Posted on 08-27-2021 11:42 AM
We have set up the Jamf AD CS Connector to allow machine-specific certificates to be deployed to our Macs via a Configuration Profile. This works fine, except that the machine certificate is not trusted. A user would have to go into the Keychain and manually set Always Trust. Is there any way to have the certificate be trusted, or to trust it after it has been installed? Each certificate from the PKI will have a unique name (same as the machine name).
Posted on 08-27-2021 06:42 PM
@gregbr Does the certificate you are deploying have the full trust chain embedded? We're not using the AD CS connector, but with the Venafi integration, issuing a certificate via configuration profile includes the user certificate as well as the intermediate and root certificates, and we don't have to modify the trust settings in the keychain.
08-30-2021 01:36 AM - edited 08-30-2021 01:39 AM
You also need to deploy the AD root and ICA certificates. You should be able to include them in the same Configuration Profile.
If you are using this for 802.1X, then there are some settings under Network for Trust where you can probably get away with not having the root and ICA certs, but I threw them in anyway.
08-30-2021 02:04 AM - edited 08-31-2021 02:12 AM
Posted on 08-30-2021 07:05 AM
I have included the internal root CA certificate and the issuing CA cert. Unfortunately, this did not make a difference. The machine PKI cert is valid, but it is not set to Always Trust.
Posted on 08-30-2021 08:30 AM
@gregbr If the Root CA for the machine PKI cert trust chain is set to Always Trust, then the PKI cert should be trusted.
Posted on 08-30-2021 08:32 AM
The Root CA is set to Always Trust. The PKI cert is not trusted, however, when deployed.
Posted on 08-30-2021 10:38 AM
@gregbr Are you saying the PKI cert is showing in Keychain Access as "When using this certificate: Never Trust"? Or is it showing as "When using this certificate: Use System Defaults"? The latter is normal, and conveys trust in the certificate if the Root CA is set to Always Trust.
Posted on 12-06-2021 08:57 AM
It is set to Use System Defaults. Along the top, in red, it shows certificate is not trusted. The Issuing and Internal Root CA certificates show as Always Trust and appear OK.
Posted on 12-07-2021 08:57 AM
@gregbr What is the signature algorithm for that certificate?
Posted on 12-07-2021 09:46 AM
SHA-256 for the new certificate we are attempting to deploy. We have some older certs in our environment that were on SHA-1, so we have both SHA-1 and SHA-256 versions of the Issuing CA and Internal Root CA certificates deployed.
Posted on 12-07-2021 10:16 AM
SHA-256 should be fine, and unfortunately with that I'm out of ideas for simple fixes since your Issuing and Root CAs are showing as Always Trust. I asked about the signature algorithm because of a past post regarding a cert not being trusted due to one of the newer elliptic curve signatures, which caused a problem.