Posted on 03-14-2012 03:43 PM
Hi All,
We're looking at deploying our root CA cert and various other certs signed by this cert via Configuration Profile to our Lion clients.
Any way to set the trust level... or is something like the below needed post profile deployment? If so, how do you handle this?
/usr/bin/security add-trusted-cert -d -r trustRoot -k
Posted on 03-14-2012 03:53 PM
Ran into the same issue as a total Mac n00b. I struggled with the scripting command to get them into System Root, so I ended up manually putting the roots in the image and creating a separate "Corporate" keychain for the intermediate CAs and pushing that as a package.
Works well as long as I don't have to add a new root CA! ;-)
Posted on 03-14-2012 03:59 PM
Emil, there's a script in the resource kit called importCert.sh that will help with the import.
It's a shame that with configuration profiles we also need to do this.
Posted on 03-14-2012 09:49 PM
I just build a configuration profile with iPCU and add my trusted certificates, exported from the Local Administrator account and trusted under it. I then use /usr/bin/profiles -I -F /tmp/mycompany.mobileconfig as a postflight script to install the profile. When these are installed at imaging time they come into the System keychain fully trusted. Thanks for pointing out that other script, I totally forgot that one.
Posted on 05-01-2012 01:51 AM
Any way of replicating Jason's steps using the JSS config profiles?
Posted on 05-01-2012 08:26 AM
Many thanks Jason, I didn't process what you posted... but it worked perfectly, ty!
Posted on 05-01-2012 12:17 PM
I use a package that runs at imaging time. It puts the root and intermediate certs in a temp location, installs them using the security command and then deletes the temp location.
To get the intermediate cert to be trusted you need to switch the -r switch to trustAsRoot, so for that one the command would be:
/usr/bin/security add-trusted-cert -d -r trustAsRoot -k
Posted on 05-01-2012 01:11 PM
Thanks Nick... tbh my idea is to move away from scripting where possible and instead manage my Macs via MCX or Config Profiles.
Posted on 03-31-2016 08:36 AM
I'd like to deploy a cert and have it trusted. I am new to deploying certs to Macs and not sure how to accomplish what jhbush1973 has suggested. We basically have a cert that needs to be deployed to Macs and the cert needs to be trusted once it is deployed.
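A sketch of the profile approach from the 03-14-2012 09:49 PM reply, as an added example that is not part of the original thread or any poster's code: it builds a .mobileconfig with the root CA in a `com.apple.security.root` payload and the intermediate in a `com.apple.security.pkcs1` payload. The organisation identifier `com.example.mycompany`, the certificate names, the system scope and the UUID derivation are assumptions, and the sample certificates are constructed placeholder bytes rather than real certificates.

```python
import base64
import plistlib
import uuid

ROOT = "com.apple.security.root"     # payload type for a root CA certificate
OTHER = "com.apple.security.pkcs1"   # payload type for intermediates and other certs
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_to_der(pem):
    """Return the DER bytes of a PEM text holding exactly one certificate."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("expected exactly one PEM certificate")
    # validate=True rejects stray armor lines, so a bundle of two certs fails here.
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def stable_uuid(identifier):
    # Assumption: derive the UUID from the identifier so a rebuilt profile keeps it.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper()

def cert_payload(org_id, name, pem, is_root):
    ident = f"{org_id}.cert.{name}"
    return {"PayloadType": ROOT if is_root else OTHER, "PayloadVersion": 1,
            "PayloadIdentifier": ident, "PayloadUUID": stable_uuid(ident),
            "PayloadDisplayName": name, "PayloadCertificateFileName": f"{name}.cer",
            "PayloadContent": pem_to_der(pem)}

def build_profile(certs, org_id="com.example.mycompany"):
    """certs: iterable of (name, pem_text, is_root). Returns .mobileconfig bytes."""
    ident = f"{org_id}.certs"
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadScope": "System",  # install for the machine, not one user
               "PayloadIdentifier": ident, "PayloadUUID": stable_uuid(ident),
               "PayloadDisplayName": "Company certificates",
               "PayloadContent": [cert_payload(org_id, *c) for c in certs]}
    return plistlib.dumps(profile)

def _constructed_pem(raw):
    # Constructed sample input: placeholder bytes in PEM armor, not a real certificate.
    return f"{BEGIN}\n{base64.b64encode(raw).decode()}\n{END}\n"

SAMPLE = [("root-ca", _constructed_pem(b"constructed root DER"), True),
          ("issuing-ca", _constructed_pem(b"constructed intermediate DER"), False)]

if __name__ == "__main__":
    print(build_profile(SAMPLE).decode())
```

Written to a file, the output is the kind of profile the `/usr/bin/profiles -I -F` command quoted in the thread installs. Real certificates replace the constructed sample entries.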