Posted on 03-18-2014 04:25 PM
Hi all. I am trying to import 11 Certs, 3 root and 8 intermediate certs. When I create a config profile for this, it installs the certs to the login keychain. I am creating the CP as a computer level configuration.
I have tried to script this but run into issues as well.
If I run the script locally, it will install the certificates perfectly. I use this command for each cert:
/usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "location"
The way I have been trying this via profile is:
a) package all the certs into /Library/Application Support/JAMF/Keychain and drop them to the location via DMG/Composer.
b) script runs after and installs the certificates. (This is where the problem lies; I get an "error reading file path/to/file" error message. The certs have permissions set to everyone = read.)
Any thoughts or input?
Thanks.
Posted on 03-18-2014 06:34 PM
Is the script running as root?
Posted on 03-19-2014 08:00 AM
I use the script method you mentioned. I built a package that drops the individual cert files into a temp folder then installs each cert in that temp folder via a postflight script. It works like a charm.
I am curious, what is the reasoning behind step A where you pack the certs into a keychain rather than just installing the loose cert files?
Posted on 03-19-2014 03:13 PM
I've done the same also; I usually just put them into /Users/Shared and then remove them at the end of the script.
You could also put them into /tmp
Posted on 03-20-2014 08:49 AM
This is what I use as a post flight script. Works every time.
#!/bin/sh
## postflight
##
## Not supported for flat packages.
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

## Self-signed roots get trustRoot; intermediates get trustAsRoot.
## Record any failed import so the exit code reflects it (the original
## always reached "exit 0", so the "exit 1" line could never run).
status=0
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certificates/rootca.cer" || status=1
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certificates/CARoot.cer" || status=1
security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certificates/SubCA01.cer" || status=1
security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certificates/subca02.cer" || status=1
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certificates/Web Gateway Root Certificate.cer" || status=1
security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certificates/wifi.cer" || status=1

## The payload is no longer needed once the certs are in the keychain.
rm -rf "/private/tmp/certificates"
exit $status ## 0 = success, 1 = at least one import failed
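The approach the thread converges on (package drops the cert files into a temp folder, a script run as root imports each one with `security add-trusted-cert`, roots with `trustRoot` and intermediates with `trustAsRoot`, then the folder is removed) can be made generic so you do not hand-edit one line per certificate. The script below is an added example, not a script from this thread or from Jamf. It assumes the payload lands in /private/tmp/certificates and that /usr/bin/openssl is available (it is on macOS); it reads the subject and issuer of each file to pick the trust policy, refuses to continue unless running as root, and reports an unreadable file (the "error reading file" symptom above) instead of silently moving on. The SECURITY and OPENSSL variables, and the `postinstall`/`postflight` name check at the bottom, are my additions so the helpers can be exercised without touching a real keychain.

```shell
#!/bin/sh
# Added example: import every certificate in CERT_DIR into the System keychain,
# choosing trustRoot for self-signed roots and trustAsRoot for intermediates.
# CERT_DIR/KEYCHAIN/SECURITY/OPENSSL are assumptions, overridable for testing.

CERT_DIR="${CERT_DIR:-/private/tmp/certificates}"
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
SECURITY="${SECURITY:-/usr/bin/security}"
OPENSSL="${OPENSSL:-/usr/bin/openssl}"

# The System keychain is root-owned: a script that is not root, or that cannot
# read its payload, is the usual cause of "error reading file" from security(1).
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Print "trustRoot" for a self-signed certificate (subject == issuer, i.e. a root
# anchor) and "trustAsRoot" for anything else (an intermediate trusted explicitly).
# $1 = path to a PEM or DER encoded certificate (.cer files may be either).
trust_policy() {
    cert="$1"
    names=$("$OPENSSL" x509 -noout -subject -issuer -in "$cert" 2>/dev/null) \
        || names=$("$OPENSSL" x509 -noout -subject -issuer -inform DER -in "$cert" 2>/dev/null) \
        || return 1
    # Strip the "subject=" / "issuer=" prefixes (and the space LibreSSL adds).
    subject=$(printf '%s\n' "$names" | sed -n 's/^subject=[ ]*//p')
    issuer=$(printf '%s\n' "$names" | sed -n 's/^issuer=[ ]*//p')
    if [ "$subject" = "$issuer" ]; then
        echo trustRoot
    else
        echo trustAsRoot
    fi
}

# Import one certificate; non-zero return with a reason on stderr on any problem.
install_cert() {
    cert="$1"
    if [ ! -r "$cert" ]; then
        echo "cannot read $cert (check ownership/permissions and that we run as root)" >&2
        return 1
    fi
    policy=$(trust_policy "$cert") || { echo "not a certificate: $cert" >&2; return 1; }
    "$SECURITY" add-trusted-cert -d -r "$policy" -k "$KEYCHAIN" "$cert"
}

# Import everything in CERT_DIR. Prints the number of failures; returns 0 only
# if every file imported.
install_all() {
    failures=0
    for cert in "$CERT_DIR"/*.cer "$CERT_DIR"/*.crt "$CERT_DIR"/*.pem; do
        [ -e "$cert" ] || continue        # skip an unmatched glob pattern
        install_cert "$cert" || failures=$((failures + 1))
    done
    echo "$failures"
    [ "$failures" -eq 0 ]
}

main() {
    require_root || { echo "$0: must run as root" >&2; exit 1; }
    failed=$(install_all) || true
    echo "imported certificates from $CERT_DIR with $failed failure(s)"
    rm -rf "$CERT_DIR"                    # payload is not needed once imported
    [ "$failed" -eq 0 ]
}

# Run only when installed as a package script; sourcing the file elsewhere just
# defines the functions above.
case "${0##*/}" in
    postinstall|postflight) main "$@" ;;
esac
```

Because the policy is derived from the certificate rather than from a hard-coded list, adding a new intermediate later is just another file in the payload. If you prefer to keep the thread's explicit per-file commands, the `-r` check and the root check are the two pieces worth keeping.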