Skip to main content
Question

AD Certificates not trusted

  • August 4, 2017
  • 5 replies
  • 44 views
E
Forum|alt.badge.img+3

----- Warning for Beginner problems and possibly stupid questions -----

I'm getting a user certificate from our Microsoft Certificate Authority (CA), Everything is working great and the certificates are imported via a configurations profile.

The trouble I'm having is that the imported certificate ends up in the Login Keychain (which I assume is supposed to happen because it's a User-Level profile aswell as it's a personal Certificate for each user) and is NOT trusted... This Certificate needs to be trusted for usage to connect to our Wifi.

Does anyone know how I can force the certificate to be trusted when it's already located inside the Login Keychain, either with a script or PLIST or whatever?
Or, maybe someone knows how to get it trusted from the start, that would be even better.

My General settings (made it availible in self service during testing period):

and my AD Certificate Payload:

I have tried to set up a Network payload aswell, doesn't help because the certificate is still not trusted so it wont connect.
Inside the Network payload there is the Trust option, but there are no certificates under Trusted Certificates and also adding the name of the certificate inside Certificate Common Name doesn't help.

JSS/Casper Suite Version is 9.96

Any help would be greatly appreciated.

5 replies

flyboy
Forum|alt.badge.img+12
  • flyboy
  • Valued Contributor
  • August 4, 2017

@Emehlu , you need to add your internal Root CA as a trusted CA in the system keychain. You can do this via configuration profile. Once you specify your internal Root as trusted, its child certs will be trusted too. Depending on your environment, you may need to include the intermediate CAs too. In my experience, you need to include the Root CA in any configuration profile that requests an AD certificate, or uses certificate authentication, even if that CA is already in the system keychain on the target machine.

E
Forum|alt.badge.img+3
  • Emehlu
  • Author
  • New Contributor
  • August 5, 2017

@Berrier , thanks for your response!
There is already a root certificate in the sysem keychain, with "always trust" as its setting.
First thing on monday I will try the AD certificate again, with a root certificate included in the same configurations profile, and see if that helps!

E
Forum|alt.badge.img+3
  • Emehlu
  • Author
  • New Contributor
  • August 7, 2017

@Berrier I've now tested it and it doesn't help... I am not sure what the "Intermediate CA" is so I will ask our Certificate guy if he can help me out with that, as far as I can understand the Root CA validates the Intermediate than later validates the others?

This is my Settings at the moment:

And also the Network payload trust section:

Thanks!

PS. This does make the root certificate trusted, but not the AD Certificate.

flyboy
Forum|alt.badge.img+12
  • flyboy
  • Valued Contributor
  • August 7, 2017

@Emehlu, get the issuing CA in your profile and I expect things will start working. The Issuing CA is actually what issues the client certificate, not the root. If you look at the chain from the bottom up, the computer or user certificate is trusted because the Issuing CA is trusted, because the Root is trusted. If you just have the computer or user certificate and the Root, the computer/user cert is not trusted because it was issued and signed by an Issuing CA that the computer knows nothing about.

E
Forum|alt.badge.img+3
  • Emehlu
  • Author
  • New Contributor
  • August 11, 2017

@Berrier , I've done some investigations with our CA guy, and he says we don't use an intermediate CA or anything like that.
And he showed me that in our windows environment the "Corporate Root CA" that's also name "cert" is the actual Issuing CA cert.

If I open the AD certificate on the Mac computer it says "Issued by: cert" and the Coroprate Root CA that you see in my previous screenshots is the "cert" that it's talking about, which is located in both System.Keychain and Login.keychain and is trusted. It's very clear to see in our windows envoirment:

I've even tried to export all CA Certificates, Intermediate certificates, personal certificates and computer certificates (but ofc for the actual computer) from my windows computer and import into the system + login keychain... still doesn't automatically trust a new certificate issued by the same CA...

Is there any bash script I can perform to trust, or can I change default settings of newly added certificates and than change it back ?

PS. The new AD Certificates always get this "This certificate is valid", what does this mean?

Thanks again!

Terms & ConditionsCookie settingsAccessibility statement