How to set PKI Certificates from AD CS Connector as Trusted

gregbr
New Contributor II

We have set up the Jamf AD CS Connector to allow for machine-specific certificates to be deployed to our Macs via a Configuration Profile. This works fine, except that the machine certificate is not trusted. A user would have to go into the Keychain and manually set Always Trust. Is there any way to have the certificate be trusted, or trust it after it has been installed? Each certificate from the PKI will be a unique name (same as the machine name).


sdagley
Honored Contributor II

@gregbr Does the certificate you are deploying have the full trust chain embedded? We're not using the AD CS connector, but with the Venafi integration, issuing a certificate via configuration profile includes the user certificate as well as the intermediate and root certificates, and we don't have to modify the trust settings in the keychain.

dlondon
Valued Contributor

You also need to deploy the AD root and ICA certificates. You should be able to include them in the same Configuration Profile.

If you are using this for 802.1x then there are some settings under network for Trust where you can probably get away with not having the root and ICA certs, but I threw them in anyway.

Neal2
New Contributor
So let's take a quick look at how to install the ADCS Connector, and some ... Settings > Global Management > PKI > Certificate Authorities.

gregbr
New Contributor II

I have included the internal root CA certificate and the issuing CA cert.  Unfortunately, this did not make a difference.  The machine PKI cert is valid, but it is not set to Always Trust.

sdagley
Honored Contributor II

@gregbr If the Root CA for the machine PKI cert trust chain is set to Always Trust then the PKI cert should be trusted

gregbr
New Contributor II

The Root CA is set to Always Trust.  The PKI cert is not trusted, however, when deployed.

sdagley
Honored Contributor II

@gregbr Are you saying the PKI cert is showing in Keychain Access as "When using this certificate: Never Trust"? Or is it showing as "When using this certificate: Use System Defaults"? The latter is normal, and conveys trust in the certificate if the Root CA is set to Always Trust.
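The trust rule sdagley describes (the leaf certificate stays on "Use System Defaults" and is trusted only because a chain can be built up to a trusted root) can be checked outside Keychain Access with openssl. The script below is an added example, not code from the thread, from Jamf or from AD CS: it builds a throwaway root CA, issuing CA and machine certificate, then tests the machine certificate in three scenarios that correspond to what has or has not been deployed to a Mac. All names in it (Example Internal Root CA, Example Issuing CA, MAC-001) and the temporary file layout are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a throwaway Root CA -> Issuing CA -> machine certificate
# chain with openssl and show which pieces must be present for the machine
# certificate to validate. All subject names are constructed placeholders.

WORK=$(mktemp -d)

# Generate the three-tier test PKI into the directory given as $1.
make_test_pki() {
  dir=$1

  # Extension profiles: CA certs must carry CA:TRUE, the machine cert must not.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' > "$dir/root.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' \
                'authorityKeyIdentifier=keyid' > "$dir/issuing.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=digitalSignature,keyEncipherment' \
                'extendedKeyUsage=clientAuth' \
                'subjectKeyIdentifier=hash' \
                'authorityKeyIdentifier=keyid' > "$dir/machine.ext"

  for name in root issuing machine; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/$name.key" 2>/dev/null
  done

  # Self-signed internal root CA, SHA-256 signature as in the thread.
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Internal Root CA" \
    -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
    -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null

  # Issuing (intermediate) CA signed by the root.
  openssl req -new -key "$dir/issuing.key" -subj "/CN=Example Issuing CA" \
    -out "$dir/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/issuing.ext" \
    -out "$dir/issuing.pem" 2>/dev/null

  # Machine certificate, CN = computer name, signed by the issuing CA.
  openssl req -new -key "$dir/machine.key" -subj "/CN=MAC-001" \
    -out "$dir/machine.csr" 2>/dev/null
  openssl x509 -req -in "$dir/machine.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/machine.ext" \
    -out "$dir/machine.pem" 2>/dev/null
}

# verify_chain LEAF TRUST_ANCHORS [INTERMEDIATES]
# Exit 0 when openssl can build a chain from LEAF to a certificate in
# TRUST_ANCHORS, optionally using INTERMEDIATES as untrusted helper certs.
# This mirrors the Keychain situation: the leaf has no explicit trust setting
# of its own, so it is trusted only if its issuers are present and trusted.
verify_chain() {
  leaf=$1; anchors=$2; intermediates=$3
  if [ -n "$intermediates" ]; then
    openssl verify -CAfile "$anchors" -untrusted "$intermediates" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$anchors" "$leaf" >/dev/null 2>&1
  fi
}

# Print a one-line verdict for a scenario.
report() {
  label=$1; shift
  if verify_chain "$@"; then echo "$label: trusted"; else echo "$label: NOT trusted"; fi
}

make_test_pki "$WORK"
openssl x509 -in "$WORK/machine.pem" -noout -subject -issuer

report "root + issuing CA present"     "$WORK/machine.pem" "$WORK/root.pem" "$WORK/issuing.pem"
report "root only, issuing CA missing" "$WORK/machine.pem" "$WORK/root.pem"
report "issuing CA only, root missing" "$WORK/machine.pem" "$WORK/issuing.pem"
```

Only the first scenario validates: the root must be a trust anchor and the issuing CA must also be available, which is why the replies above ask for both the root and the ICA to be deployed alongside the machine certificate. On a Mac the same check against the installed keychain trust settings is `security verify-cert -c machine.pem`, which reports the failing link when the chain is incomplete.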

gregbr
New Contributor II

It is set to Use System Defaults. Along the top, in red, it shows certificate is not trusted. The Issuing and Internal Root CA certificates show as Always Trust and appear OK.

sdagley
Honored Contributor II

@gregbr What is the signature algorithm for that certificate?

gregbr
New Contributor II

SHA-256 for the new certificate we are attempting to deploy.  We have some older certs in our environment that were on SHA-1, so we have both SHA-1 and SHA-256 versions of the Issuing CA and Internal Root CA certificates deployed.

sdagley
Honored Contributor II

SHA-256 should be fine, and unfortunately with that I'm out of ideas for simple fixes since your issuing and Root CAs are showing as Always Trusted. I asked about the signature algorithm because of a past post regarding a cert not being trusted due to one of the newer elliptic curve signatures which caused a problem.