How to set PKI Certificates from AD CS Connector as Trusted

gregbr
New Contributor II

We have set up the Jamf AD CS Connector to allow machine-specific certificates to be deployed to our Macs via a Configuration Profile. This works fine, except that the machine certificate is not trusted. A user would have to go into the Keychain and manually set Always Trust. Is there any way to have the certificate be trusted, or to trust it after it has been installed? Each certificate from the PKI will have a unique name (same as the machine name).

7 REPLIES

sdagley
Honored Contributor II

@gregbr Does the certificate you are deploying have the full trust chain embedded? We're not using the AD CS connector, but with the Venafi integration, issuing a certificate via configuration profile includes the user certificate as well as the intermediate and root certificates, and we don't have to modify the trust settings in the keychain.

dlondon
Valued Contributor

You also need to deploy the AD root and ICA certificates. You should be able to include them in the same Configuration Profile.

If you are using this for 802.1X then there are some settings under Network for Trust where you can probably get away with not having the root and ICA certs, but I threw them in anyway.

Neal2
New Contributor
So let's take a quick look at how to install the ADCS Connector, and some ... Settings > Global Management > PKI > Certificate Authorities.


gregbr
New Contributor II

I have included the internal root CA certificate and the issuing CA cert.  Unfortunately, this did not make a difference.  The machine PKI cert is valid, but it is not set to Always Trust.

sdagley
Honored Contributor II

@gregbr If the Root CA for the machine PKI cert's trust chain is set to Always Trust, then the PKI cert should be trusted.

gregbr
New Contributor II

The Root CA is set to Always Trust.  The PKI cert is not trusted, however, when deployed.

sdagley
Honored Contributor II

@gregbr Are you saying the PKI cert is showing in Keychain Access as "When using this certificate: Never Trust"? Or is it showing as "When using this certificate: Use System Defaults"? The latter is normal, and conveys trust in the certificate if the Root CA is set to Always Trust.