How to protect 802.1x certificates from being exported and used on another device?

merber
New Contributor II

Hi,

We use 802.1x certificates to connect our Macs (10.12) to our WiFi network. Although there is no user information in the certificate (just the workstation name), we store them in the user's login keychain. It works well so far; however, we want to protect the certificates from being exported and used on another (not entitled) device.

We tried to store the certificate in the system keychain instead of the user's login keychain. But it turned out that the user is asked for admin credentials whenever he tries to connect to the WiFi network, so that is not a usable solution.

Is there any best practice for how to handle 802.1x WiFi certificates?

Thanks
bye
Marcus.


al_platt
Contributor II

If you're using the AD cert template in the JSS there's a tick box to allow/not allow exporting from the keychain.

If it's not ticked then you can't export.

Al
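One way to audit deployed profiles for the export setting Al describes, as an added example that is not from this thread or from Jamf: the "allow export" tick box is assumed to map to the KeyIsExtractable key of the AD Certificate (and SCEP) payload, and the profile below is a constructed sample, not a real one.

```python
import plistlib

# Payload types whose private key honours the KeyIsExtractable flag.
# When the key is absent macOS treats it as true, i.e. exportable.
CERT_PAYLOAD_TYPES = {"com.apple.ADCertificate.managed", "com.apple.security.scep"}


def _settings(payload: dict) -> dict:
    """AD Certificate payloads keep KeyIsExtractable at the top level;
    SCEP payloads nest it inside their own PayloadContent dictionary."""
    inner = payload.get("PayloadContent")
    return inner if isinstance(inner, dict) else payload


def exportable_cert_payloads(profile_bytes: bytes) -> list:
    """Return PayloadIdentifiers of certificate payloads whose private key
    would remain exportable from the keychain (flag missing or true)."""
    profile = plistlib.loads(profile_bytes)
    flagged = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") not in CERT_PAYLOAD_TYPES:
            continue
        if _settings(payload).get("KeyIsExtractable", True):
            flagged.append(payload.get("PayloadIdentifier", "<unnamed>"))
    return flagged


# Constructed sample profile: one AD Certificate payload locked down,
# one SCEP payload that omits the flag and therefore defaults to exportable.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.wifi-8021x",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.ADCertificate.managed",
            "PayloadIdentifier": "com.example.adcert.wifi",
            "CertTemplate": "Machine",  # hypothetical template name
            "KeyIsExtractable": False,
        },
        {
            "PayloadType": "com.apple.security.scep",
            "PayloadIdentifier": "com.example.scep.wifi",
            "PayloadContent": {"URL": "https://scep.example.com/scep"},
        },
    ],
})

if __name__ == "__main__":
    for ident in exportable_cert_payloads(SAMPLE_PROFILE):
        print(f"private key still exportable: {ident}")
```

Run it against an exported .mobileconfig to list every certificate payload that still allows the key to leave the keychain.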

merber
New Contributor II

Hi,

We don't plan to bind the Macs to AD, so we have an independent CA issuing the certificates. Can I use the AD cert template for any certificate?

Marcus.

jrserapio
Contributor

+1 on Marcus' question