Posted on 02-20-2014 05:22 AM
Hello all,
I am trying to automate our VPN deployment, and so far I have got the software installing ok, adding the certificates correctly is a work in progress, although I can do it all via the command line with the user adding their password to allow access to their keychain.
Next thing I need to try and work out is getting individual certificates onto each users machine, one way is individual pkg for each user, but this is a bit messy. While writing I have thought I could maybe script mounting a share and copying a file with $USERNAME maybe? Importing it then deleting it.
Any ideas on how I could achieve this? We are using F5 ssl certificate authentication.
Thanks
Dave
Posted on 02-20-2014 07:11 AM
What's making the certs? Can it do SCEP?
Posted on 02-20-2014 07:40 AM
Microsoft Active Directory Certificate Services Certificate Authority, just saw an article about using Configuration Profiles to push them out, so this might be the way to go I think, but a little unsure, using that will import the cert into the keychain? I would then need to set the identity preference and it also needs a trusted cert for the issuing server.
Posted on 02-20-2014 09:36 AM
We have self-signed certs for our phone system, and use this to import them. It's a bit messy, but we don't have to change these certs very often. I modified a loop someone wrote for cleaning the dock to play with certs instead.
#!/bin/bash
# Self-signed certificate files staged in the certs directory by the policy
CERTLIST=("cert1.cer"
"cert2.cer"
"cert3.cer"
)
CERTDIR="/Library/Application Support/JAMF/certs"
for i in "${CERTLIST[@]}"
do
  # File name without directory or extension, used for logging
  CertName=$(/bin/echo "$i" | /usr/bin/awk -F/ '{print $NF}' | /usr/bin/awk -F. '{print $1}')
  /bin/echo "Adding trusted root certificate: $CertName"
  /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CERTDIR/$i"
done
# Remove the certs from certs directory used in the import
rm -rf "$CERTDIR"
exit 0
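An added example, not part of the post above, that keeps the same import approach but refuses to trust any staged file whose SHA-256 does not match a pin recorded when the cert was generated, so a swapped or corrupted file on the share never lands in the System keychain as a trusted root. The directory, the pin-file location and its format (sha256sum-style "digest  filename" lines) are assumptions; the security call only runs where the tool exists.

```shell
#!/bin/sh
# Added example: verify each staged certificate against a pinned SHA-256 before
# trusting it. Paths below are assumptions, not values from the thread.
CERTDIR="/Library/Application Support/JAMF/certs"
PIN_FILE="${PIN_FILE:-/Library/Application Support/JAMF/cert-pins.sha256}"

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# pinned_digest NAME -> prints the pinned digest for a file name, or nothing if it has no pin
pinned_digest() {
  [ -r "$PIN_FILE" ] || { echo ""; return 0; }
  awk -v n="$1" '$2 == n {print $1; exit}' "$PIN_FILE"
}

# verify_cert FILE EXPECTED -> 0 only when EXPECTED is non-empty and equals the file's digest
verify_cert() {
  _actual=$(sha256_of "$1")
  [ -n "$2" ] && [ "$_actual" = "$2" ]
}

# import_trusted_certs DIR -> trusts every pinned, matching .cer in DIR;
# returns the number of files rejected
import_trusted_certs() {
  _rejected=0
  for _f in "$1"/*.cer; do
    [ -e "$_f" ] || continue
    _name=$(basename "$_f")
    if verify_cert "$_f" "$(pinned_digest "$_name")"; then
      echo "trusting $_name"
      # macOS only: the security tool is absent elsewhere
      if command -v security >/dev/null 2>&1; then
        /usr/bin/security add-trusted-cert -d -r trustRoot \
          -k /Library/Keychains/System.keychain "$_f"
      fi
    else
      echo "REJECTED $_name: digest mismatch or no pin" >&2
      _rejected=$((_rejected + 1))
    fi
  done
  return "$_rejected"
}

# Usage, as root, once the files are staged:
#   import_trusted_certs "$CERTDIR" && rm -rf "$CERTDIR"
```

Only delete the staging directory when nothing was rejected; a leftover rejected file is the thing you want to investigate.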
Posted on 02-20-2014 12:59 PM
@dwest, this can all be done with 2 config profiles:
We've done that for a few years, works well.
Posted on 02-21-2014 02:31 AM
Cheers @bentoms getting there, the CA is there, but the AD cert is failing with "Unable to decrypt encrypted profile." looking into that now :)
Posted on 02-24-2014 06:38 AM
@bentoms you ever had to assign an identity preference to the certificates? Have tried with a script, but as it's run as root getting the common name is proving a real pain, tried $FULLNAME (as the common name is also the same as the user's full name) but this fails with various errors
Script result: security: No matching identity found for "" When I put the $FULLNAME in ""
Script result: security: No matching identity found for "$FULLNAME" When I put the $FULLNAME ''
Script result: security: No matching identity found for "/Users/myusername/Library/Keychains/login.keychain" When I put the $FULLNAME as it is
Any ideas?
Posted on 02-24-2014 10:48 AM
@dwest, we only use computer level.
But try a user level profile & the variable $USERNAME.
Page 258 of the admin guide for 9.2 has a list of the variables you can use in config profiles.
Posted on 02-25-2014 01:35 AM
Thanks @bentoms but it's the common name of the script variable we need, which is the same as the FULLNAME, I will have to see if I can change this common name to something else. Thanks for looking :)
Posted on 02-25-2014 01:44 AM
@dwest, sorry missed the bit where you're using a script.
Did profiles not work?
I guess you need the username of the logged in user then.
Something like the below could be adapted;
# Get the username of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
Posted on 02-25-2014 01:50 AM
@bentoms the profile loads the certificate, but then we need to assign an Identity Profile against it, the command is easy enough
security set-identity-preference -s https://vpn.domainname.net/ -c "Common Name" /Users/$USERNAME/Library/Keychains/login.keychain
Where Common Name is the certificate common name, so Firstname Lastname.
But when scripted the Common Name part fails as I mentioned above. I think I will investigate if we can create the certs with standard common names like "company_name" so we ditch the space which I think is really causing the issue.
Posted on 02-25-2014 02:18 AM
@dwest, gotcha.
You might be able to put the common name in quotes.
But, using the username might work.
Posted on 02-25-2014 06:48 AM
@bentoms got it sorted, in case this may help any others
#!/bin/sh
# Get the current logged in user
consoleuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Get the current logged in full name, in this case that is the common name of our VPN certs.
# dscl prints "RealName: value" on one line, or "RealName:" followed by the value on an
# indented second line when the value contains spaces; handle both forms.
commonname=$(/usr/bin/dscl . -read "/Users/$consoleuser" RealName | /usr/bin/sed -e 's/^RealName: *//' -e '/^$/d' -e 's/^ //')
# Add the Identity Preference to the client certificate in the user's login keychain
/usr/bin/sudo -u "$consoleuser" /usr/bin/security set-identity-preference -s "https://your.domain.name/" -c "$commonname" "/Users/$consoleuser/Library/Keychains/login.keychain"
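An added example, not the poster's script, that goes one step further than the solution above: before writing the identity preference it lists the valid client identities in the user's login keychain and only sets the preference when one is labelled with the expected common name, so a missing or expired cert produces a clear error instead of a silently wrong preference. The VPN URL is a placeholder; the dscl and security output formats parsed here are the ones macOS prints, and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example: set the VPN identity preference only after confirming the identity exists.
VPN_URL="https://vpn.example.invalid/"   # placeholder, not the thread's real URL

# realname_from_dscl -> reads `dscl . -read /Users/NAME RealName` output on stdin and
# prints the value. dscl emits "RealName: Dave" for a single word and "RealName:"
# followed by " Dave West" on a second, space-indented line when the value has spaces.
realname_from_dscl() {
  sed -e 's/^RealName: *//' -e '/^$/d' -e 's/^ //' | head -n 1
}

# identity_present CN -> reads `security find-identity -v -p ssl-client` output on stdin;
# returns 0 when a listed identity's label is exactly CN. Identity lines look like:
#   1) 7E6A...  "Dave West"
# and the trailing "N valid identities found" summary line is ignored.
identity_present() {
  awk -v cn="$1" '
    $1 ~ /^[0-9]+\)$/ {
      label = $0
      sub(/^[^"]*"/, "", label)
      sub(/"[^"]*$/, "", label)
      if (label == cn) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# set_vpn_identity USER CN -> wires the preference in USER's login keychain (macOS only);
# on other systems it only reports what it would run. Returns 1 if no matching identity.
set_vpn_identity() {
  _kc="/Users/$1/Library/Keychains/login.keychain"
  if ! command -v security >/dev/null 2>&1; then
    echo "security tool not available; would run: security set-identity-preference -s $VPN_URL -c \"$2\" $_kc"
    return 0
  fi
  if /usr/bin/sudo -u "$1" /usr/bin/security find-identity -v -p ssl-client "$_kc" | identity_present "$2"; then
    /usr/bin/sudo -u "$1" /usr/bin/security set-identity-preference -s "$VPN_URL" -c "$2" "$_kc"
  else
    echo "no valid identity labelled '$2' in $_kc; not setting preference" >&2
    return 1
  fi
}

# Main: only meaningful on a Mac with a console user and Directory Services available
if [ -e /dev/console ] && command -v dscl >/dev/null 2>&1; then
  consoleuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
  commonname=$(/usr/bin/dscl . -read "/Users/$consoleuser" RealName | realname_from_dscl)
  set_vpn_identity "$consoleuser" "$commonname"
fi
```

Matching on the exact label rather than a substring matters when a user has both an old and a renewed cert with similar names; the lookup also tells you in the policy log which machines never received the cert at all.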
Posted on 02-25-2014 09:39 AM
@dwest, nice one!
Posted on 07-27-2018 07:53 AM
How would you create a config profile with a Certificate payload deploying the CA's certificate?