Help Understanding Root and Intermediate Certificate Deployment

jpsalamat
New Contributor II

I'm charged with standing up Jamf Pro on-prem and I need help understanding how internal Root and Intermediate certificates get deployed. Do these certificates have to be manually uploaded to Jamf Pro then distributed via configuration profile, or is there a way to do it via the AD CS connector?

Thanks for the help.

dan-snelson
Valued Contributor II

@jpsalamat Another option is to create a package which installs the certificates to a temporary directory then use a post-install script to trust each certificate:

#!/bin/bash

###
# Certificate Functions
###

# Directory the package drops the certificates into; adjust to your package layout
certDir="/your/temporary/path/goes/here"

# Remove a certificate from the System keychain by its SHA-1 fingerprint
function deleteCert(){
    certName="$1"
    SHA1="$2"
    /usr/bin/security delete-certificate -Z "${SHA1}" /Library/Keychains/System.keychain
    echo "* Deleted ${certName} with SHA-1 hash: ${SHA1}"
    /bin/sleep 1
}

# Trust a self-signed root certificate (result type trustRoot) in the admin trust domain
function trustRootCert(){
    certName="$1"
    if [ -f "${certDir}/${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${certDir}/${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: ${certDir}/"
    fi
    /bin/sleep 1
}

# Trust a certificate that is not self-signed (e.g. an intermediate) as if it were a root (result type trustAsRoot)
function trustCertAsRoot(){
    certName="$1"
    if [ -f "${certDir}/${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "${certDir}/${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: ${certDir}/"
    fi
    /bin/sleep 1
}

(NOTE: I have noticed this approach is throwing a new dialog in macOS Big Sur.)

jpsalamat
New Contributor II

Thanks, @dan-snelson, that may prove useful. In your suggestion, it sounds like I need to export the certs then upload them to Jamf to then be deployed. Am I correct? This is where I'm lacking understanding. Is it possible for Jamf to request the root and intermediates via the AD CS connector and PKI? My company's security team prefers a request versus a manual export then deployment.

jpsalamat
New Contributor II

I received the OK to upload the root and intermediates to the Jamf Pro server and deploy them via configuration profile.

morsepacific
New Contributor III

@jpsalamat I've just done this myself; they are both marked as non-exportable, and I have set passwords on them in the configuration profile, but they can be exported / copied and imported onto another machine with no issue. Have you configured your profile in a way that prevents this?

morsepacific
New Contributor III

Never mind; protecting them with a password doesn't prevent export, but they can't be imported on another machine, which is good enough.

azloit
New Contributor

What's the difference here between 'trustRoot' and 'trustAsRoot'?
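An added example, not code posted by anyone in this thread, that ties @dan-snelson's package-plus-postinstall approach to the `trustRoot` / `trustAsRoot` distinction asked about just above. In Apple's trust-settings terms, `trustRoot` marks a self-signed root as explicitly trusted, while `trustAsRoot` marks a certificate that is not self-signed (typically an issuing intermediate) as trusted as though it were a root. The script below classifies each staged PEM file by comparing its subject and issuer, applies the matching result type, and confirms the fingerprint is listed in the System keychain afterwards. The staging directory `/tmp/internal-ca-staging`, the `.pem` extension and every function name are assumptions; nothing here comes from Jamf or from the thread's own script.

```shell
#!/bin/sh
# Added example for this thread (not posted by any participant).
# Postinstall-style script: every certificate the package dropped into a
# staging directory is classified as a self-signed root or an intermediate
# and trusted in the System keychain with the matching -r result type.
# Assumptions: the staging path, file extension and function names are made up.
set -u

CERT_DIR="${CERT_DIR:-/tmp/internal-ca-staging}"   # assumed staging directory
KEYCHAIN="/Library/Keychains/System.keychain"
OPENSSL="/usr/bin/openssl"
SECURITY="/usr/bin/security"

# Choose the result type for `security add-trusted-cert -r`:
#   trustRoot   - a self-signed root (subject and issuer are the same name)
#   trustAsRoot - a certificate that is not self-signed, e.g. an issuing
#                 intermediate, trusted as though it were a root
# Pure string comparison so the rule can be exercised without macOS.
chooseTrustPolicy() {
    if [ "$1" = "$2" ]; then
        echo "trustRoot"
    else
        echo "trustAsRoot"
    fi
}

# Read subject and issuer from a PEM file and classify it. Returns non-zero
# when openssl cannot parse the file, so callers skip junk in the directory.
# (A DER-encoded .cer would additionally need `-inform DER`.)
policyForFile() {
    certFile="$1"
    subject="$("$OPENSSL" x509 -in "$certFile" -noout -subject 2>/dev/null)" || return 1
    issuer="$("$OPENSSL" x509 -in "$certFile" -noout -issuer 2>/dev/null)" || return 1
    # drop the "subject=" / "issuer=" prefixes so only the names are compared
    chooseTrustPolicy "${subject#subject=}" "${issuer#issuer=}"
}

# Install one certificate with the policy chosen above. -d targets the
# admin (System) trust domain, as in the functions earlier in the thread.
trustCertificate() {
    certFile="$1"
    policy="$(policyForFile "$certFile")" || {
        echo "* Error: ${certFile} is not a parseable certificate, skipping"
        return 1
    }
    if "$SECURITY" add-trusted-cert -d -r "$policy" -k "$KEYCHAIN" "$certFile"; then
        echo "* Installed $(basename "$certFile") as ${policy}"
    else
        echo "* Error: security refused $(basename "$certFile")"
        return 1
    fi
}

# Post-install check: the certificate's SHA-1 fingerprint must now be listed
# by the System keychain (find-certificate -Z prints it without colons).
verifyInstalled() {
    fingerprint="$("$OPENSSL" x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':')"
    "$SECURITY" find-certificate -a -Z "$KEYCHAIN" | grep -qi "$fingerprint"
}

main() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "This script edits the macOS System keychain; nothing to do on $(uname)."
        return 0
    fi
    [ -d "$CERT_DIR" ] || { echo "* Error: ${CERT_DIR} not found"; return 1; }
    for certFile in "$CERT_DIR"/*.pem; do
        [ -f "$certFile" ] || continue
        if trustCertificate "$certFile" && verifyInstalled "$certFile"; then
            echo "* Verified $(basename "$certFile") is in ${KEYCHAIN}"
            /bin/rm -f "$certFile"     # the staged copy is no longer needed
        fi
    done
}

main
```

Run it as root from the package's postinstall after the payload has placed the PEM files in the staging directory. The subject-equals-issuer test is a heuristic for "self-signed": it is what separates a root from an intermediate in a normal internal PKI, but it does not verify the signature, so the post-install fingerprint check (and, on the Big Sur behaviour noted above, a look at whatever dialog `security` raises) is still worth keeping.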