Solved

Distributing individual certificates

  • February 20, 2014
  • 14 replies
  • 57 views

charliwest

Hello all,

I am trying to automate our VPN deployment, and so far I have got the software installing ok, adding the certificates correctly is a work in progress, although I can do it all via the command line with the user adding their password to allow access to their keychain.

Next thing I need to try and work out is getting individual certificates onto each user's machine. One way is an individual pkg for each user, but this is a bit messy. While writing I have thought I could maybe script mounting a share and copying a file with $USERNAME, importing it, then deleting it.

Any ideas on how I could achieve this? We are using F5 ssl certificate authentication.

Thanks

Dave


14 replies

  • Valued Contributor
  • February 20, 2014

What's making the certs? Can it do SCEP?


charliwest
  • Author
  • Contributor
  • February 20, 2014

Microsoft Active Directory Certificate Services Certificate Authority. I just saw an article about using Configuration Profiles to push them out, so this might be the way to go I think, but I'm a little unsure: using that, will it import the cert into the keychain? I would then need to set the identity preference, and it also needs a trusted cert for the issuing server.


  • Honored Contributor
  • February 20, 2014

We have self-signed certs for our phone system, and use this to import them. It's a bit messy, but we don't have to change these certs very often. I modified a loop someone wrote for cleaning the dock to play with certs instead.

#!/bin/bash
# Directory the policy stages the certificates in (quoted: the path contains a space)
CERTDIR="/Library/Application Support/JAMF/certs"
# Certificates to import from that directory
CERTLIST=("cert1.cer" "cert2.cer" "cert3.cer")

for i in "${CERTLIST[@]}"
do
    # Add each certificate to the System keychain as a trusted root
    /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CERTDIR/$i"
done

# Remove the certs directory used in the import
rm -rf "$CERTDIR"

exit 0

bentoms
  • Hall of Fame
  • Answer
  • February 20, 2014

@dwest, this can all be done with 2 config profiles:

  1. One profile with a Certificate payload deploying the CA's certificate
  2. Second profile with a AD Certificate payload for the AD certificate request

We've done that for a few years, works well.


charliwest
  • Author
  • Contributor
  • February 21, 2014

Cheers @bentoms, getting there. The CA is there, but the AD cert is failing with "Unable to decrypt encrypted profile." Looking into that now :)


charliwest
  • Author
  • Contributor
  • February 24, 2014

@bentoms, have you ever had to assign an identity preference to the certificates? I have tried with a script, but as it's run as root, getting the common name is proving a real pain. I tried $FULLNAME (as the common name is also the same as the user's full name) but this fails with various errors:

Script result: security: No matching identity found for "" (when I put the $FULLNAME in "")
Script result: security: No matching identity found for "$FULLNAME" (when I put the $FULLNAME in '')
Script result: security: No matching identity found for "/Users/myusername/Library/Keychains/login.keychain" (when I put the $FULLNAME as it is)

Any ideas?


bentoms
  • Hall of Fame
  • February 24, 2014

@dwest, we only use computer level.

But try a user level profile & the variable $USERNAME.

Page 258 of the admin guide for 9.2 has a list of the variables you can use in config profiles.

http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.2-Administrators-Guide.pdf#page255


charliwest
  • Author
  • Contributor
  • February 25, 2014

Thanks @bentoms, but it's the common name of the script variable we need, which is the same as the FULLNAME. I will have to see if I can change this common name to something else. Thanks for looking :)


bentoms
  • Hall of Fame
  • February 25, 2014

@dwest, sorry, missed the bit where you're using a script.

Did profiles not work?

I guess you need the username of the logged in user then.

Something like the below could be adapted;

# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

charliwest
  • Author
  • Contributor
  • February 25, 2014

@bentoms the profile loads the certificate, but then we need to assign an Identity Profile against it, the command is easy enough

security set-identity-preference -s https://vpn.domainname.net/ -c "Common Name" /Users/$USERNAME/Library/Keychains/login.keychain

Where Common Name is the certificate common name, so Firstname Lastname.

But when scripted the Common Name part fails as I mentioned above. I think I will investigate if we can create the certs with standard common names like "company_name" so we ditch the space which I think is really causing the issue.


bentoms
  • Hall of Fame
  • February 25, 2014

@dwest, gotcha.

You might be able to put the common name in quotes.

But, using the username might work.


charliwest
  • Author
  • Contributor
  • February 25, 2014

@bentoms, got it sorted. In case this may help any others:

# Get the current logged in user (3rd whitespace-separated field of ls -l, so it does not depend on column padding)
consoleuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Get the current logged in user's full name, in this case that is the common name of our VPN certs
commonname=$(/usr/bin/dscl . read "/Users/$consoleuser" RealName | /usr/bin/grep -v RealName | /usr/bin/cut -c 2-)
# Add the Identity Preference to the client certificate, run as the user so their login keychain is used
/usr/bin/sudo -u "$consoleuser" /usr/bin/security set-identity-preference -s "https://your.domain.name/" -c "$commonname"
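
As an added example (not code from the thread), the same three steps as the script above, with the RealName lookup made tolerant of both shapes dscl can print: a value with no spaces comes back on the same line as "RealName:", which a grep -v pipeline drops and which yields exactly the "No matching identity found for """ error quoted earlier in the thread. The VPN URL is a placeholder, and the read-back after setting the preference is the check that an identity actually matched.

```shell
#!/bin/bash
# Added example: console user, certificate common name (the user's RealName),
# then the identity preference, as in the post above, but tolerant of both
# shapes of `dscl . read /Users/<user> RealName` output:
#   "RealName: Dave"          value on the same line when it has no spaces
#   "RealName:\n Dave West"   value on its own line when it contains a space

# Owner of /dev/console from an `ls -l /dev/console` line (3rd whitespace
# field, so it does not depend on how ls pads the link count column).
console_user_from_ls() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# RealName value from dscl output, whichever of the two shapes it takes.
real_name_from_dscl() {
    printf '%s\n' "$1" | awk '
        /^RealName:/ {
            sub(/^RealName:[ ]*/, "")
            if (length($0) > 0) { print; exit }
            next
        }
        NF { sub(/^[ ]+/, ""); print; exit }'
}

# Set the identity preference for the VPN host as the console user (so the
# login keychain is used), then read it back to confirm an identity matched.
set_vpn_identity_preference() {
    local vpn_url="$1" user cn
    user=$(console_user_from_ls "$(/bin/ls -l /dev/console)")
    cn=$(real_name_from_dscl "$(/usr/bin/dscl . read "/Users/$user" RealName)")
    if [ -z "$user" ] || [ -z "$cn" ]; then
        echo "could not determine console user or common name" >&2
        return 1
    fi
    /usr/bin/sudo -u "$user" /usr/bin/security set-identity-preference \
        -s "$vpn_url" -c "$cn" || return 1
    /usr/bin/sudo -u "$user" /usr/bin/security get-identity-preference \
        -s "$vpn_url" >/dev/null
}

# Only runs where the security tool exists (a Mac); the URL is a placeholder.
if command -v security >/dev/null 2>&1 && [ -e /dev/console ]; then
    set_vpn_identity_preference "https://vpn.example.com/"
fi
```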

bentoms
  • Hall of Fame
  • February 25, 2014

@dwest, nice one!


  • July 27, 2018

@bentoms

How would you create a config profile with a Certificate payload deploying the CA's certificate?