Question

Deploying certificates

  • September 17, 2014
  • 31 replies
  • 164 views

  • Author
  • Contributor
  • February 3, 2016

Sorry to resurrect this old thread, but it is still helpful in a new environment I'm at.

When I initially requested this we had no access to Casper or anything; even Server was limited and I didn't test much. But once we deployed Casper and got these systems on a domain setting, they seemed to be okay: the certs were delivered via a config profile, and whatever we used at the time for signing certs (in the JSS?) seemed to do the trick.

But what I'm understanding is that you could ultimately use Server to build a config profile, send that out via ARD or something, and it would work the same way?


  • Contributor
  • February 18, 2016

@SQR I think I know the issue.

security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certificate.cer"

It should be trustRoot, not trustAsRoot.


  • New Contributor
  • November 28, 2016

The correct syntax is without the first set of quotes. The quotes only go on the path to the certificate you want to install.

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/private/tmp/certs/certificate.cer"


  • New Contributor
  • June 8, 2017

This thread helped me a lot while troubleshooting my own Root Cert issue. Here is a suggestion from my experience. It might help someone who is in the same situation as mine.

My situation:
- I had a bunch of Root Certs and Intermediate Certs that needed to be added in the System Keychain as trusted certs.
- I have found that my Root Cert Server doesn't issue certs. It's turned off. So, only trusting them is not helpful.
- My Intermediate cert servers are acting as root cert. So, these certs need to be trusted as well.

My solution:
1. I have packaged up all the certs (.cer files) in Composer.
2. Wrote a script to add the certs after extracting the .cer files.
3. Created a policy to deploy the certs.

The most useful info is: while deploying the Root Cert, use this command:
/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "/private/tmp/certs/RootCertificate.cer"

While deploying the Intermediate Cert, use this command:
/usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/private/tmp/certs/IntermCertificate.cer"

If you don't use "trustAsRoot" for intermediate certs while the root cert server is turned off, you won't get them as "Always Trust".

Hope it helps, thanks.
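A deployment script in the spirit of the packaged-script approach in this post, added here as an example and not taken from the thread or from Jamf: it classifies each .cer in a directory as a root (subject equals issuer) or an intermediate, installs roots with trustRoot and intermediates with trustAsRoot, and confirms each one with security verify-cert. It assumes the certs sit in /private/tmp/certs (hypothetical path, overridable as the first argument) and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Installs every .cer in CERT_DIR into the System keychain,
# choosing -r trustRoot for self-signed roots and -r trustAsRoot for intermediates.
CERT_DIR="${1:-/private/tmp/certs}"          # assumed location of the extracted .cer files
KEYCHAIN="/Library/Keychains/System.keychain"

# Print "subject=..." and "issuer=..." for one certificate; accepts PEM or DER encoded .cer files.
cert_names() {
  openssl x509 -in "$1" -noout -subject -issuer 2>/dev/null ||
  openssl x509 -in "$1" -inform DER -noout -subject -issuer 2>/dev/null
}

# Pick the trust policy. Heuristic: subject == issuer means self-signed, i.e. a root -> trustRoot.
# Anything else is an intermediate that must stand in for an offline root -> trustAsRoot.
trust_policy_for() {
  local names subject issuer
  names=$(cert_names "$1") || return 1
  subject=$(printf '%s\n' "$names" | sed -n 's/^subject=//p')
  issuer=$(printf '%s\n' "$names" | sed -n 's/^issuer=//p')
  if [ "$subject" = "$issuer" ]; then echo trustRoot; else echo trustAsRoot; fi
}

# Install one certificate with the chosen policy, then check that the keychain now trusts it.
install_cert() {
  local policy
  policy=$(trust_policy_for "$1") || { echo "unreadable certificate: $1" >&2; return 1; }
  /usr/bin/security add-trusted-cert -d -r "$policy" -k "$KEYCHAIN" "$1" || return 1
  if /usr/bin/security verify-cert -c "$1" >/dev/null 2>&1; then
    echo "installed $1 as $policy (verified)"
  else
    echo "installed $1 as $policy, but verify-cert still fails; check the chain" >&2
  fi
}

# Roots go in first so intermediates can chain to them. Only meaningful on a Mac with security(1).
deploy_all() {
  [ -x /usr/bin/security ] || { echo "security(1) not found; nothing installed" >&2; return 1; }
  for c in "$CERT_DIR"/*.cer; do
    [ "$(trust_policy_for "$c")" = trustRoot ] && install_cert "$c"
  done
  for c in "$CERT_DIR"/*.cer; do
    [ "$(trust_policy_for "$c")" = trustAsRoot ] && install_cert "$c"
  done
}

# Entry point: run the deployment only on the managed Mac (skipped where security(1) is absent).
if [ -x /usr/bin/security ]; then deploy_all; fi
```

Run it as root from the policy (for example `sudo ./deploy_certs.sh /private/tmp/certs`); the verify-cert warning is the signal that an intermediate was installed without its root being trusted.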


  • Valued Contributor
  • July 6, 2017

Hi All,

This thread has certainly helped me understand what is going on and what it takes to get this going.

But I'm running into an issue when issuing a new CA. First I tried to create a new Configuration Profile that housed the new intermediate certification authority; it pushed to the machines and installed in the system keychain. Problem is, it's not trusted. I read that because the Configuration Profile isn't signed, it's going to be set to system defaults.

So I fired up Apple Configurator, created a Configuration Profile there and signed it with our Apple Worldwide Developer Relations Certification Authority cert. Still not setting the trust settings to always trust.

Is there any way I can do this without building a package and scripting the trust settings changes?

Thanks in advance!

Edit:
I suspect that this is happening because it's not a root certificate?


  • Valued Contributor
  • July 6, 2017

@LovelessinSEA you need the full chain of trust. Is your intermediate cert signed by a public CA or an internal one? If the intermediate cert that you are installing is signed by an untrusted root CA, then the intermediate will show up as untrusted. You will need to make sure that the root is in the system keychain and trusted if you want the intermediate to be trusted. No need to manually install trust settings unless you cannot deploy the root CA.