Configuration Profile Deployed Certificate Trust Levels?

bentoms
Release Candidate Programs Tester

Hi All,

We're looking at deploying our root CA cert and various other certs signed by this cert via Configuration Profile to our Lion clients.

Any way to set the trust level, or does something like the below need to be run post profile deployment? If so, how do you handle this?

/usr/bin/security add-trusted-cert -d -r trustRoot -k


evarona
New Contributor II

Ran into the same issue as a total Mac n00b. I struggled with scripting the command to get them into System Roots, so I ended up manually putting the roots in the image and creating a separate "Corporate" keychain for the intermediate CAs, and push that as a package.

Works well as long as I don't have to add a new root CA! ;-)

bentoms
Release Candidate Programs Tester

Emil, there's a script in the Resource Kit called importCert.sh that will help with the import.

It's a shame that with configuration profiles we also need to do this.

jhbush
Valued Contributor II

I just build a configuration profile with iPCU, adding my trusted certificates exported from the Local Administrator account and trusted under it. I then use /usr/bin/profiles -I -F /tmp/mycompany.mobileconfig as a postflight script to install the profile. When these are installed at imaging time they come into the System keychain fully trusted. Thanks for pointing out that other script; I totally forgot that one.

bentoms
Release Candidate Programs Tester

Any way of replicating Jason's steps using the JSS config profiles?

bentoms
Release Candidate Programs Tester

Many thanks Jason, I didn't process what you posted, but it worked perfectly. Ty!

nkalister
Valued Contributor

I use a package that runs at image time: it puts the root and intermediate certs in a temp location, installs them using the security command and then deletes the temp location.
To get the intermediate cert to be trusted you need to switch the -r switch to trustAsRoot, so for that one the command would be:

/usr/bin/security add-trusted-cert -d -r trustAsRoot -k
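An added worked example covering both routes discussed above (jhbush's configuration-profile route and nkalister's package route); it is not code from any poster, from Apple or from Jamf. It builds the same kind of .mobileconfig that iPCU would export, with a com.apple.security.root payload for the root CA and com.apple.security.pkcs1 payloads for the intermediates, scoped to the System keychain, and it also produces the equivalent security add-trusted-cert argument lists with trustRoot for the root and trustAsRoot for intermediates. The certificate bytes embedded below are a constructed placeholder, not a real certificate; the organisation name, identifier and directory paths are assumptions. One caveat for anyone reading this later: macOS 11 and newer no longer let profiles(1) install configuration profiles (they must arrive via MDM or System Preferences), so after deployment on any version, check the result with security verify-cert -c leaf.cer rather than assuming trust.

```python
"""Build a .mobileconfig that installs CA certificates into the System keychain,
plus the equivalent `security add-trusted-cert` commands for a package-based install.

Added example for this thread, not code from the original posts, Apple or Jamf.
Assumptions: the caller knows which entry is the self-signed root; inputs are PEM or DER.
"""
from __future__ import annotations

import base64
import plistlib
import re
import uuid
from dataclasses import dataclass
from typing import List

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# iPCU/Profile Manager payload types: root CA vs. any other (intermediate/leaf) cert.
ROOT_PAYLOAD = "com.apple.security.root"
PKCS1_PAYLOAD = "com.apple.security.pkcs1"


@dataclass
class CertEntry:
    name: str       # PayloadDisplayName and file stem used for the package route
    data: bytes     # PEM or DER bytes of one certificate
    is_root: bool   # True only for the self-signed root CA


def to_der(data: bytes) -> bytes:
    """Return DER bytes: decode the base64 body of a PEM block, or pass raw DER through."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
    if data[:1] == b"\x30":  # DER SEQUENCE tag: already DER
        return data
    raise ValueError("input is neither a PEM certificate block nor DER")


def build_profile(org: str, identifier: str, certs: List[CertEntry]) -> bytes:
    """Return the XML plist of a configuration profile carrying all certificates."""
    payloads = []
    for c in certs:
        payloads.append({
            "PayloadType": ROOT_PAYLOAD if c.is_root else PKCS1_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{identifier}.{uuid.uuid4()}",  # unique per payload
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": c.name,
            "PayloadDescription": "Installs a CA certificate",
            "PayloadCertificateFileName": f"{c.name}.cer",
            "PayloadContent": to_der(c.data),  # bytes are written as a <data> element
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} CA certificates",
        "PayloadOrganization": org,
        "PayloadScope": "System",  # System keychain, not a per-user keychain
        "PayloadRemovalDisallowed": True,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def parse_profile(xml: bytes) -> dict:
    """Read a profile back (handy for checking what was generated)."""
    return plistlib.loads(xml)


def trust_commands(certs: List[CertEntry], cert_dir: str,
                   keychain: str = "/Library/Keychains/System.keychain") -> List[List[str]]:
    """argv lists for the package route: trustRoot for the root, trustAsRoot otherwise."""
    cmds = []
    for c in certs:
        policy = "trustRoot" if c.is_root else "trustAsRoot"
        cmds.append(["/usr/bin/security", "add-trusted-cert", "-d", "-r", policy,
                     "-k", keychain, f"{cert_dir}/{c.name}.cer"])
    return cmds


def verify_command(cert_path: str) -> List[str]:
    """Post-install check: evaluates the chain against the keychain's trust settings."""
    return ["/usr/bin/security", "verify-cert", "-c", cert_path]


# Constructed sample input: NOT real certificates, only placeholder DER-looking bytes
# wrapped in PEM framing so the parsing path is exercised. Replace with your own certs.
SAMPLE_ROOT_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_ROOT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_ROOT_DER) + b"-----END CERTIFICATE-----\n")
SAMPLE_CERTS = [
    CertEntry("MyCompany Root CA", SAMPLE_ROOT_PEM, True),
    CertEntry("MyCompany Issuing CA", SAMPLE_ROOT_DER, False),
]

if __name__ == "__main__":
    with open("mycompany.mobileconfig", "wb") as f:
        f.write(build_profile("MyCompany", "com.mycompany.certs", SAMPLE_CERTS))
    for argv in trust_commands(SAMPLE_CERTS, "/tmp/certs"):
        print(" ".join(argv))
    print(" ".join(verify_command("/tmp/certs/MyCompany Issuing CA.cer")))
```

On Lion, install the generated file with `profiles -I -F mycompany.mobileconfig` from a postflight script, as jhbush describes; the package route uses the printed `security` lines instead, and the `verify-cert` line confirms that the chain evaluates as trusted either way.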

bentoms
Release Candidate Programs Tester

Thanks Nick. TBH my idea is to move away from scripting where possible and instead manage my Macs via MCX or Config Profiles.

ksanborn
New Contributor III

I'd like to deploy a cert and have it trusted. I am new to deploying certs to Macs and not sure how to accomplish what jhbush1973 has suggested. We basically have a cert that needs to be deployed to Macs and the cert needs to be trusted once it is deployed.