
I'm trying to push a certificate and set EAP and X.509 Basic Policy to Always Trust. I tried installing the cert and then modifying the settings, exporting the cert, then adding it to a config profile, but when deploying it, the settings never stick.

I also tried to push it via policy with a PostInstall script (the two commands run one after the other):

security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
rm -f "/private/tmp/certs/certname.cer"   # srm no longer ships with macOS; rm -f removes the staged copy

Also tried:

security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
rm -f "/private/tmp/certs/certname.cer"

All with no luck. Has anyone tried this or maybe have the knowledge to help?

 

Thanks

You need to push the certificate with a Configuration Profile and set it to be available to all applications. Apple retired the ability to force-trust a certificate from the CLI with macOS 11. Basically, -k does nothing anymore.


The method @AJPinto describes is the way we do ours. Our WiFi and Global Protect both use certificate based authentication. We distribute the certificates in a separate profile, specifically, the "auth" certificates. In the WiFi profile, we select this auth certificate in the Trust section.


Hi @AJPinto. In my environment I have deployed the certificate with a Configuration Profile and set it to be available to all applications. Only the root certificate is deployed as Always Trust. The intermediate and leaf certificates are deployed as Use System Defaults, so users are being prompted to trust the certificate when they join the Wi-Fi network. Am I missing something, or how can I make sure the users are not prompted? Thanks


If the user is manually selecting the network, I would wager they are having to tell macOS which certificate the network needs and not necessarily trusting the certificate. The only method I can think of for totally hands-off is to have the Wi-Fi network configured with a Configuration Profile where you specify the certificate the network needs.


Thanks for your reply. I can give this a try and deploy the Wi-Fi settings and certificates in one config profile.
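
Added example (not posted by anyone in this thread): a script that builds the one-profile layout discussed above, a root certificate payload plus a Wi-Fi payload whose EAP settings point at that certificate as a trust anchor, and checks that every anchor UUID the Wi-Fi payload references actually exists in the same profile. The payload keys are the ones from Apple's Configuration Profile Reference; the SSID, RADIUS host name, `com.example` identifiers and the placeholder DER bytes are assumptions made up for the example, and the placeholder is not a real certificate.

```python
import plistlib
import uuid

# Constructed placeholder standing in for the DER bytes of an exported root CA .cer.
# It is NOT a real certificate; read your real file with open(path, "rb").read().
SAMPLE_ROOT_DER = bytes.fromhex("3003020100")

CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",    # root CA, installed as trusted root
    "com.apple.security.pkcs1",   # plain DER cert (intermediate/server), present but not an anchor
    "com.apple.security.pkcs12",  # identity (cert + key), e.g. for EAP-TLS
}


def cert_payload(der: bytes, name: str, payload_type: str = "com.apple.security.root") -> dict:
    """Certificate payload; plistlib serialises the bytes as a <data> element."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.cert.{uuid.uuid4()}",  # assumed identifier prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": der,
    }


def wifi_payload(ssid: str, anchor_uuids: list, server_names: list) -> dict:
    """Managed Wi-Fi payload whose EAP config trusts the referenced certificate payloads."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP; for EAP-TLS use 13 and add PayloadCertificateUUID
            # UUIDs of certificate payloads in this profile that the client trusts for the RADIUS server
            "PayloadCertificateAnchorUUID": list(anchor_uuids),
            # Server names the RADIUS certificate must match; wildcards such as *.example.com are allowed
            "TLSTrustedServerNames": list(server_names),
            # Do not let the user click through an untrusted server certificate
            "TLSAllowTrustExceptions": False,
        },
    }


def build_profile(root_der: bytes, ssid: str, server_names: list, org: str = "Example Org") -> dict:
    """System-scoped profile carrying the root CA and the Wi-Fi network that anchors to it."""
    root = cert_payload(root_der, "Corporate Root CA")
    wifi = wifi_payload(ssid, [root["PayloadUUID"]], server_names)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.wifi-and-root",  # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid} + Root CA",
        "PayloadOrganization": org,
        "PayloadContent": [root, wifi],
    }


def unresolved_anchor_uuids(profile: dict) -> list:
    """Anchor UUIDs referenced by Wi-Fi payloads that have no certificate payload in this profile.

    A non-empty result means the network cannot be pinned to the cert and the user will be
    asked to make the trust decision at join time.
    """
    present = {p["PayloadUUID"] for p in profile["PayloadContent"] if p["PayloadType"] in CERT_PAYLOAD_TYPES}
    missing = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        for anchor in p.get("EAPClientConfiguration", {}).get("PayloadCertificateAnchorUUID", []):
            if anchor not in present:
                missing.append(anchor)
    return missing


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def load_mobileconfig(data: bytes) -> dict:
    """Parse a (unsigned) .mobileconfig back into a dict, e.g. to audit an exported profile."""
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_profile(SAMPLE_ROOT_DER, "CorpWiFi", ["radius.example.com"])
    if unresolved_anchor_uuids(profile):
        raise SystemExit("Wi-Fi payload references a certificate that is not in this profile")
    with open("corp-wifi.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
```

The generated file is unsigned; upload it to the MDM (Jamf re-signs on distribution) rather than double-clicking it on a test Mac. `unresolved_anchor_uuids` is also useful on a profile exported from the MDM: if the Wi-Fi payload and the certificate live in separate profiles, the anchor reference is the thing that is missing. After deployment, `profiles show` on the client lists the installed payloads, and `security dump-trust-settings -d` shows the admin trust settings that the root payload created.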

