>) which will be then used to issue a certificate by the PKI (so the Issuer will be the Issuing CA of the PKI).

I understand we will need to change the "retrieveSigningCert" function in the "JEAUtils.psm1" script on the MID server and also "initJEASession" in the "init1.ps1" script being part of the JEA profile to reflect these changed but...

The whole concept requires the public key to be distributed to the target windows servers while our PKI SME told us this should not happen as all Windows servers will trust MID server automatically.

I would appreciate some guidelines / help / experience on implementing the above KB with company PKI.

Thanks in advance!

ServiceNow Tec2 · ‎07-25-2022

This has been resolved by ServiceNow Technical Support. Please refer to KB0965705 (HI login required) for more information.

View solution in original post

Christian Probs · ‎07-27-2022

Hi @ServiceNow Technical Support ,

could you maybe elaborate a little bit how the KB resolves the issues or provides an answer? We are facing the same issue (or a very similar one) and re-reading KB0965705 - doesn't really help. If we are using our PKI, the assumption in my team is that we don't need to 'manually' deploy the certs to all target systems as the endpoint should trust the code-signing certs implicitly. Yet the KB is silent on that - implicitly it requires an explicit deployment of the certs which is obviously less desirable.

Thanks,

Christian

jimmillet · ‎02-13-2025

The KB KB0965705 is very light on step by step instructions when using "company PKI" certificate. Please provide more detail.