Adding certificates from Internal PKI

jsherwood
Contributor

Hi Guys,

We've just had a new Internal PKI service set up by our Security team and we're now starting to see certificates being generated to secure a number of our internal services.

These new certs will soon start to roll out to our Mac fleet and we want to be ready and get the Root and Intermediate certs deployed so that we minimise any certificate trust issues. The question is how do we best get the Root and Intermediate pushed out to the Macs and ensure they are installed in the right place (i.e. System keychain etc.).

Anyone got any advice or horror stories to share?

Thanks

John


mschroder
Valued Contributor

We have an extension attribute script that checks (via "security find-certificate") and reports whether the Root and Intermediate certs are installed.
A smart group of the clients that don't have the certs trusted, and a policy with that smart group as target scope for installing and trusting the certs (via a script that uses curl to fetch and "security add-trusted-cert" to trust the certs).

No horror stories so far, except for the usual cycles of edit policy, switch to edit script, switch to policy, switch to smart group, switch to ... in the development phase.
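The workflow described in the reply above, written out as an added example (this is not mschroder's script, nor Jamf's): one bash script that prints the extension attribute result by default and, when Jamf passes `install` as script parameter `$4`, fetches and trusts the two CAs. The URLs under `pki.example.internal`, the `REPLACE_WITH_*` fingerprints and the `ea_result`/`install_trusted_cert` names are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the thread: Jamf extension attribute by default, and the
# policy script when "install" is passed as Jamf script parameter $4.
ROOT_URL="https://pki.example.internal/root-ca.pem"           # placeholder
INTERMEDIATE_URL="https://pki.example.internal/issuing-ca.pem" # placeholder
ROOT_SHA256="REPLACE_WITH_ROOT_SHA256"                  # uppercase hex, no colons
INTERMEDIATE_SHA256="REPLACE_WITH_INTERMEDIATE_SHA256"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# 0 if a cert with this SHA-256 fingerprint is in the System keychain. Matching
# the fingerprint (security -Z prints it on macOS 10.13+) rather than the subject
# avoids a false "installed" from an older CA that shares the CN.
cert_present() {
    security find-certificate -a -Z "$SYSTEM_KEYCHAIN" 2>/dev/null |
        grep -q "SHA-256 hash: $1"
}

# Extension attribute body: the <result> Jamf stores and smart groups scope on.
ea_result() {
    if cert_present "$ROOT_SHA256" && cert_present "$INTERMEDIATE_SHA256"; then
        echo "<result>Installed</result>"
    else
        echo "<result>Missing</result>"
    fi
}

# Policy side: fetch the PEM, pin it to the published fingerprint, then trust it.
# $3 is the trust policy: trustRoot for the self-signed Root, trustAsRoot for the
# Intermediate. Must run as root (-d writes the admin trust settings).
install_trusted_cert() {
    local url="$1" expected="$2" policy="$3" tmp actual rc
    tmp="$(mktemp)" || return 1
    if ! curl --fail --silent --show-error --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    actual="$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':')"
    if [ "$actual" != "$expected" ]; then
        echo "Fingerprint mismatch for $url: got $actual" >&2
        rm -f "$tmp"; return 2
    fi
    security add-trusted-cert -d -r "$policy" -k "$SYSTEM_KEYCHAIN" "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
case "${4:-check}" in
    install) install_trusted_cert "$ROOT_URL" "$ROOT_SHA256" trustRoot &&
             install_trusted_cert "$INTERMEDIATE_URL" "$INTERMEDIATE_SHA256" trustAsRoot ;;
    *) ea_result ;;
esac
```

The fingerprint check matters because the first download happens before the new CA is trusted, so serve the PEM files from a host whose certificate the Macs already trust and let the pin catch a swapped file.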