Skip to main content
Question

Deploying Trusted Certificates OSX Sierra

  • March 6, 2017
  • 12 replies
  • 37 views
D
Forum|alt.badge.img+6

I am running into a brick wall getting a cert installed as trusted. I have looked all over the forum and have tried just about every script I could find but get the same result. Below is the Log output after I run the install and script.

Sending Wake On LAN command...
Opening SSH Connection to 10.119.xxx.xx...
Authenticating...
Successfully authenticated.
Verifying Computer's Identity...
The MAC Address has been verified.
Checking Operating System Version...
Running Mac OS X 10.12.1 (16B2657)
Verifying /usr/local/jamf/bin/jamf...
/usr/local/bin/jamf is (9.97.1488392992) not the current version (9.97.1482356336).
Verifying /usr/sbin/jamf...
/usr/sbin/jamf does not exist.
Downloading /usr/local/jamf/bin/jamf from JSS...
Moving jamf binary to /usr/local/jamf/bin/jamf...
Created the jamf binary directory /usr/local/jamf/bin.
Moving jamf binary to /usr/local/jamf/bin/jamf...
Moved the JAMF CLI Binary to /usr/local/jamf/bin/jamf.
Creating symlink /usr/local/bin/jamf...
Enabling /usr/local/jamf/bin/jamf...
Enabled the JAMF CLI Binary.
Verifying /Library/Preferences/com.jamfsoftware.jamf.plist...
Preparing Policy...
The management framework will be enforced as soon as all policies are done executing.
Executing Policy 2017-03-06 at 10:17 PM | dpalmer | 1 Computer
Mounting Casper Share
Verifying package integrity...
Copying ForcepointCloudCA.cer.pkg...
Installing ForcepointCloudCA.cer.pkg...
Successfully installed ForcepointCloudCA.cer.pkg.
Running script ForcepointCloudCA...
Script exit code: 0
Script result: Usage: add-trusted-cert [] [certFile]
-d Add to admin cert store; default is user
-r resultType resultType = trustRoot|trustAsRoot|deny|unspecified;
default is trustRoot
-p policy Specify policy constraint (ssl, smime, codeSign, IPSec, iChat,
basic, swUpdate, pkgSign, pkinitClient, pkinitServer, eap)
-a appPath Specify application constraint
-s policyString Specify policy-specific string
-e allowedError Specify allowed error (certExpired, hostnameMismatch) or integer
-u keyUsage Specify key usage, an integer
-k keychain Specify keychain to which cert is added
-i settingsFileIn Input trust settings file; default is user domain
-o settingsFileOut Output trust settings file; default is user domain
-D Add default setting instead of per-cert setting
certFile Certificate(s)
Add trusted certificate(s).
Submitting log to https://xxx12345.jamfcloud.com/
Finished.

This is the script I am using:

!/bin/sh

postflight

Not supported for flat packages.

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/tmp/certs/ForcepointCloudCA.cer srm /private/tmp/certs/ForcepointCloudCA.cer

rm -rf "/private/tmp/certs"

exit 0 ## Success
exit 1 ## Failure

Any assistance is very much appreciated, I am on day 4 and just keep hitting the same wall continuously, I get the cert installed to the temp location but it will not go into the keychain as trusted.

Thanks in Advance.

    12 replies

    A
    Forum|alt.badge.img+18
    • alexjdale
    • Contributor
    • March 6, 2017

    Is it an actual root cert? If not, use trustAsRoot instead.

    Also, what's the part after you identify the cert file? The "srm /private/tmp/certs/ForcepointCloudCA.cer" part?

    D
    Forum|alt.badge.img+6

    That part was to remove the Cert from the temp location. No it is actually a cert for our new firewall.

    dan-snelson
    Forum|alt.badge.img+30
    • dan-snelson
    • Honored Contributor
    • March 7, 2017

    @dpalmer_autoever As @alexjdale mentioned, you need to use trustAsRoot for non-root certs.

    Here's what we're using:

    function trustRootCert(){
    certName="$1"
    if [ -f /var/tmp/"${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /var/tmp/"${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: /var/tmp/"
    fi

    /bin/sleep 1

}


function trustCertAsRoot(){
    certName="$1"
    if [ -f /var/tmp/"${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /var/tmp/"${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: /var/tmp/"
    fi

    /bin/sleep 1

}


trustRootCert "rootCert1.cer"

trustCertAsRoot "nonRootCert1.cer"
    D
    Forum|alt.badge.img+6

    Thanks, I will try your script and cross my fingers it works. I appreciate the input.

    D
    Forum|alt.badge.img+6

    @dan.snelson I tried running the script you use but still coming up with the same result. The certificate isn't going into the keychain until I search for it via Spotlight, I click on the cert and that is when it goes into the keychain as untrusted. I really would hate to have to touch 300+ systems to install this cert. Any other ideas I could try?

    Here is the log I get now:

    IWA0063256 (682)

    Sending Wake On LAN command...
    Opening SSH Connection to xx.xxx.xx.xx...
    Authenticating...
    Successfully authenticated.
    Verifying Computer's Identity...
    The MAC Address has been verified.
    Checking Operating System Version...
    Running Mac OS X 10.12.3 (16D32)
    Verifying /usr/local/jamf/bin/jamf...
    /usr/local/bin/jamf is (9.97.1488392992) not the current version (9.97.1482356336).
    Verifying /usr/sbin/jamf...
    /usr/sbin/jamf does not exist.
    Downloading /usr/local/jamf/bin/jamf from JSS...
    Moving jamf binary to /usr/local/jamf/bin/jamf...
    Created the jamf binary directory /usr/local/jamf/bin.
    Moving jamf binary to /usr/local/jamf/bin/jamf...
    Moved the JAMF CLI Binary to /usr/local/jamf/bin/jamf.
    Creating symlink /usr/local/bin/jamf...
    Enabling /usr/local/jamf/bin/jamf...
    Enabled the JAMF CLI Binary.
    Verifying /Library/Preferences/com.jamfsoftware.jamf.plist...
    Preparing Policy...
    Not upgrading jamf binary. do_not_upgrade_jamf is set to true in /Library/Preferences/com.jamfsoftware.jamf.plist
    Executing Policy 2017-03-07 at 6:35 PM | dpalmer | 2 Computers
    Mounting Casper Share
    Verifying package integrity...
    Copying CertName.cer.pkg...
    Installing CertName.cer.pkg...
    Successfully installed CertName.cer.pkg.
    Running script Trusted Cert-...
    Script exit code: 0
    Script result: Error: CertName.cer not found in: /private/tmp/
     Error: CertName.cer not found in: /private/tmp/
    Unmounting file server...
    Submitting log to https://xxx12345.jamfcloud.com/
    Finished.

    dan-snelson
    Forum|alt.badge.img+30
    • dan-snelson
    • Honored Contributor
    • March 7, 2017

    @dpalmer_autoever Where are the certificates being installed by CertName.cer.pkg?

    Installing CertName.cer.pkg... Successfully installed CertName.cer.pkg. Running script Trusted Cert-... Script exit code: 0 Script result: Error: CertName.cer not found in: /private/tmp/ Error: CertName.cer not found in: /private/tmp/
    D
    Forum|alt.badge.img+6

    The cert is installed in /private/tmp and the script is to delete it after installing.

    D
    Forum|alt.badge.img+6

    @dan.snelson here is your script modified for my cert:

    function trustRootCert(){ certName="$ ForcepointCloudCA.cer" if [ -f /private/tmp/"$ ForcepointCloudCA.cer" ]; then /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/tmp/"$ ForcepointCloudCA.cer " echo " Installed $ ForcepointCloudCA.cer " else echo " Error: $ ForcepointCloudCA.cer not found in: /private/tmp/" fi

    /bin/sleep 1

    }
    function trustCertAsRoot(){ certName="$ ForcepointCloudCA.cer" if [ -f /private/tmp/"$ ForcepointCloudCA.cer" ]; then /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/"$ ForcepointCloudCA.cer" echo " Installed $ ForcepointCloudCA.cer" else echo " Error: $ ForcepointCloudCA.cer not found in: /private/tmp/" fi

    /bin/sleep 1

    }
    trustRootCert " ForcepointCloudCA.cer"
    trustCertAsRoot " ForcepointCloudCA.cer"

    D
    Forum|alt.badge.img+6

    @dan.snelson Here is my original script - They both will install the cert but just will not make it Trusted or put it in the keychain. I have to search for it click on it then it will show up in the Keychain.

    !/bin/sh

    postflight

    Not supported for flat packages.

    pathToScript=$0
    pathToPackage=$1
    targetLocation=$2
    targetVolume=$3

    security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/ForcepointCloudCA.cer" srm "/private/tmp/ForcepointCloudCA.cer"

    rm -rf "/private/tmp/"

    exit 0 ## Success
    exit 1 ## Failure

    dan-snelson
    Forum|alt.badge.img+30
    • dan-snelson
    • Honored Contributor
    • March 7, 2017

    @dpalmer_autoever After installing CertName.cer.pkg on a test machine, what result do you get if you execute the following command in Terminal?

    /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/ForcepointCloudCA.cer
    D
    Forum|alt.badge.img+6

    I get the following error:
    /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /private/tmp/ForcepointCloudCA.cer
    *Error reading file /private/tmp/ForcepointCloudCA.cer
    Error reading file /private/tmp/ForcepointCloudCA.cer

    As I see it is not finding the file where it should be.

    D
    Forum|alt.badge.img+6

    Thanks for taking the time to assist, it is appreciated!

    Terms & ConditionsCookie settingsAccessibility statement