
Hello all,



I am trying to automate our VPN deployment, and so far I have got the software installing ok, adding the certificates correctly is a work in progress, although I can do it all via the command line with the user adding their password to allow access to their keychain.



Next thing I need to try and work out is getting individual certificates onto each user's machine. One way is an individual pkg for each user, but this is a bit messy. While writing I have thought I could maybe script mounting a share and copying a file with $USERNAME maybe? Importing it then deleting it.



Any ideas on how I could achieve this? We are using F5 ssl certificate authentication.



Thanks



Dave

What's making the certs? Can it do SCEP?


Microsoft Active Directory Certificate Services Certificate Authority. I just saw an article about using Configuration Profiles to push them out, so this might be the way to go I think, but I'm a little unsure: will using that import the cert into the keychain? I would then need to set the identity preference, and it also needs a trusted cert for the issuing server.


We have self-signed certs for our phone system, and use this to import it. It's a bit messy, but we don't have to change these certs very often. I modified a loop someone wrote for cleaning the dock to play with certs instead.



#!/bin/bash
# Directory the certs were staged into by a package
CERTDIR="/Library/Application Support/JAMF/certs"
# Bash array: no commas, plain double quotes
CERTLIST=("cert1.cer" "cert2.cer" "cert3.cer")

for i in "${CERTLIST[@]}"
do
    # Bare name without directory or extension, used for logging
    CertName=$(/bin/echo "$i" | /usr/bin/awk -F/ '{print $NF}' | /usr/bin/awk -F. '{print $1}')
    /bin/echo "Importing ${CertName}"

    # Add the cert to the System keychain as a trusted root; the path contains a space, so keep it quoted
    /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${CERTDIR}/${i}"
done

# Remove the certs directory used in the import
rm -rf "${CERTDIR}"

exit 0

@dwest, this can all be done with 2 config profiles:




  1. One profile with a Certificate payload deploying the CA's certificate

  2. Second profile with an AD Certificate payload for the AD certificate request



We've done that for a few years, works well.


Cheers @bentoms, getting there. The CA is there, but the AD cert is failing with "Unable to decrypt encrypted profile." Looking into that now :)


@bentoms, have you ever had to assign an identity preference to the certificates? I have tried with a script, but as it's run as root, getting the common name is proving a real pain. I tried $FULLNAME (as the common name is also the same as the user's full name) but this fails with various errors:
Script result: security: No matching identity found for "" when I put the $FULLNAME in ""
Script result: security: No matching identity found for "$FULLNAME" when I put the $FULLNAME in ''
Script result: security: No matching identity found for "/Users/myusername/Library/Keychains/login.keychain" when I put the $FULLNAME as it is



Any ideas?


@dwest, we only use computer level.



But try a user level profile & the variable $USERNAME.



Page 258 of the admin guide for 9.2 has a list of the variables you can use in config profiles.



http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.2-Administrators-Guide.pdf#page255


Thanks @bentoms, but it's the common name of the script variable we need, which is the same as the FULLNAME. I will have to see if I can change this common name to something else. Thanks for looking :)


@dwest, sorry, missed the bit where you're using a script.



Did profiles not work?



I guess you need to get the username of the logged in user then.



Something like the below could be adapted:



# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

@bentoms, the profile loads the certificate, but then we need to assign an Identity Profile against it. The command is easy enough:



security set-identity-preference -s https://vpn.domainname.net/ -c "Common Name" /Users/$USERNAME/Library/Keychains/login.keychain


Where Common Name is the certificate common name, so Firstname Lastname.



But when scripted the Common Name part fails as I mentioned above. I think I will investigate if we can create the certs with standard common names like "company_name" so we ditch the space which I think is really causing the issue.


@dwest, gotcha.



You might be able to put the common name in quotes.



But, using the username might work.


@bentoms, got it sorted. In case this may help any others:



#!/bin/bash
# Get the current logged in user (owner of /dev/console); awk copes with the variable spacing in ls -l output
consoleuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Get the current logged in user's full name, in this case that is the common name of our VPN certs.
# dscl prints the value on the line after "RealName:" when it contains a space, so strip the label and join the lines
commonname=$(/usr/bin/dscl . -read "/Users/${consoleuser}" RealName | /usr/bin/sed -e 's/^RealName://' | /usr/bin/tr -d '\n' | /usr/bin/sed -e 's/^ *//')
# Add the identity preference to the client certificate, running as the user so it applies to their login keychain
/usr/bin/sudo -u "${consoleuser}" /usr/bin/security set-identity-preference -s "https://your.domain.name/" -c "${commonname}"
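A hardened version of the same idea, added here as an example and not code from the thread: it parses the dscl output robustly (both the one-line and two-line forms), checks that an SSL client identity with that common name actually exists in the console user's keychain before setting the preference, and reads the preference back so the policy log shows what was applied. The VPN URL is a placeholder; the client identity is assumed to have been delivered by the AD Certificate profile already.

```shell
#!/bin/bash
# Added example, not from the thread. Placeholder VPN URL below.

# Pull the full name out of `dscl . -read /Users/<user> RealName` output read from stdin.
# dscl prints "RealName: Name" on one line for values without spaces, and
# "RealName:" followed by " First Last" on the next line otherwise; handle both.
parse_realname() {
    sed -e 's/^RealName://' | tr -d '\n' | sed -e 's/^ *//' -e 's/ *$//'
}

# The owner of /dev/console is the user with the current desktop session.
console_user() {
    /bin/ls -l /dev/console | awk '{ print $3 }'
}

# Returns 0 if an SSL client identity with this common name is in the user's keychain.
# $1 = user, $2 = common name
identity_present() {
    /usr/bin/sudo -u "$1" /usr/bin/security find-identity -v -p ssl-client \
        | grep -F -q "\"$2\""
}

# $1 = user, $2 = common name, $3 = VPN URL
set_vpn_identity_preference() {
    if ! identity_present "$1" "$2"; then
        echo "No identity named '$2' in $1's keychain; has the certificate profile applied yet?" >&2
        return 1
    fi
    /usr/bin/sudo -u "$1" /usr/bin/security set-identity-preference -s "$3" -c "$2" || return 1
    # Read it back so the Jamf policy log records what was actually set
    /usr/bin/sudo -u "$1" /usr/bin/security get-identity-preference -s "$3"
}

main() {
    local user cn
    user=$(console_user)
    [ -n "$user" ] && [ "$user" != "root" ] || { echo "No user logged in" >&2; exit 1; }
    cn=$(/usr/bin/dscl . -read "/Users/$user" RealName | parse_realname)
    set_vpn_identity_preference "$user" "$cn" "https://vpn.example.com/"
}

# Only run the macOS-specific part on a Mac; the functions above can be sourced elsewhere
[ "$(uname)" = "Darwin" ] && main
```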

@dwest, nice one!


@bentoms



How would you create a config profile with a Certificate payload deploying the CA's certificate?