Distributing individual certificates

charliwest
Contributor II

Hello all,

I am trying to automate our VPN deployment, and so far I have got the software installing OK; adding the certificates correctly is a work in progress, although I can do it all via the command line, with the user adding their password to allow access to their keychain.

The next thing I need to work out is getting individual certificates onto each user's machine. One way is an individual pkg for each user, but this is a bit messy. While writing this I have thought I could maybe script mounting a share and copying a file using $USERNAME, importing it, then deleting it.

Any ideas on how I could achieve this? We are using F5 SSL certificate authentication.

Thanks

Dave

JPDyson
Valued Contributor

What's making the certs? Can it do SCEP?

charliwest
Contributor II

Microsoft Active Directory Certificate Services Certificate Authority. I just saw an article about using Configuration Profiles to push them out, so this might be the way to go I think, but I'm a little unsure: will using that import the cert into the keychain? I would then need to set the identity preference, and it also needs a trusted cert for the issuing server.

rderewianko
Valued Contributor II

We have self-signed certs for our phone system, and use this to import them. It's a bit messy, but we don't have to change these certs very often. I modified a loop someone wrote for cleaning the dock to play with certs instead.

#!/bin/bash
# Directory the certs are staged in by the package (the path contains a space, so it is always quoted)
CERTDIR="/Library/Application Support/JAMF/certs"
# Bash array: elements are separated by spaces, not commas, and use plain ASCII quotes
CERTLIST=("cert1.cer" "cert2.cer" "cert3.cer")

# Loop over every element; a bare "$certlist" would only expand to the first one
for i in "${CERTLIST[@]}"
do
    # File name without directory or extension, used for logging
    CertName=$(/bin/echo "$i" | /usr/bin/awk -F/ '{print $NF}' | /usr/bin/awk -F. '{print $1}')
    /bin/echo "Importing $CertName as a trusted root into the System keychain"
    # add-trusted-cert takes one certificate file path, so the directory and file name are joined here
    /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CERTDIR/$i"
done

# Remove the certs directory used for the import
rm -rf "$CERTDIR"

exit 0

bentoms
Release Candidate Programs Tester

@dwest, this can all be done with 2 config profiles:

  1. One profile with a Certificate payload deploying the CA's certificate
  2. A second profile with an AD Certificate payload for the AD certificate request

We've done that for a few years; it works well.

charliwest
Contributor II

Cheers @bentoms, getting there: the CA is there, but the AD cert is failing with "Unable to decrypt encrypted profile." Looking into that now :)

charliwest
Contributor II

@bentoms have you ever had to assign an identity preference to the certificates? I have tried with a script, but as it's run as root, getting the common name is proving a real pain. I tried $FULLNAME (as the common name is also the same as the user's full name), but this fails with various errors:

Script result: security: No matching identity found for "" (when I put the $FULLNAME in "")
Script result: security: No matching identity found for "$FULLNAME" (when I put the $FULLNAME in '')
Script result: security: No matching identity found for "/Users/myusername/Library/Keychains/login.keychain" (when I put the $FULLNAME as it is)

Any ideas?

bentoms
Release Candidate Programs Tester

@dwest, we only use computer level.

But try a user level profile & the variable $USERNAME.

Page 258 of the admin guide for 9.2 has a list of the variables you can use in config profiles.

http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.2-Administrators-G...

charliwest
Contributor II

Thanks @bentoms, but it's the common name of the script variable we need, which is the same as the FULLNAME. I will have to see if I can change this common name to something else. Thanks for looking :)

bentoms
Release Candidate Programs Tester

@dwest, sorry, missed the bit where you're using a script.

Did profiles not work?

I guess you need the username of the logged-in user then.

Something like the below could be adapted:

# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

charliwest
Contributor II

@bentoms the profile loads the certificate, but then we need to assign an Identity Profile against it; the command is easy enough:

security set-identity-preference -s https://vpn.domainname.net/ -c "Common Name" /Users/$USERNAME/Library/Keychains/login.keychain

Where Common Name is the certificate common name, so Firstname Lastname.

But when scripted, the Common Name part fails as I mentioned above. I think I will investigate whether we can create the certs with standard common names like "company_name" so we ditch the space, which I think is really causing the issue.

bentoms
Release Candidate Programs Tester

@dwest, gotcha.

You might be able to put the common name in quotes.

But, using the username might work.

charliwest
Contributor II

@bentoms got it sorted, in case this may help any others:

# Get the current logged in user (awk field 3 is the owner of /dev/console, whatever the column spacing)
consoleuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Get the current logged in user's full name; in this case that is the common name of our VPN certs.
# dscl prints a multi-word RealName on a second line with a leading space, which grep/cut strip off.
commonname=$(/usr/bin/dscl . -read "/Users/$consoleuser" RealName | /usr/bin/grep -v RealName | /usr/bin/cut -c 2-)
# Add the identity preference to the client certificate, running as the user so their login keychain is used
/usr/bin/sudo -u "$consoleuser" /usr/bin/security set-identity-preference -s "https://your.domain.name/" -c "$commonname"
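
A fuller version of the approach in the post above, written as an added example that is not the poster's code: it resolves the console user and common name the same way, but handles both of dscl's RealName output formats (one-word names print inline, multi-word names on an indented second line, which is where the empty common name in the earlier "No matching identity found for """ error comes from), refuses to run when nobody is at the console, and checks that a certificate with that common name exists in the user's keychains before setting the preference. The VPN URL is a placeholder as in the post, and the macOS tools (ls, dscl, security, sudo) are assumed to be present on the client.

```shell
#!/bin/bash
# Added example (not from the thread): set the SSL identity preference for the
# console user's VPN certificate, with the checks the thread's script lacks.
set -u

VPN_URL="https://your.domain.name/"   # placeholder, as in the thread

# Extract the common name from `dscl . -read /Users/<user> RealName` output.
# dscl prints one-word names inline ("RealName: dave") but multi-word names on
# the next line with a leading space. The thread's `grep -v RealName | cut -c 2-`
# yields "" for the inline form, which is the `No matching identity found for ""`
# error seen earlier in the thread.
realname_from_dscl() {
  printf '%s\n' "$1" \
    | sed -e 's/^RealName:[[:space:]]*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
    | head -n 1
}

# Owner of /dev/console from `ls -l` output: awk splits on runs of whitespace,
# so it does not depend on the column padding that breaks `cut -d " "`.
console_user_from_ls() {
  printf '%s\n' "$1" | awk '{ print $3 }'
}

set_vpn_identity_preference() {
  consoleuser=$(console_user_from_ls "$(/bin/ls -l /dev/console)")
  if [ -z "$consoleuser" ] || [ "$consoleuser" = "root" ]; then
    echo "no user logged in at the console; nothing to do" >&2
    return 1
  fi
  commonname=$(realname_from_dscl "$(/usr/bin/dscl . -read "/Users/$consoleuser" RealName)")
  if [ -z "$commonname" ]; then
    echo "no RealName for $consoleuser" >&2
    return 1
  fi
  # Run as the user so their login keychain is searched; quoting keeps the space in "First Last".
  if ! /usr/bin/sudo -u "$consoleuser" /usr/bin/security find-certificate -c "$commonname" >/dev/null 2>&1; then
    echo "no certificate with common name '$commonname' in $consoleuser's keychains" >&2
    return 1
  fi
  /usr/bin/sudo -u "$consoleuser" /usr/bin/security set-identity-preference -s "$VPN_URL" -c "$commonname"
}

# The helpers above are portable; the command itself only makes sense on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
  set_vpn_identity_preference
fi
```

Run it as root from the management tool, as the thread does; the two helper functions can be exercised on any system to confirm the parsing before rolling it out.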

bentoms
Release Candidate Programs Tester

@dwest, nice one!

Not applicable

@bentoms

How would you create a config profile with a Certificate payload deploying the CA's certificate?