Posted on 03-06-2017 02:35 PM
I am running into a brick wall getting a cert installed as trusted. I have looked all over the forum and have tried just about every script I could find, but get the same result. Below is the log output after I run the install and script.
Sending Wake On LAN command...
Opening SSH Connection to 10.119.xxx.xx...
Authenticating...
Successfully authenticated.
Verifying Computer's Identity...
The MAC Address has been verified.
Checking Operating System Version...
Running Mac OS X 10.12.1 (16B2657)
Verifying /usr/local/jamf/bin/jamf...
/usr/local/bin/jamf is (9.97.1488392992) not the current version (9.97.1482356336).
Verifying /usr/sbin/jamf...
/usr/sbin/jamf does not exist.
Downloading /usr/local/jamf/bin/jamf from JSS...
Moving jamf binary to /usr/local/jamf/bin/jamf...
Created the jamf binary directory /usr/local/jamf/bin.
Moving jamf binary to /usr/local/jamf/bin/jamf...
Moved the JAMF CLI Binary to /usr/local/jamf/bin/jamf.
Creating symlink /usr/local/bin/jamf...
Enabling /usr/local/jamf/bin/jamf...
Enabled the JAMF CLI Binary.
Verifying /Library/Preferences/com.jamfsoftware.jamf.plist...
Preparing Policy...
The management framework will be enforced as soon as all policies are done executing.
Executing Policy 2017-03-06 at 10:17 PM | dpalmer | 1 Computer
Mounting Casper Share
Verifying package integrity...
Copying ForcepointCloudCA.cer.pkg...
Installing ForcepointCloudCA.cer.pkg...
Successfully installed ForcepointCloudCA.cer.pkg.
Running script ForcepointCloudCA...
Script exit code: 0
Script result: Usage: add-trusted-cert [] [certFile]
-d Add to admin cert store; default is user
-r resultType resultType = trustRoot|trustAsRoot|deny|unspecified;
default is trustRoot
-p policy Specify policy constraint (ssl, smime, codeSign, IPSec, iChat,
basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap)
-a appPath Specify application constraint
-s policyString Specify policy-specific string
-e allowedError Specify allowed error (certExpired, hostnameMismatch) or integer
-u keyUsage Specify key usage, an integer
-k keychain Specify keychain to which cert is added
-i settingsFileIn Input trust settings file; default is user domain
-o settingsFileOut Output trust settings file; default is user domain
-D Add default setting instead of per-cert setting
certFile Certificate(s)
Add trusted certificate(s).
Submitting log to https://xxx12345.jamfcloud.com/
Finished.
This is the script I am using:
    pathToScript=$0
    pathToPackage=$1
    targetLocation=$2
    targetVolume=$3
    # everything after the cert path ("srm /private/tmp/certs/...") is on the same line, so it is passed to security as additional arguments
    /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/tmp/certs/ForcepointCloudCA.cer srm /private/tmp/certs/ForcepointCloudCA.cer
    rm -rf "/private/tmp/certs"
    exit 0 ## Success
    exit 1 ## Failure (never reached; exit 0 above ends the script)
Any assistance is very much appreciated. I am on day 4 and just keep hitting the same wall continuously: I get the cert installed to the temp location, but it will not go into the keychain as trusted.
Thanks in Advance.
Posted on 03-06-2017 02:40 PM
Is it an actual root cert? If not, use trustAsRoot instead.
Also, what's the part after you identify the cert file? The "srm /private/tmp/certs/ForcepointCloudCA.cer" part?
Posted on 03-06-2017 03:25 PM
That part was to remove the cert from the temp location. No, it is actually a cert for our new firewall.
Posted on 03-06-2017 08:14 PM
@dpalmer_autoever As @alexjdale mentioned, you need to use trustAsRoot for non-root certs.
Here's what we're using:
    function trustRootCert(){
        certName="$1"
        if [ -f /var/tmp/"${certName}" ]; then
            /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /var/tmp/"${certName}"
            echo "* Installed ${certName}"
        else
            echo "* Error: ${certName} not found in: /var/tmp/"
        fi
        /bin/sleep 1
    }

    function trustCertAsRoot(){
        certName="$1"
        if [ -f /var/tmp/"${certName}" ]; then
            /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /var/tmp/"${certName}"
            echo "* Installed ${certName}"
        else
            echo "* Error: ${certName} not found in: /var/tmp/"
        fi
        /bin/sleep 1
    }

    trustRootCert "rootCert1.cer"
    trustCertAsRoot "nonRootCert1.cer"
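An added example, not Dan's script and not code from this thread, that does the same job with the checks a policy log needs: it refuses to call security when the staged file is missing (so the log shows the real cause instead of add-trusted-cert's usage text), picks trustRoot or trustAsRoot from whether the certificate is self-signed, keeps the cleanup as a separate command on its own line, and confirms the result with security verify-cert. The /private/tmp staging path, the cert name and the use of openssl to read subject and issuer are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: install one CA certificate into
# the System keychain with the right result type. Cert path, name and the
# openssl-based root check are assumptions for illustration.
set -u

# Pick the -r value from the certificate's subject and issuer strings: a
# self-signed root (issuer equals subject) gets trustRoot; an intermediate or
# leaf cert, such as a firewall's inspection cert, gets trustAsRoot.
# Pure string logic so it can be checked without macOS.
result_type_for() {
    subject="$1"
    issuer="$2"
    if [ "$subject" = "$issuer" ]; then
        echo trustRoot
    else
        echo trustAsRoot
    fi
}

# Read subject and issuer with openssl (assumed available), trying PEM first
# and DER second, since .cer files come in either encoding. Returns 1 when
# the file cannot be parsed as either.
result_type_from_file() {
    cert="$1"
    for form in PEM DER; do
        subject=$(openssl x509 -inform "$form" -in "$cert" -noout -subject 2>/dev/null) || continue
        issuer=$(openssl x509 -inform "$form" -in "$cert" -noout -issuer 2>/dev/null) || continue
        # strip the "subject="/"issuer=" prefixes before comparing
        result_type_for "${subject#subject=}" "${issuer#issuer=}"
        return 0
    done
    echo "* Error: $cert is not a readable PEM or DER certificate" >&2
    return 1
}

# Install into the admin (system) trust store and verify the result.
# Returns 2 when the staged file is missing, 1 on any other failure.
install_trusted_cert() {
    cert="$1"
    keychain="${2:-/Library/Keychains/System.keychain}"
    if [ ! -f "$cert" ]; then
        echo "* Error: $cert not found; check where the .pkg puts its payload (pkgutil --files <pkg-id>)" >&2
        return 2
    fi
    rtype=$(result_type_from_file "$cert") || return 1
    # Only the cert path follows the options; cleanup is a separate command below.
    /usr/bin/security add-trusted-cert -d -r "$rtype" -k "$keychain" "$cert" || return 1
    # Confirm the certificate now evaluates as trusted on this machine.
    /usr/bin/security verify-cert -c "$cert" || return 1
    echo "* Installed $cert as $rtype"
    rm -f "$cert"   # remove only the staged file, not all of /private/tmp
}

# Jamf passes script parameters from $4 onward ($1-$3 are reserved); run only
# when a cert path was supplied, e.g. /private/tmp/ForcepointCloudCA.cer
if [ -n "${4:-}" ]; then
    install_trusted_cert "$4"
fi
```

Run it as a policy script with the cert path in parameter 4; a non-zero exit with the "not found" message in the policy log is the signal that the package is not staging the file where the script expects it.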
Posted on 03-07-2017 08:35 AM
Thanks, I will try your script and cross my fingers it works. I appreciate the input.
Posted on 03-07-2017 10:56 AM
@dan.snelson I tried running the script you use, but it is still coming up with the same result. The certificate isn't going into the keychain until I search for it via Spotlight; when I click on the cert, that is when it goes into the keychain as untrusted. I really would hate to have to touch 300+ systems to install this cert. Any other ideas I could try?
Here is the log I get now:
IWA0063256 (682)
Sending Wake On LAN command...
Opening SSH Connection to xx.xxx.xx.xx...
Authenticating...
Successfully authenticated.
Verifying Computer's Identity...
The MAC Address has been verified.
Checking Operating System Version...
Running Mac OS X 10.12.3 (16D32)
Verifying /usr/local/jamf/bin/jamf...
/usr/local/bin/jamf is (9.97.1488392992) not the current version (9.97.1482356336).
Verifying /usr/sbin/jamf...
/usr/sbin/jamf does not exist.
Downloading /usr/local/jamf/bin/jamf from JSS...
Moving jamf binary to /usr/local/jamf/bin/jamf...
Created the jamf binary directory /usr/local/jamf/bin.
Moving jamf binary to /usr/local/jamf/bin/jamf...
Moved the JAMF CLI Binary to /usr/local/jamf/bin/jamf.
Creating symlink /usr/local/bin/jamf...
Enabling /usr/local/jamf/bin/jamf...
Enabled the JAMF CLI Binary.
Verifying /Library/Preferences/com.jamfsoftware.jamf.plist...
Preparing Policy...
Not upgrading jamf binary. do_not_upgrade_jamf is set to true in /Library/Preferences/com.jamfsoftware.jamf.plist
Executing Policy 2017-03-07 at 6:35 PM | dpalmer | 2 Computers
Mounting Casper Share
Verifying package integrity...
Copying CertName.cer.pkg...
Installing CertName.cer.pkg...
Successfully installed CertName.cer.pkg.
Running script Trusted Cert-...
Script exit code: 0
Script result: Error: CertName.cer not found in: /private/tmp/
Error: CertName.cer not found in: /private/tmp/
Unmounting file server...
Submitting log to https://xxx12345.jamfcloud.com/
Finished.
Posted on 03-07-2017 11:16 AM
@dpalmer_autoever Where are the certificates being installed by CertName.cer.pkg?
    Installing CertName.cer.pkg...
    Successfully installed CertName.cer.pkg.
    Running script Trusted Cert-...
    Script exit code: 0
    Script result: Error: CertName.cer not found in: /private/tmp/
    Error: CertName.cer not found in: /private/tmp/
Posted on 03-07-2017 12:55 PM
The cert is installed in /private/tmp and the script is to delete it after installing.
Posted on 03-07-2017 12:57 PM
@dan.snelson here is your script modified for my cert:
    function trustRootCert(){
        certName="$1"   # cert name is passed in from the call at the bottom
        if [ -f /private/tmp/"${certName}" ]; then
            /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/tmp/"${certName}"
            echo "* Installed ${certName}"
        else
            echo "* Error: ${certName} not found in: /private/tmp/"
        fi
        /bin/sleep 1
    }

    function trustCertAsRoot(){
        certName="$1"
        if [ -f /private/tmp/"${certName}" ]; then
            /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/"${certName}"
            echo "* Installed ${certName}"
        else
            echo "* Error: ${certName} not found in: /private/tmp/"
        fi
        /bin/sleep 1
    }

    trustRootCert "ForcepointCloudCA.cer"
    trustCertAsRoot "ForcepointCloudCA.cer"
Posted on 03-07-2017 01:00 PM
@dan.snelson Here is my original script. They both will install the cert but just will not make it trusted or put it in the keychain. I have to search for it and click on it, then it will show up in the Keychain.
    pathToScript=$0
    pathToPackage=$1
    targetLocation=$2
    targetVolume=$3
    # everything after the cert path ("srm /private/tmp/...") is on the same line, so it is passed to security as additional arguments
    security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/ForcepointCloudCA.cer" srm "/private/tmp/ForcepointCloudCA.cer"
    # this removes the entire /private/tmp directory, not just the cert
    rm -rf "/private/tmp/"
    exit 0 ## Success
    exit 1 ## Failure (never reached; exit 0 above ends the script)
Posted on 03-07-2017 01:21 PM
@dpalmer_autoever After installing CertName.cer.pkg on a test machine, what result do you get if you execute the following command in Terminal?
    /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/ForcepointCloudCA.cer
Posted on 03-07-2017 02:00 PM
I get the following error:
    /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/ForcepointCloudCA.cer
    *Error reading file /private/tmp/ForcepointCloudCA.cer
    Error reading file /private/tmp/ForcepointCloudCA.cer
As I see it, it is not finding the file where it should be.
Posted on 03-07-2017 02:02 PM
Thanks for taking the time to assist, it is appreciated!