We have set up the Jamf AD CS Connector to allow machine-specific certificates to be deployed to our Macs via a Configuration Profile. This works fine, except that the machine certificate is not trusted. A user would have to go into the Keychain and manually set Always Trust. Is there any way to have the certificate be trusted, or to trust it after it has been installed? Each certificate from the PKI will have a unique name (the same as the machine name).
@gregbr Does the certificate you are deploying have the full trust chain embedded? We're not using the AD CS Connector, but with the Venafi integration, issuing a certificate via a configuration profile includes the user certificate as well as the intermediate and root certificates, and we don't have to modify the trust settings in the keychain.
You also need to deploy the AD root and ICA certificates. You should be able to include them in the same Configuration Profile.
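Reproducing the symptom outside the Keychain, as an added example that is not part of this thread or of Jamf's tooling: a POSIX shell script that builds a throwaway Root CA -> Issuing CA (ICA) -> machine certificate chain with openssl and then checks which trust bundle lets the machine certificate verify. The CA names and the machine name MAC-0001 are constructed placeholders; the only assumption is that openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway Root -> ICA -> machine
# certificate chain and shows that the leaf only verifies when the trust bundle
# contains the root AND the issuing CA (or the ICA is supplied alongside the leaf).
# All names below are constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for the issuing CA and for the machine (client-auth) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ica.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# 1. Self-signed root CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
  -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Issuing CA (ICA), signed by the root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=Example Issuing CA" -keyout "$WORK/ica.key" -out "$WORK/ica.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -sha256 -extfile "$WORK/ica.ext" -out "$WORK/ica.pem" 2>/dev/null

# 3. Machine certificate named after the Mac, signed by the ICA (what AD CS would issue).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=MAC-0001" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ica.pem" -CAkey "$WORK/ica.key" \
  -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# What a profile that ships both the root and the ICA would put in the trust store.
cat "$WORK/root.pem" "$WORK/ica.pem" > "$WORK/full-chain.pem"

# verify_leaf LEAF TRUST_BUNDLE: exit 0 if LEAF chains to a trusted cert in TRUST_BUNDLE.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_leaf_with_ica LEAF TRUST_BUNDLE ICA: same, but the ICA travels with the leaf
# (as when the intermediate is embedded in the certificate payload) rather than being trusted.
verify_leaf_with_ica() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# chain_status LEAF TRUST_BUNDLE: prints "trusted" or "NOT trusted".
chain_status() {
  if verify_leaf "$1" "$2"; then echo trusted; else echo "NOT trusted"; fi
}

echo "root only in trust store:        $(chain_status "$WORK/leaf.pem" "$WORK/root.pem")"
echo "root + ICA in trust store:       $(chain_status "$WORK/leaf.pem" "$WORK/full-chain.pem")"
if verify_leaf_with_ica "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/ica.pem"; then
  echo "root trusted, ICA sent with leaf: trusted"
else
  echo "root trusted, ICA sent with leaf: NOT trusted"
fi
```

The first line is the situation in the original post: the leaf alone lands on the Mac, nothing it chains to is trusted, so verification fails and the Keychain shows it as untrusted. On the Mac itself the equivalent check after the profile is installed is `security verify-cert -c /path/to/machine.pem`, or export the System keychain with `security find-certificate -a -p /Library/Keychains/System.keychain > bundle.pem` and run `openssl verify -CAfile bundle.pem machine.pem` as above; if the profile carries only the leaf and not the AD root and ICA, you get the root-only result.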
If you are using this for 802.1X, then there are some settings under network for Trust where you can probably get away with not having the root and ICA certs, but I threw them in anyway.
SHA-256 should be fine, and unfortunately with that I'm out of ideas for simple fixes, since your issuing and root CAs are showing as Always Trusted. I asked about the signature algorithm because of a past post about a cert not being trusted due to one of the newer elliptic-curve signatures, which caused a problem.