Google LDAP Certificate Troubleshooting

ETsavaris
New Contributor III

This one is for all of those wanting to issue the .p12 certificate to computers via Jamf Pro for Google LDAP Authentication with Jamf Connect.


I've recently performed an integration for a customer with Jamf Connect and their G-Suite tenant following the article provided here: https://learn.jamf.com/bundle/jamf-connect-documentation-current/page/Integrating_with_Google_Identi... 
and found that when attempting to issue the certificate via a configuration profile, I would get the error "the certificate could not be verified (authentication error)".


I ended up going down a long rabbit hole of troubleshooting that ended with having me attempt to install the certificate manually, which led me to find that the password I created wasn't being accepted within Keychain Access.

This led me to the following article going over an open issue with OpenSSL 3.x and its deciphering issues:
https://stackoverflow.com/questions/70431528/mac-verification-failed-during-pkcs12-import-wrong-pass...


The solution for me was to append the -legacy flag to the command for creating the .p12 file in order to generate a certificate package that could be accepted on the endpoint. The modification looked like the below code:

openssl pkcs12 -export -legacy -out /path/to/generated/keystore.p12 -inkey /path/to/saved/privatekey.key -in /path/to/saved/certificate.crt

This newly generated Certificate payload was accepted both manually and through the configuration profile immediately.


Additional Context:

My testing utilized Jamf Connect 2.28.0 and macOS 13.6.

1 ACCEPTED SOLUTION

AleRosmo
New Contributor II

Thank you a lot, this was of invaluable help!

4 REPLIES

mike_prather
New Contributor II

Yes! Saved my bacon! Had a ticket open with Jamf for the cert issues I was having so hopefully they update the docs with this info soon.

Raph_Jamf
New Contributor

Hi,

The -legacy option is no longer available with the openssl version on macOS, it seems:

/usr/bin/openssl version

LibreSSL 3.3.6

Any idea how to make this work now?

Might have to get brew and install openssl@3.0 (v3.0.15) or openssl@3 (v3.4.0)
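Putting the two situations in this thread together as an added shell example (not code from the original post, Jamf's documentation, or any of the replies): it adds -legacy only when the openssl in use is OpenSSL 3.x, since LibreSSL (macOS's /usr/bin/openssl) does not have that flag, then builds the .p12 and confirms the password actually opens it, which is the check the original poster did by hand in Keychain Access. The key, certificate, output paths and password are placeholders, and it assumes OpenSSL 1.x and LibreSSL still emit the older PBE defaults without any extra flag.

```shell
#!/bin/sh
# Added example, not from the thread: choose the pkcs12 flag that matches the
# openssl build in use, build the .p12, and confirm the password decrypts it.
set -eu

# Print "-legacy" only for OpenSSL 3.x, the line that introduced the flag and
# whose newer PBES2/AES-256 default output macOS rejected in this thread.
# Assumption: OpenSSL 1.x and LibreSSL already emit the older 3DES/RC2 PBE
# defaults, so they get no extra argument (and would reject -legacy anyway).
legacy_flag_for() {
    case "$1" in
        "OpenSSL 3."*) printf '%s' "-legacy" ;;
        *) printf '' ;;
    esac
}

# Same decision, but reads the version string from a given openssl binary.
legacy_flag_for_binary() {
    legacy_flag_for "$("$1" version)"
}

# Build the keystore from a private key and certificate (placeholder paths).
# Usage: build_p12 <openssl-bin> <key> <cert> <out.p12> <password>
build_p12() {
    bin=$1; key=$2; cert=$3; out=$4; pw=$5
    flag=$(legacy_flag_for_binary "$bin")
    # $flag is deliberately unquoted: an empty value means "no extra argument".
    "$bin" pkcs12 -export $flag -out "$out" -inkey "$key" -in "$cert" \
        -passout "pass:$pw"
}

# The manual check from the original post: does the password open the bundle?
# Exits non-zero on "Mac verification failed" / wrong password.
verify_p12() {
    bin=$1; p12=$2; pw=$3
    flag=$(legacy_flag_for_binary "$bin")
    "$bin" pkcs12 $flag -in "$p12" -info -noout -passin "pass:$pw"
}

# Example run: ./p12check.sh /opt/homebrew/bin/openssl key.key cert.crt out.p12 'pw'
if [ $# -ge 5 ]; then
    build_p12 "$@"
    verify_p12 "$1" "$4" "$5"
    echo "OK: $4 built using flag '$(legacy_flag_for_binary "$1")'"
fi
```

If verify_p12 fails on a bundle built by a different machine, re-run it with the same openssl build that created the file, since OpenSSL 3.x needs -legacy to read RC2-encrypted bundles as well as to write them.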