Solved

Help Understanding Root and Intermediate Certificate Deployment



I'm charged with standing up Jamf Pro on-prem and I need help understanding how internal Root and Intermediate certificates get deployed. Do these certificates have to be manually uploaded to Jamf Pro then distributed via configuration profile, or is there a way to do it via the AD CS connector?

Thanks for the help.

Best answer by jpsalamat

I received the OK to upload the root and intermediates to the Jamf Pro server and deploy them via configuration profile.


6 replies

dan-snelson
  • Honored Contributor
  • 632 replies
  • July 9, 2020

@jpsalamat Another option is to create a package which installs the certificates to a temporary directory then use a post-install script to trust each certificate:

#!/bin/bash

###
# Certificate Functions
###

# Directory the package drops the .cer files into (placeholder; set to the real staging path)
certPath="/your/temporary/path/goes/here"

# Remove a certificate from the System keychain, identified by its SHA-1 fingerprint
function deleteCert(){
    certName="$1"
    SHA1="$2"
    /usr/bin/security delete-certificate -Z "${SHA1}" /Library/Keychains/System.keychain
    echo "* Deleted ${certName} with SHA-1 hash: ${SHA1}"
    /bin/sleep 1
}

# Trust a self-signed root CA certificate (-r trustRoot) in the admin trust domain (-d)
function trustRootCert(){
    certName="$1"
    if [ -f "${certPath}/${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${certPath}/${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: ${certPath}/"
    fi
    /bin/sleep 1
}

# Trust a certificate that is not self-signed (e.g. an intermediate) as if it were a root (-r trustAsRoot)
function trustCertAsRoot(){
    certName="$1"
    if [ -f "${certPath}/${certName}" ]; then
        /usr/bin/security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "${certPath}/${certName}"
        echo "* Installed ${certName}"
    else
        echo "* Error: ${certName} not found in: ${certPath}/"
    fi
    /bin/sleep 1
}

(NOTE: I have noticed this approach is throwing a new dialog in macOS Big Sur.)
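The script above uses both trustRoot and trustAsRoot without saying when each applies: `-r trustRoot` is for a self-signed root CA certificate, while `-r trustAsRoot` makes macOS treat a certificate that is not self-signed (an intermediate issued by some other CA) as a trust anchor. The following added example, which is not part of dan-snelson's script, walks just enough DER to compare a certificate's issuer and subject names and picks the matching result type. The two certificates it checks are constructed stand-ins with the right structure but no real keys or signatures; in practice you would read the .cer files the package staged.

```python
"""Pick trustRoot vs trustAsRoot from a DER certificate's issuer/subject names.

Added example, not the thread's script. Self-signed here means issuer == subject,
which is how CA root certificates are normally distinguished from intermediates;
a full check would also verify the signature against the certificate's own key.
"""

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf: bytes, start: int, end: int):
    """Yield (tag, raw_element_bytes) for each element inside a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend

def issuer_and_subject(cert_der: bytes):
    """Extract the raw issuer and subject Name encodings from a DER Certificate."""
    _, cstart, _ = _read_tlv(cert_der, 0)                 # Certificate SEQUENCE
    tbs_tag, tstart, tend = _read_tlv(cert_der, cstart)   # tbsCertificate SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = list(_children(cert_der, tstart, tend))
    if fields and fields[0][0] == 0xA0:   # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]

def is_self_signed(cert_der: bytes) -> bool:
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject

def trust_result_type(cert_der: bytes) -> str:
    """'trustRoot' for a self-signed root, 'trustAsRoot' for an intermediate."""
    return "trustRoot" if is_self_signed(cert_der) else "trustAsRoot"

# --- constructed sample certificates (structure only; no real keys or signatures) ---

def _der(tag: int, content: bytes) -> bytes:
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    enc = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + content

def _name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; OID 2.5.4.3 is commonName
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA OID
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))      # placeholder key, not usable
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))  # placeholder signature

ROOT_DER = fake_cert("Example Root CA", "Example Root CA")
INTERMEDIATE_DER = fake_cert("Example Issuing CA", "Example Root CA")

if __name__ == "__main__":
    for label, der in (("root", ROOT_DER), ("intermediate", INTERMEDIATE_DER)):
        print(f"{label}: security add-trusted-cert -d -r {trust_result_type(der)} ...")
```

Run against real files, `open("root.cer", "rb").read()` in place of the constructed bytes tells you which of the two functions in the script above to call for each certificate; PEM-encoded files need base64-decoding first.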


  • Author
  • New Contributor
  • 2 replies
  • July 9, 2020

Thanks, @dan-snelson, that may prove useful. In your suggestion, it sounds like I need to export the certs then upload them to Jamf to then be deployed. Am I correct? This is where I'm lacking understanding. Is it possible for Jamf to request the root and intermediates via the AD CS connector and PKI? My company's security team prefers a request versus a manual export then deployment.


  • Author
  • New Contributor
  • 2 replies
  • Answer
  • July 10, 2020

I received the OK to upload the root and intermediates to the Jamf Pro server and deploy them via configuration profile.


  • Contributor
  • 18 replies
  • August 6, 2020

@jpsalamat I've just done this myself; they are both marked as non-exportable, and I have set passwords on them in the configuration profile, but they can be exported / copied and imported onto another machine with no issue. Have you configured your profile in a way that prevents this?


  • Contributor
  • 18 replies
  • August 6, 2020

Nevermind; protecting them with a password doesn't prevent export, but they can't be imported on another machine, which is good enough.
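The accepted answer deploys the root and intermediates as a configuration profile. As an added example (not Jamf's code and not from anyone in the thread), the script below builds that profile with the standard library: a `com.apple.security.root` payload for the self-signed root and a `com.apple.security.pkcs1` payload for each intermediate, both carrying only the DER certificate. Neither payload type contains a private key; the only certificate payload that does, and therefore the only one where a password applies, is `com.apple.security.pkcs12`, which is why the last function flags it. The certificate bytes, organisation identifier and file names are constructed placeholders.

```python
"""Build a .mobileconfig that trusts an internal root CA and its intermediates.

Added example, not Jamf's or the thread author's code. Uses only plistlib/uuid.
"""
import plistlib
import uuid

ROOT_PAYLOAD = "com.apple.security.root"        # self-signed root CA certificate (DER)
CERT_PAYLOAD = "com.apple.security.pkcs1"       # certificate without private key (DER)
IDENTITY_PAYLOAD = "com.apple.security.pkcs12"  # identity + private key; not needed for CA trust

def _cert_payload(payload_type, display_name, filename, der_bytes, org):
    """One certificate payload dictionary; plistlib writes the bytes as <data>."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cert.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": filename,
        "PayloadContent": der_bytes,
    }

def build_ca_profile(root_der, intermediates, org="com.example.it", name="Internal CA Trust"):
    """intermediates is a list of (display_name, der_bytes). Returns the profile as plist XML bytes."""
    payloads = [_cert_payload(ROOT_PAYLOAD, "Root CA", "root-ca.cer", root_der, org)]
    for i, (label, der) in enumerate(intermediates, 1):
        payloads.append(_cert_payload(CERT_PAYLOAD, label, f"intermediate-{i}.cer", der, org))
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.ca-trust",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadScope": "System",   # installs into the System keychain, like the script approach
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)

def summarize(mobileconfig: bytes):
    """Return [(PayloadType, display name, certificate length)] for each inner payload."""
    profile = plistlib.loads(mobileconfig)
    return [(p["PayloadType"], p["PayloadDisplayName"], len(p["PayloadContent"]))
            for p in profile["PayloadContent"]]

def contains_private_key(mobileconfig: bytes) -> bool:
    """True if any payload is a PKCS#12 identity, i.e. ships a private key."""
    profile = plistlib.loads(mobileconfig)
    return any(p["PayloadType"] == IDENTITY_PAYLOAD for p in profile["PayloadContent"])

# constructed placeholders, not real certificates; read the exported .cer files in practice
FAKE_ROOT = b"\x30\x82\x00\x00ROOT-CA-DER-PLACEHOLDER"
FAKE_INTER = b"\x30\x82\x00\x00ISSUING-CA-DER-PLACEHOLDER"

if __name__ == "__main__":
    data = build_ca_profile(FAKE_ROOT, [("Issuing CA", FAKE_INTER)])
    print(summarize(data), "private key present:", contains_private_key(data))
    print(data.decode()[:400])
```

Signing the resulting profile and uploading it to Jamf Pro are separate steps; the point here is that a CA-trust profile built from `.root` and `.pkcs1` payloads holds nothing more sensitive than the public certificates themselves.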


  • New Contributor
  • 1 reply
  • October 26, 2020

What's the difference here between 'trustRoot' and 'trustAsRoot'?

