@jpsalamat Another option is to create a package which installs the certificates to a temporary directory then use a post-install script to trust each certificate:
###
# Certificate Functions
# (the temporary path below is a placeholder; the package's payload directory goes there)
###

# Remove a certificate from the System keychain by its SHA-1 hash
function deleteCert(){
    certName="$1"
    SHA1="$2"
    /usr/bin/security delete-certificate -Z "${SHA1}" /Library/Keychains/System.keychain
    echo "* Deleted ${certName} with SHA-1 hash: ${SHA1}"
    /bin/sleep 1
}

# Add a certificate to the System keychain with the "trustRoot" result type
function trustRootCert(){
    certName="$1"
    if [ -f /your/temporary/path/goes/here/"${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /your/temporary/path/goes/here/"${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: /your/temporary/path/goes/here/"
    fi
    /bin/sleep 1
}

# Add a certificate to the System keychain with the "trustAsRoot" result type
function trustCertAsRoot(){
    certName="$1"
    if [ -f /your/temporary/path/goes/here/"${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /your/temporary/path/goes/here/"${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: /your/temporary/path/goes/here/"
    fi
    /bin/sleep 1
}
(NOTE: I have noticed this approach is throwing a new dialog in macOS Big Sur.)
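An added example, not code from the thread above or from Jamf, of a complete postinstall script built on the same package-plus-script approach. The difference from the functions above is that it refuses to call `security add-trusted-cert` unless the staged file's SHA-1 fingerprint matches a value pinned in the script, so a tampered or mis-packaged file never ends up trusted system-wide, and it removes the staged copies afterwards. The staging directory, the file names and the fingerprint values are assumed placeholders; `/usr/bin/openssl` and `/usr/bin/security` are the macOS stock binaries.

```shell
#!/bin/bash
# Added example (not from the thread): trust staged certificates only after
# their SHA-1 fingerprint matches a pinned value, then clean up the staging dir.
set -u

# Directory the package payload installs into (assumed placeholder).
CERT_DIR="${CERT_DIR:-/private/tmp/corp-certs}"
KEYCHAIN="/Library/Keychains/System.keychain"

# Pinned fingerprints as "<file name>:<expected SHA-1>" (constructed placeholders;
# replace with the fingerprints your PKI team publishes).
PINNED="corp-root.cer:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
corp-issuing.cer:0000000000000000000000000000000000000000"

# Normalize "SHA1 Fingerprint=da:39:a3:..." (openssl output) to bare upper-case hex.
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr '[:lower:]' '[:upper:]'
}

# Print the pinned fingerprint for a file name; prints nothing if it is not pinned.
pinned_fp() {
  printf '%s\n' "$PINNED" | awk -F: -v n="$1" '$1 == n { print $2 }'
}

# Compute the SHA-1 fingerprint of a DER or PEM certificate file.
cert_fp() {
  local inform="DER"
  grep -q 'BEGIN CERTIFICATE' "$1" && inform="PEM"
  normalize_fp "$(/usr/bin/openssl x509 -inform "$inform" -in "$1" -noout -fingerprint -sha1)"
}

# Return 0 only when the file name is pinned and the fingerprint matches the pin.
fp_matches() {
  local expected actual
  expected="$(pinned_fp "$1")"
  [ -n "$expected" ] || return 1
  actual="$(normalize_fp "$2")"
  [ "$expected" = "$actual" ]
}

# $1 = staged file name, $2 = result type (trustRoot or trustAsRoot)
trust_cert() {
  local path="${CERT_DIR}/$1" fp
  [ -f "$path" ] || { echo "* Error: $1 not found in ${CERT_DIR}"; return 1; }
  fp="$(cert_fp "$path")"
  if ! fp_matches "$1" "$fp"; then
    echo "* Refusing to trust $1: SHA-1 ${fp} does not match the pinned value"
    return 1
  fi
  /usr/bin/security add-trusted-cert -d -r "$2" -k "$KEYCHAIN" "$path" \
    && echo "* Trusted $1 ($2) with SHA-1 ${fp}"
}

main() {
  local rc=0
  trust_cert corp-root.cer trustRoot || rc=1
  trust_cert corp-issuing.cer trustAsRoot || rc=1
  rm -rf "$CERT_DIR"   # leave no loose copies of the certificates behind
  return $rc
}

# Only act when the package actually staged something; the functions above can
# otherwise be sourced and exercised on their own.
if [ -d "$CERT_DIR" ]; then
  main "$@"
fi
```

A non-zero exit from `main` makes the installer report a failure, which is what you want when a pinned fingerprint does not match: the package should fail visibly rather than silently skip a certificate.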
Thanks, @dan-snelson, that may prove useful. In your suggestion, it sounds like I need to export the certs then upload them to Jamf to then be deployed. Am I correct? This is where I'm lacking understanding. Is it possible for Jamf to request the root and intermediates via the AD CS connector and PKI? My company's security team prefers a request versus a manual export then deployment.
I received the OK to upload the root and intermediates to the Jamf Pro server and deploy them via configuration profile.
@jpsalamat I've just done this myself; they are both marked as non-exportable, and I have set passwords on them in the configuration profile, but they can be exported / copied and imported onto another machine with no issue. Have you configured your profile in a way that prevents this?
Never mind; protecting them with a password doesn't prevent export, but they can't be imported on another machine, which is good enough.
What's the difference here between 'trustRoot' and 'trustAsRoot'?