ADCS security?

fabian_fasshube
New Contributor III

Hi everyone :)

I'm currently testing Jamf ADCS within my environment.
Our Mac's are NOT bound to AD and I would like to use ADCS for certbased Wifi connections.
Btw: I'm using a Microsoft PKI/CA environment which we used to have for a while now and which I also use for our Windows Clients.

So the ADCS is working as expected and I've created a "Certificate"-Payload profile.
SAN = UPN = "$USERNAME"
Wifi Authentication also works fine - Just awesome.

I've now created another local user on my machine and named it like the CEO of my company. My Mac did now receive a certificate in the name of my CEO. With this Certificate I'm not only able to login against Wifi (Which works) but also into a few other systems which allow cert authentication.

We do use NPS for Wifi authentication and there does not seem to be any way except using the Username/UPN within the SAN in order to authenticate against the NPS?!
(Since the Macs aren't bound to the AD of course).

From my current point of view, this is definitely not how it should work and I really do hope, that I'm missing something here on my side.

Another very critical thing for me: I'm able to export the certificates with the Private key and I also don't see any way to block this. Except of course if the Mac's are bound to AD.

Please help :D
Thanks in advance ;)

14 REPLIES 14

jameson
Contributor II

Actually we are running the exact same setup as you describe without AD etc

And those issues your write about has actually not yet come to my mind and don't think there is any official solution for this that can just fix this. So think there need to be added an additional software like Jamf connect, so users only can login with their credentials - and then block new users creation on the Mac

But maybe some other has some info on this

fabian_fasshube
New Contributor III

@jameson - Thanks very much for your feedback. Isn't this something critical to you? I mean Jamf should have something to prevent identity theft especially on certificate basis?!
I'll get in touch with the Jamf Team for these questions :)

jameson
Contributor II

The export of cert I was actually sure of was not possible - but I can see it is. I don´t know if there is a way to block this without need of implementing other solution
But overall of course it is security issue, that certificates can be created and exported that really can gives problems if some wants to abuse this, even we don´t have that much running on certs yet

jameson
Contributor II

Try and export the cert - does it actually work ?.
I can click export and enter a password, but it will not let me save it - so this part seems to be ok on my side

fabian_fasshube
New Contributor III

Yes indeed - I've just exported it ... :O (It is not even asking me to enter a password when exporting it)
I've NOT ticket "Allow all apps access" within the Certificate Payload. Your computer is also not bound to the AD right?
Are you using a computer or user profile for this purpose?

thanks :)

KRIECCO
Contributor

I am user user profile. And you can see both the cert name and privatekey underneath in keychain ?

Guess it could be something on your user template site then if you can just download

psliequ
Contributor III

The ADCS connector will happily hand off any certificates you configure a profile for and it’s typically used for machine certificates. It sounds like you should be requiring authentication in order to install a user certificate. NoMad or Enterprise Connect both have built in options to do that so I’d give one of those a try.

fabian_fasshube
New Contributor III

I'll definitely look into Jamf Connect but I've thought that this Product could work here as well.
It would be great if we could use machine certificates but I don't see any way to let them within our Wifi via NPS on a secure channel.
If there is anything in combination of NPS and Computer Based certificates, I'll take it ;)

DanielMa
New Contributor III
New Contributor III

Hi @fabian.fasshuber Something to clarify, the ADCS Connector payload when pushing out a certificate will prevent the export of the private key but not the certificate.

If you export the certificate that would be the equivalent of exporting a username but not the password, one way to confirm is if you export your certificate without the key so a .cer or .crt format instead of a .p12, remove the issued cert from the machine by unscoping the profile, and then try and use the exported certificate to connect to the wifi are you able to?

if you are using User based certificates and the devices are able to communicate to the CA then you can use something like NoMAD or Enterprise Connect, for multi user machines that you don't wish to bind then would recommend looking at Jamf Connect or NoMAD Login depending on your environment and lock down permission to create accounts.

For further assistance reach out to support or your TAM

fabian_fasshube
New Contributor III

You guys have been completely right. I'm not able to export the certificate including the private key.
What I still see as cirtical, is the following part:
1.) I could removed the .AppleSetupDone file, Reboot and create another (e.g. Donald.Trump) and receive his certificate
2.) Within the DEP enrollment I could simply choose another username (e.g. Donald Trumpse) and again I would receive his certificate

For now I've choosen to use Device Certifcates (I grep all DEP serial numbers, create Active Directory Computer Dummy accounts, allow NPS for them and publish the profile for the devices). Far t from perfect, but the usercertificates are a bit worse in my eyes.

I'll have a look into NoMad and Enterprise Connect in order to provide SSO with User Certificates in the future.
Thanks very much for all the help ;)

szultzie
Contributor II

Hi @fabian.fasshuber Did you ever get any further with the Jamf Connector?

We are trying to get a Device certificate for a non AD bond Mac, and came to the same conclusions you did with deleting the .AppleSetupDone file. Technically a hacker can rename computer remove the file and get a cert for any computer name they want potentially hijacking a server.

fabian_fasshube
New Contributor III

Hey @szultzie :)

I also had a ticket with Jamf and yes - It is like it is :D

At the end, I've decided to use a different approach:
I've created Active Directory computer objects based on the Serial number of all my MacBooks (I create them automatically if we receive new devices thanks to DEP and the Jamf API - There is no connection those are just dummy accounts)
Now I'm creating a computer certificate with the Serial number as Subject/SAN and authenticate through that against NPS -> And it works since the Serial number computer object dummy exists :) No one will be able to use the certificate for anything bad -> The export of the private key anyway would not work.
(Theoretically, I would know a way to still export it - but you'll need to put a lot of effort into it)

Let me know if you need more details

szultzie
Contributor II

@fabian.fasshuber Are you somehow automating the certificate creation?
And are you still using the Jamf Connector?
Thanks

fabian_fasshube
New Contributor III

@szultzie Yes it happens fully automated with the Jamf ADCS and a configuration Profile. (The ADCS Server works actually without a single outage for about one year)

I deploy the configuration profile to all my devices:

Certificate: Subject: CN=$SERIALNUMBER Subject alternative name: $SERIALNUMBER

The configuration profile also includes the Wifi-payload: Username: $SERIALNUMBER$ Identity certificate: The certificate from above