Certificates installed and trusted via terminal 'security' not trusted by jamf binary

Contributor III

macos10.15, jamf 10.15.1.

Out JSS cert is not issued by the built in auth. It is generated elsewhere. I have added the cert programmatically to all systems via the script below, and the app Keychain Access shows it as trusted for all categories in the System keychain, however jamf.log shows "the jamf binary could not connect to the JSS because the web certificate is not trusted". If I use keychain access to change the trust for all categories to "System Default", apply the changes, then change it back to "Trusted", the jamf binary can then sync with the jamf server.

Anyone else run into this? This seems to be new behavior with 10.15 and 10.15.1, as I didn't have any problem with our 10.14.6 systems on JAMF Pro 10.12.

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/tmp/JSSCERT.cer"

Valued Contributor III

I have not seen that issue, also running 10.15.1 and macOS 10.15, and we install our corporate root CA certificate with the same command. Is your cert issued by an intermediate CA? We explicitly install and set trust on intermediates as well, since we've seen issues with the chain of trust in the past, just in general on Macs.

Contributor III
Is your cert issued by an intermediate CA?

Yes. I have three CAs above my cert in the chain. I have them all added to local systems via configuration profile, and they all show up as trusted and authoritative. Yet still, only on macos 10.15, the previously described behavior takes place. I wish I knew what the jamf binary is seeing(or not seeing), that isn't showing in the Keychain Access gui, that makes it think it isn't trusted. If I had any proof other than being able to re-produce the result on multiple systems over and over, I could submit a bug report to apple.

New Contributor II

MrP, you get to the bottom of this? I got the same issue. (10.15.3)

Contributor II

The only thing I know that is different with 10.15 is that certs can only be valid for 3 years or less. I have an issue right now with a 5 year cert

Contributor II

EDIT: I actually was about to give up and tried one last thing... issue is fixed now. I had to move all the certs to the DMZ server and re-create the keystore... now it's trusted.

We are having a similar issue - we have two servers, one internal and one in the DMZ. If a user is offsite and on 10.14 or 10.13, they are able to run policies and connect; if they are running 10.15 they receive the error that the web cert is not trusted. I just started in this position, so I figured maybe it was 10.15 not liking the current tomcat certificate. I replaced that tonight and I have the exact same issue - 10.14 works, 10.15 does not. This is a third-party cert for 1 year.

New Contributor III

I'm trying this on big sur 11.4 and it's not going great.
trustAsRoot seems to now be trustRoot
trustAsRoot was giving me SecTrustSettingsSetTrustSettings: One or mote parameters passed to a function were not valid.

Now, logged in as a standard user, the code seems to install the cert but does not modify its trust settings. Instead, it shows a blank admin authentication prompt:
"You are making changes to the System Certificate Trust Settings. Enter an administrator's name and password to allow this."
so now I'm trying to figure that out.
according to https://www.jamf.com/jamf-nation/discussions/36644/how-to-set-a-self-signed-certificate-to-always-trust
gonna have to do it with config profile for big sur