
Deploying certificates

  • September 17, 2014


We're new to Casper and have a handful of Macs in our primarily Windows environment. They use other policies/applications to push stuff to end users.

However, security issued certificates for network access/provisioning and we are running into a standstill trying to deploy them to Mac end users.

Is there a no-touch way to deploy them, whether in a package or ARD?
I can dump a new keychain into a user's folder but it won't deploy into Keychain.app.

Our techs are only using Composer and ARD as of now.

Any ideas on massively deploying this?

Thanks!

31 replies

  • Contributor
  • September 17, 2014

You do not mention where you want the certificate to end up, but you should look at the following commands:

security add-trusted-cert
security add-certificates

The process would be two steps. One would be to copy the certificate to the machine using ARD. I would copy it somewhere like /tmp/certs/ (not sure if ARD will make the directory if it does not exist already). You could also do that via Composer and a package.

The second would be to send a Unix command from ARD to load that certificate into the correct keychain. You could also add that as a script into the policy that pushes down the certificate, and have the script run 'after'.

If you are using Configuration Profiles at all you can also add certificates that way. Configuration Profiles would be a lot easier.


  • Author
  • Contributor
  • September 17, 2014

Ideally, in the System Keychain or something that would be system wide, with the trust settings set to Always Trust, which didn't seem to get passed down when doing a test deploy.

Also, the certificates are .pem (we have 4 different ones).

Right now the tools we have until our set-up is complete are Composer, ARD, and OS X Server.
So I'm unfortunately limited, but you've been helpful in explaining this, so I appreciate that very much.


  • Valued Contributor
  • September 17, 2014

You could try something like this in the command part of ARD; of course, fix the cert name and the path to it.

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/.installfiles/Cert/mycert.pem"


  • Author
  • Contributor
  • September 17, 2014

Thanks Nessts, the only error I come across is this: SecCertificateAddToKeychain: write permissions error

Ran as root in ARD.


  • Valued Contributor
  • September 17, 2014

Yes, I am sorry, I assumed too much. If you are sending the command from ARD you need to do it as root. If you are running locally in a terminal you should preface the command with sudo. Sorry about that.


  • Author
  • Contributor
  • September 17, 2014

Excellent, thanks for that. Solved that issue, and it's throwing the keychain in there, with the exception of maybe this is a manual process... to switch the Trust caret to Always Trust instead of Use System Defaults in Keychain.

*Thanks again for your help, our Casper deployment can't come soon enough; a config profile would have been way cleaner and easier*


  • New Contributor
  • September 17, 2014

Looks like you already have it sorted, but in future perhaps you could build a config profile with IPCU or similar, load the certs you need in there and then use Tim Sutton's awesome profile-to-package tool and deploy the package:

https://github.com/timsutton/make-profile-pkg


  • Author
  • Contributor
  • September 18, 2014

So far it isn't completely sorted; still not sure on the Always Trust configuration, it's just using System Defaults, which I'm not sure will fully enable the cert or not.

But thanks for the link and info.


bentoms
  • Hall of Fame
  • September 18, 2014

Easiest way is to deploy certs via a config profile; that way they are trusted.

If you're using profiles, all you need to do is create one with the security payload, upload the cert & deploy.


ImAMacGuy
  • Esteemed Contributor
  • October 1, 2014

Is there an easy way to 'always trust' an existing certificate?


  • Contributor
  • October 2, 2014

Can someone help me with a step-by-step process to get the certificate installed please?

I presume I'd need to get the certificate onto all the clients first, then run a script to install?


  • Valued Contributor
  • November 5, 2014

@jwojda:

There is not really an "easy way" to always trust an existing cert, but it is possible. You can set the certificate(s) to "always trust" and then use the security command to export the trust settings to a plist:

bash-3.2# security trust-settings-export -d /Users/Shared/trust_settings.plist

Be aware that this will include ALL trust settings for items in your System keychain, so you may want to do this on a machine that has only the certs that you want to edit. Once you have the plist, you can copy it to your client systems and import the trust settings like so:

bash-3.2# security trust-settings-import -d /Users/Shared/trust_settings.plist

So yeah, kind of a pain in the a$$, but doable.

--Andy


bentoms
  • Hall of Fame
  • November 5, 2014

Or just redeploy the cert via config profile.


  • Valued Contributor
  • November 5, 2014

@bentoms

That seems to work for root certs but not for others. I deployed a non-root cert via a profile this morning and it didn't have any trust settings specified.


  • Valued Contributor
  • November 5, 2014

@g1za

Yes, that is correct. The process that we have used is to lay down the cert in a temp location via a package, use a postinstall script to install the cert, and then clean up afterwards. Something like this:

#!/bin/bash

# Where the package staged the certs, and the keychain they go into.
CERT_PATH="/private/var/tmp"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Add the RADIUS server cert with an explicit trust setting, then add the
# issuing CA so the chain can be built. Paths are quoted because one of the
# file names contains spaces.
/usr/bin/security add-trusted-cert -d -r trustAsRoot -k "${SYSTEM_KEYCHAIN}" "${CERT_PATH}/radius01.pretendco.com.cer"
/usr/bin/security add-certificates -k "${SYSTEM_KEYCHAIN}" "${CERT_PATH}/DigiCert SHA2 Secure Server CA.cer"

# Remove the staged copies once they are in the keychain.
rm -f "${CERT_PATH}/radius01.pretendco.com.cer"
rm -f "${CERT_PATH}/DigiCert SHA2 Secure Server CA.cer"

exit 0

Or you could just deploy them via a profile as @bentoms suggests :)

--Andy
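A more general form of the postinstall above, added here as an example and not Andy's script: it walks a staging directory, tells self-signed roots apart from intermediates and leaves with openssl, and gives only the roots the trustAsRoot setting (the others are just added so chains can be built). CERT_DIR is a hypothetical staging path; DRY_RUN=1 prints the security commands instead of running them.

```bash
#!/bin/bash
# Added example: install every certificate staged in CERT_DIR into the
# System keychain. Only self-signed roots receive an explicit trust setting;
# intermediates and leaves are merely added. Paths are quoted throughout so
# names with spaces ("DigiCert SHA2 Secure Server CA.cer") are handled.
# CERT_DIR is a hypothetical staging path; DRY_RUN=1 only prints commands.
set -e

CERT_DIR="${CERT_DIR:-/private/var/tmp/certs}"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just echo it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi; }

# Print "root" when the certificate is self-signed (subject equals issuer),
# otherwise "intermediate". Accepts PEM or DER files.
classify_cert() {
    local f="$1" fmt="PEM" subj iss
    grep -q 'BEGIN CERTIFICATE' "$f" || fmt="DER"
    subj=$(openssl x509 -inform "$fmt" -in "$f" -noout -subject)
    iss=$(openssl x509 -inform "$fmt" -in "$f" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo root; else echo intermediate; fi
}

# Install one file with the matching security(1) subcommand, then remove
# the staged copy so the certificate does not linger in the temp location.
install_cert() {
    local f="$1"
    case "$(classify_cert "$f")" in
        root) run /usr/bin/security add-trusted-cert -d -r trustAsRoot \
                  -k "$SYSTEM_KEYCHAIN" "$f" ;;
        *)    run /usr/bin/security add-certificates -k "$SYSTEM_KEYCHAIN" "$f" ;;
    esac
    run rm -f "$f"
}

install_all() {
    for f in "$CERT_DIR"/*.pem "$CERT_DIR"/*.cer; do
        [ -f "$f" ] || continue   # skip unmatched glob patterns
        install_cert "$f"
    done
}

# Only act when the staging directory exists (it will not on a build host).
if [ -d "$CERT_DIR" ]; then install_all; fi
```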


  • Contributor
  • January 27, 2015

What am I doing wrong?

I've put the certificate in the / path and via ARD am trying to install with:

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/DC1.cer"


RobertHammen
  • Esteemed Contributor
  • January 27, 2015

Quote marks missing?

security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certificate.cer"
srm "/private/tmp/certs/certificate.cer"


bentoms
  • Hall of Fame
  • January 31, 2015

@g1za, honestly. Try via a profile.


acodega
  • Valued Contributor
  • January 31, 2015

A configuration profile will install this certificate for you. If there's something not working, let's talk about that.

Let the big expensive box do the work for you. :-)


  • New Contributor
  • April 8, 2015

I'm trying to deploy a new internal root CA & intermediate cert, and they are not coming down (via Config Profile) as trusted.

I added new certificates to our existing cert deployment profile, but these new certs install and show up in Keychain with the error "This certificate could not be verified". OK, I just looked at it again and my root is showing up as an intermediate cert, not a root.

What am I doing wrong?


  • New Contributor
  • July 22, 2015

If a configuration profile isn't signed, it will install the certs using "system default" trust settings. If you want the certs to install using "always trust" trust settings, you need to sign the configuration profile. A self-signed cert will suffice, such as the one created when you set up profile manager on OS X Server.


bentoms
  • Hall of Fame
  • August 8, 2015

@JDHatman good to know. Thanks!


easyedc
  • Esteemed Contributor
  • December 22, 2015

When using the configuration profile method (ones built by OS X Server Profile Manager), is the default that the setting is applied to the User and you can't configure it to apply to the Computer? I'm testing out @JDHatman's method and not seeing that as an option.


easyedc
  • Esteemed Contributor
  • December 22, 2015

...and I may have found my own answer....


  • Valued Contributor
  • December 22, 2015

@JDHatman I am confused by your post regarding signed profiles. Doesn't the JSS sign all profiles by default? If so, shouldn't all certs that are delivered as part of config profiles from the JSS be set to "Always Trust" (they are not)? Or is this only the case for Profile Manager?