Posted on 10-12-2023 09:54 AM
This one is for all of those wanting to issue the .p12 certificate to computers via Jamf Pro for Google LDAP Authentication with Jamf Connect.
I've recently performed an integration for a customer with Jamf Connect and their G-Suite tenant following the article provided here: https://learn.jamf.com/bundle/jamf-connect-documentation-current/page/Integrating_with_Google_Identi...
and found that when attempting to issue the certificate via a configuration profile, I would get the error "the certificate could not be verified (authentication error)".
I ended up going down a long rabbit hole of troubleshooting that ended with having me attempt to install the certificate manually, which led me to find that the password I created wasn't being accepted within Keychain Access.
This led me to the following article going over an open issue with OpenSSL 3.x and its deciphering issues:
https://stackoverflow.com/questions/70431528/mac-verification-failed-during-pkcs12-import-wrong-pass...
The solution for me was to append the -legacy flag to the command for creating the .p12 file in order to generate a certificate package that could be accepted on the endpoint. The modification looked like the below code:
openssl pkcs12 -export -legacy -out /path/to/generated/keystore.p12 -inkey /path/to/saved/privatekey.key -in /path/to/saved/certificate.crt
This newly generated Certificate payload was accepted both manually and through the configuration profile immediately.
Additional Context:
My testing utilized Jamf Connect 2.28.0 and macOS 13.6.
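To confirm which protection scheme a generated .p12 actually carries before it goes into a configuration profile, the sketch below classifies the text printed by `openssl pkcs12 -info -noout` (OpenSSL 3.x writes PBES2/AES with a SHA-256 MAC by default, while `-legacy` writes the older SHA-1 based RC2/3DES scheme). It is an added example, not part of the original posts; the function names, the `P12_PASS` variable and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report which protection scheme a .p12 uses.
# classify_p12_info reads `openssl pkcs12 -info -noout` text on stdin and prints:
#   legacy  = SHA-1 PBE (RC2-40 / 3DES) with a SHA-1 MAC, what -legacy writes
#   modern  = PBES2/PBKDF2 with AES and a SHA-2 MAC, the OpenSSL 3.x default
#   mixed   = both families present; unknown = no algorithm lines recognised
classify_p12_info() {
    info=$(cat)
    legacy=0; modern=0
    if printf '%s\n' "$info" | grep -Eq 'pbeWithSHA1And|^MAC: sha1,'; then legacy=1; fi
    if printf '%s\n' "$info" | grep -Eq 'PBES2|^MAC: sha(256|384|512),'; then modern=1; fi
    case "$legacy$modern" in
        10) echo legacy ;;
        01) echo modern ;;
        11) echo mixed ;;
        *)  echo unknown ;;
    esac
}

# inspect_p12 FILE: the password comes from the P12_PASS environment variable
# (hypothetical name) so it stays out of the process list. OpenSSL 3.x needs
# -legacy to read RC2-protected bags, so retry with it if the first read fails.
inspect_p12() {
    out=$(openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>&1) ||
    out=$(openssl pkcs12 -info -noout -legacy -in "$1" -passin env:P12_PASS 2>&1) ||
    { echo unreadable; return 1; }
    printf '%s\n' "$out" | classify_p12_info
}

# Constructed sample outputs, not captured from the files discussed in the thread.
SAMPLE_DEFAULT='MAC: sha256, Iteration 2048
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

if [ $# -gt 0 ]; then
    inspect_p12 "$1"            # classify a real file given as the first argument
else
    printf 'default export: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | classify_p12_info)"
    printf 'legacy export:  %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | classify_p12_info)"
fi
```

Because the legacy scheme protects the certificate bag with 40-bit RC2, the resulting .p12 should be handled as if the private key were only lightly protected: restrict who can download the profile and remove working copies after upload.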
Posted on 10-31-2023 08:45 AM
Thank you a lot, this was of invaluable help!
Posted on 08-01-2024 01:38 PM
Yes! Saved my bacon! Had a ticket open with Jamf for the cert issues I was having so hopefully they update the docs with this info soon.
yesterday
Hi,
The -legacy option is no longer available with the openssl version on macOS, it seems:
/usr/bin/openssl version
LibreSSL 3.3.6
Any idea how to make this work now?
yesterday
Might have to get brew and install openssl@3.0 (v3.0.15) or openssl@3 (v3.4.0)