Solved

Configuration Profile Deployed Certificate Trust Levels?

  • March 14, 2012
  • 8 replies

bentoms

Hi All,

We're looking at deploying our root CA cert and various other certs signed by this cert via Configuration Profile to our Lion clients.

Is there any way to set the trust level, or is something like the below needed post profile deployment? If so, how do you handle this?

/usr/bin/security add-trusted-cert -d -r trustRoot -k

Best answer by jhbush

8 replies

  • Contributor
  • March 14, 2012

Ran into the same issue as a total Mac n00b. I struggled with scripting the command to get them into System Root, so I ended up manually putting the roots in the image and creating a separate "Corporate" keychain for the intermediate CAs, and push that as a package.

Works well as long as I don't have to add a new root CA! ;-)


bentoms
  • Author
  • Hall of Fame
  • March 14, 2012

Emil, there's a script in the Resource Kit called importCert.sh that will help with the import.

It's a shame that with configuration profiles we also need to do this.


jhbush
  • Esteemed Contributor
  • Answer
  • March 15, 2012

I just build a configuration profile with iPCU, adding my trusted certificates exported from the Local Administrator account and trusted under it. I then use /usr/bin/profiles -I -F /tmp/mycompany.mobileconfig as a postflight script to install the profile. When these are installed at imaging time they come into the System keychain fully trusted. Thanks for pointing out that other script, I totally forgot that one.
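The profile jhbush describes building in iPCU is a plain XML plist, so it can also be generated from PEM files in a script. The following is an added example, not code from the thread or from iPCU: it takes PEM-encoded certificates, puts each root into a com.apple.security.root payload (the payload type a root certificate gets when exported from a trusted keychain entry) and each intermediate into a com.apple.security.pkcs1 payload, sets PayloadScope to System so that installing it with profiles -I -F lands the certificates in the System keychain, and then parses its own output to report what would be installed and which entries would be trusted as roots. The organisation identifier, display names and the two sample certificates are constructed placeholders; the sample "DER" is only a SEQUENCE tag followed by filler, not a real certificate, so the script runs offline.

```python
"""Generate a .mobileconfig that installs CA certificates into the System keychain.

Added example (not from the thread). Install the result on a Mac with:
    sudo /usr/bin/profiles -I -F corporate-ca.mobileconfig
"""
import base64
import plistlib
import re
import uuid

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Payload types Apple uses for certificate payloads: roots are trusted when the
# profile is installed at system scope, pkcs1 payloads are just installed.
PAYLOAD_TYPE = {
    "root": "com.apple.security.root",
    "intermediate": "com.apple.security.pkcs1",
}


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        # Every X.509 certificate is an ASN.1 SEQUENCE; reject base64 garbage.
        if not der.startswith(b"\x30"):
            raise ValueError("decoded block is not a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    return ders


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block (used to build sample input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def cert_payload(name, der, role, org_id):
    """One certificate payload dictionary; role is 'root' or 'intermediate'."""
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": PAYLOAD_TYPE[role],
        "PayloadVersion": 1,
        "PayloadIdentifier": "%s.cert.%s" % (org_id, payload_uuid),
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": name.replace(" ", "_") + ".cer",
        "PayloadContent": der,  # bytes are written as a <data> element
    }


def build_profile(roots, intermediates, org_id="com.example.mdm",
                  display_name="Corporate CA trust"):
    """Return .mobileconfig bytes. roots/intermediates are lists of (name, der)."""
    payloads = [cert_payload(n, d, "root", org_id) for n, d in roots]
    payloads += [cert_payload(n, d, "intermediate", org_id) for n, d in intermediates]
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".ca-trust",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": "System",  # System keychain, not the user's login keychain
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def describe(profile_bytes):
    """Parse a profile back and list what it installs and what it trusts as root."""
    prof = plistlib.loads(profile_bytes)
    system_scope = prof.get("PayloadScope") == "System"
    report = []
    for p in prof["PayloadContent"]:
        report.append({
            "name": p["PayloadDisplayName"],
            "type": p["PayloadType"],
            "der_len": len(p["PayloadContent"]),
            "trusted": system_scope and p["PayloadType"] == PAYLOAD_TYPE["root"],
        })
    return report


# Constructed sample input: a SEQUENCE tag plus filler, NOT real certificates.
SAMPLE_ROOT_PEM = to_pem(b"\x30\x82\x01\x00" + b"CONSTRUCTED ROOT CA PLACEHOLDER")
SAMPLE_INT_PEM = to_pem(b"\x30\x82\x01\x00" + b"CONSTRUCTED ISSUING CA PLACEHOLDER")

if __name__ == "__main__":
    roots = [("Corp Root CA", pem_to_der(SAMPLE_ROOT_PEM)[0])]
    inters = [("Corp Issuing CA", pem_to_der(SAMPLE_INT_PEM)[0])]
    profile = build_profile(roots, inters)
    with open("corporate-ca.mobileconfig", "wb") as fh:
        fh.write(profile)
    for entry in describe(profile):
        print(entry)
```

The profile is unsigned, which is what iPCU produces as well; signing it (for example with `security cms -S`) is a separate step. The intermediate payload is installed but not given its own trust setting, since it chains to the root; that matches the split between `trustRoot` for the root and a separate treatment for intermediates discussed later in the thread.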


bentoms
  • Author
  • Hall of Fame
  • May 1, 2012

Any way of replicating Jason's steps using the JSS config profiles?


bentoms
  • Author
  • Hall of Fame
  • May 1, 2012

Many thanks Jason, I didn't process what you posted, but it worked perfectly. Ty!


  • Contributor
  • May 1, 2012

I use a package that runs at image time. It puts the root and intermediate certs in a temp location, installs them using the security command and then deletes the temp location.
To get the intermediate cert to be trusted you need to switch the -r option to trustAsRoot, so for that one the command would be:

/usr/bin/security add-trusted-cert -d -r trustAsRoot -k

bentoms
  • Author
  • Hall of Fame
  • May 1, 2012

Thanks Nick. TBH my idea is to move away from scripting where possible and instead manage my Macs via MCX or Config Profiles.


  • Contributor
  • March 31, 2016

I'd like to deploy a cert and have it trusted. I am new to deploying certs to Macs and not sure how to accomplish what jhbush1973 has suggested. We basically have a cert that needs to be deployed to Macs and the cert needs to be trusted once it is deployed.