Auto Enrol Mac to Windows Enterprise PKI

hadleigh_lynn
New Contributor

Hey Guys,
We are implementing Wifi auth (Device) with TLS through Aerohive.
Has anyone out there configured auto-enrolment of your OS X devices to your Enterprise PKI (Windows Server 2008 R2), e.g. so they all get their own unique device certificate installed in the local keychain?
All our machines are domain bound currently.
Cheers,

1 ACCEPTED SOLUTION

m_entholzner
Contributor III

We're already running this setup with Cisco infrastructure. There should be no difference in obtaining the certificates with an Aerohive infrastructure. Follow these guides, they will lead you in the right way :)

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
https://support.apple.com/HT5357


7 REPLIES

hadleigh_lynn
New Contributor

Thanks, I'll take a look at them.

etippett
Contributor II

Can either of you elaborate on "Install the issuing CA or other CA certificate on the client to ensure that it has a complete trust chain. This installation can also be done using a profile." from step 2 of the section 'Profile Manager payload deployment' in the Apple KB article @m.entholzner linked?

I'm not dealing with Wi-Fi auth, but instead trying to install and configure the Cisco Jabber client for our new VoIP phone deployment. The OS is prompting users to trust the certificates for the Jabber servers, which were issued by our internal Windows PKI. I was assuming I needed to install the root certificate as trusted on the clients (perhaps like this), but the Apple article says the issuing CA cert will be OK. It also mentions that the issuing CA cert can be installed via profile, but doesn't provide any details.

Thanks!
Eric

alexjdale
Valued Contributor III

Yes, if you only put in the CA's cert, that should work since it will be explicitly trusted. I put in the root as well, to make sure bases are covered for the future.

The OS will recognize the root cert is a root cert and treat it as such.

etippett
Contributor II

@alexjdale Thanks for chiming in. Just to verify, you mean only putting in the Issuing CA, right? What method did you use to install the cert? If you used the command line like the linked DerFlounder article, did you use the "trustAsRoot" flag then?

When I export the cert from my Issuing CA, do I need the private key? What format?

Thanks!
Eric

alexjdale
Valued Contributor III

You can manually install certs with the security command, but nowadays we just put them into configuration profiles and they are handled appropriately. You do not need the private keys for CA or root certs, nor do I expect you will be able to get your hands on them.

The links in the post marked as an answer have the information, we more or less follow that same process. I keep my root and CA certs in a separate profile from my machine certs, though.

Since you just need the cert, just don't add a network payload. You will probably want to make sure that all apps can access the AD cert though, that is a checkbox in the profile.

etippett
Contributor II

@alexjdale This is working beautifully for me, thank you! For others' future reference, here's what I did:

  1. Go to your PKI's certificate enrollment webpage (for us this was pki.domain.com/certenroll)
  2. Download the .crt from your root server
  3. Double-click this file. You will be prompted to add the certificates it contains to either the login or system keychains. I chose login.
  4. Open Keychain Access and find the imported cert. Right-click and choose export
  5. Specify filename, location, and file type (.cer)
  6. Create a new Configuration Profile in Casper.
  7. Fill out General info (Install Automatically at Computer Level)
  8. Add Certificate payload and upload the .cer
  9. Scope appropriately

Thanks again!
Eric
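The Apple KB article quoted above says the issuing CA certificate "can also be done using a profile" without showing the payload, and the steps Eric lists end with uploading the .cer into a Casper certificate payload. The script below is an added example (not code from any poster, Jamf, or Apple) that builds the equivalent .mobileconfig by hand with only the Python standard library, so the profile can be inspected or version-controlled before it goes into an MDM. Assumptions: the organization identifier `com.example.mdm`, the file names `RootCA.cer` and `IssuingCA.cer`, and the sample certificate bytes are all made up for the example; the 5-byte `SAMPLE_DER` is a constructed placeholder that only mimics the leading DER SEQUENCE tag of a real certificate and is not a certificate. The payload types `com.apple.security.root` (a root, installed as a trust anchor) and `com.apple.security.pkcs1` (a DER certificate such as an issuing CA, trusted explicitly as alexjdale describes) are Apple's documented profile payload types.

```python
"""Build a computer-level configuration profile that installs CA certificates.

Added example, not from the original thread. It accepts each CA certificate
as either DER (what Keychain Access exports as .cer) or PEM (what an AD CS
certenroll page typically serves as Base64) and emits a .mobileconfig plist.
"""
import base64
import plistlib
import uuid

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed placeholder bytes for the demo: starts with the DER SEQUENCE
# tag (0x30) like a real certificate, but is NOT a certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (
    PEM_BEGIN + b"\n" + base64.b64encode(SAMPLE_DER) + b"\n" + PEM_END + b"\n"
)


def to_der(cert_bytes: bytes) -> bytes:
    """Normalise a certificate file to DER and refuse anything that is not a
    bare certificate (a CA profile must never carry a private key)."""
    if b"PRIVATE KEY-----" in cert_bytes:
        raise ValueError("input contains a private key; export the certificate only")
    if PEM_BEGIN in cert_bytes:
        body = cert_bytes.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        der = base64.b64decode(b"".join(body.split()))
    else:
        der = cert_bytes
    # A DER X.509 certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    # Catches a .p7b exported as text, an HTML error page, or an empty file.
    if not der or der[0] != 0x30:
        raise ValueError("not a DER certificate (expected leading SEQUENCE tag 0x30)")
    return der


def stable_uuid(identifier: str) -> str:
    """Derive the PayloadUUID from the identifier so rebuilding the profile
    does not change UUIDs (an MDM treats a new UUID as a new profile)."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper()


def certificate_payload(filename: str, cert_bytes: bytes, is_root: bool,
                        org_prefix: str) -> dict:
    """One certificate payload: root CAs become trust anchors, an issuing CA
    is installed as an explicitly trusted DER certificate."""
    payload_type = "com.apple.security.root" if is_root else "com.apple.security.pkcs1"
    identifier = f"{org_prefix}.cert.{filename.rsplit('.', 1)[0].lower()}"
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": stable_uuid(identifier),
        "PayloadDisplayName": filename,
        "PayloadCertificateFileName": filename,
        "PayloadContent": to_der(cert_bytes),  # plistlib emits bytes as <data>
    }


def build_ca_profile(certs, org_prefix: str = "com.example.mdm",
                     display_name: str = "Enterprise PKI CA certificates") -> bytes:
    """certs: iterable of (filename, cert_bytes, is_root). Returns plist XML.
    PayloadScope=System is the "Computer Level" choice from the Casper UI."""
    profile_id = f"{org_prefix}.ca-trust"
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": profile_id,
        "PayloadUUID": stable_uuid(profile_id),
        "PayloadDisplayName": display_name,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [
            certificate_payload(name, data, is_root, org_prefix)
            for name, data, is_root in certs
        ],
    }
    return plistlib.dumps(profile)


def parse_profile(profile_bytes: bytes) -> dict:
    """Round-trip helper so a generated profile can be checked before upload."""
    return plistlib.loads(profile_bytes)


if __name__ == "__main__":
    # Root from the root server, issuing CA from certenroll, one profile,
    # kept separate from any machine-certificate (AD Certificate) profile.
    out = build_ca_profile([("RootCA.cer", SAMPLE_DER, True),
                            ("IssuingCA.cer", SAMPLE_PEM, False)])
    with open("ca-trust.mobileconfig", "wb") as fh:
        fh.write(out)
```

Keeping CA trust in its own profile, as alexjdale does, means the root and issuing CA can be rotated without touching the AD Certificate payload that issues each machine's identity certificate, and the private-key check stops the classic mistake of exporting a .p12 from the CA and shipping it to every client.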