Import Root and Intermediate Certs

Lhsachs
Contributor II

I revised the script importCACert.sh from the JAMF Resource Kit in order to build a package that installed both the Root and Intermediate Certs, and always trusted the root.

```sh
#!/bin/bash

# I left out the top end of Nick's Script

########################################################################################
# DEFINE VARIABLES & READ IN PARAMETERS
########################################################################################

# HARDCODED VALUES ARE SET HERE
caCertLocation="/Library/Application Support/JAMF/YourRoot.cer" # Example: "/Library/Application Support/JAMF/CompanyCA.pem"

# edited by lsachs to add intermediate cert
caIntCertLocation="/Library/Application Support/JAMF/YourIntermediate.cer" # Example: "/Library/Application Support/JAMF/CompanyCA.pem"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "caCertLocation"
# (a hardcoded value above takes precedence over the policy parameter)
if [ "$4" != "" ] && [ "$caCertLocation" = "" ]; then
    caCertLocation="$4"
fi

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 5 AND, IF SO, ASSIGN TO "caIntCertLocation"
if [ "$5" != "" ] && [ "$caIntCertLocation" = "" ]; then
    caIntCertLocation="$5"
fi

########################################################################################
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
########################################################################################

# First four characters of the OS version, e.g. "10.6"
OS=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}')

if [ "$caCertLocation" = "" ] || [ ! -f "$caCertLocation" ]; then
    echo "Error: No value was specified for the caCertLocation variable or the file does not exist. Please specify a value for the variable or ensure that you are running this script after installing the certificate."
    exit 1
fi

if [[ "$OS" < "10.5" ]]; then
    echo "Importing CA Cert..."
    /usr/bin/certtool i "$caCertLocation" v k=/System/Library/Keychains/X509Anchors
else
    echo "Importing CA Cert..."
    /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$caCertLocation"
fi

# new section for intermediate cert
if [ "$caIntCertLocation" = "" ] || [ ! -f "$caIntCertLocation" ]; then
    echo "Error: No value was specified for the caIntCertLocation variable or the file does not exist. Please specify a value for the variable or ensure that you are running this script after installing the certificate."
    exit 1
fi

if [[ "$OS" < "10.5" ]]; then
    echo "Importing CA Intermediate Cert..."
    /usr/bin/certtool i "$caIntCertLocation" v k=/System/Library/Keychains/X509Anchors
else
    echo "Importing CA Intermediate Cert..."
    /usr/bin/security add-trusted-cert -d -r unspecified -k /Library/Keychains/System.keychain "$caIntCertLocation"
fi
```
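The script above imports the root with `trustRoot` and the intermediate with `unspecified`, but it never checks that the intermediate was actually issued by that root before putting both into the System keychain. The following is an added example, not the original poster's script and not part of the Jamf Resource Kit: it verifies the chain with `openssl verify` first, keeps the two trust policies from the script (the root is the anchor, the intermediate only inherits trust through the root), and prints the `security add-trusted-cert` commands instead of running them unless `DO_IMPORT=1` is set on a Mac. It assumes `openssl` is on the PATH; the root, intermediate and unrelated certificates it generates are throwaway test data built locally.

```shell
#!/bin/bash
# Added example (not the original poster's script): check that the intermediate
# chains to the root before either is added, and use a different trust policy
# for each. Assumes openssl is on PATH; the demo certs are constructed, throwaway data.
set -u

# Verify that INTERMEDIATE was issued by ROOT. Returns 0 on success, 1 otherwise.
verify_chain() {
    local root="$1" intermediate="$2"
    openssl verify -CAfile "$root" "$intermediate" >/dev/null 2>&1
}

# Trust policy for 'security add-trusted-cert -r'. The root is explicitly trusted
# (trustRoot); the intermediate is added with 'unspecified' so its trust is derived
# from the chain up to the root rather than making it a second trust anchor.
trust_policy() {
    case "$1" in
        root) echo trustRoot ;;
        intermediate) echo unspecified ;;
        *) return 1 ;;
    esac
}

# Print the import command for one certificate; run it only when DO_IMPORT=1
# and the macOS 'security' tool exists (so the demo below never touches a keychain).
import_cert() {
    local role="$1" cert="$2" policy
    policy=$(trust_policy "$role") || return 1
    echo "/usr/bin/security add-trusted-cert -d -r $policy -k /Library/Keychains/System.keychain \"$cert\""
    if [ "${DO_IMPORT:-0}" = "1" ] && [ -x /usr/bin/security ]; then
        /usr/bin/security add-trusted-cert -d -r "$policy" -k /Library/Keychains/System.keychain "$cert"
    fi
}

# Full procedure: refuse to import anything unless the intermediate chains to the root.
install_pair() {
    local root="$1" intermediate="$2"
    if ! verify_chain "$root" "$intermediate"; then
        echo "Error: $intermediate was not issued by $root; nothing imported" >&2
        return 1
    fi
    import_cert root "$root" && import_cert intermediate "$intermediate"
}

# Constructed test data: a throwaway self-signed root, an intermediate signed by it,
# and an unrelated self-signed CA, all written into DIR. Not a real CA.
make_demo_certs() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.cer" \
        -subj "/CN=Demo Root CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/int.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.cer" -days 1 -extfile "$dir/int.ext" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.cer" \
        -subj "/CN=Unrelated CA" -days 1 >/dev/null 2>&1
}

# Demo run: prints the two import commands for a good pair and reports the
# unrelated certificate as an error. DO_IMPORT is forced off here.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
DO_IMPORT=0 install_pair "$demo_dir/root.cer" "$demo_dir/int.cer"
DO_IMPORT=0 install_pair "$demo_dir/root.cer" "$demo_dir/other.cer" || true
rm -rf "$demo_dir"
```

For a real deployment, point `install_pair` at the two files the package installs and run it with `DO_IMPORT=1`; the chain check means a mismatched or mislabelled file fails loudly instead of being silently added to the System keychain.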

8 REPLIES

jhalvorson
Valued Contributor

Thanks for sharing. Your script worked for me with our Internal Root CA and Internal Issuing CA. The use of "unspecified" was the trick I needed.

Jason

nkalister
Valued Contributor

Is an unspecified trust setting the desired result?

If you want the intermediate to be trusted, use trustAsRoot instead of unspecified.

jhalvorson
Valued Contributor

I am stumbling a bit in this area. I had used "trustRoot" for the Internal Issuing CA and that wasn't working correctly. I see in the man for security there is trustRoot and trustAsRoot. I'll look up the meaning and I'll give that a try tomorrow.

jarednichols
Honored Contributor

@Nick

I hope you're not suggesting to explicitly trust your Intermediate certificate...

@Jason

I believe you want TrustAsRoot

bentoms
Release Candidate Programs Tester

Hi Jared,

I got an e-mail about your reply before it was edited :P

We trust our internal root CA cert, we then have an intermediary for our MS Lync Server.. unless I implicitly trust this Lync cert for SSL the client will not connect.

However, the root CA is fully trusted.. so I'm guessing something is wrong??

jarednichols
Honored Contributor

Hi Ben-

So you saw my self editing in-process. Thought it was a little "throat jump down-y" so I walked it back.

So yeah as my original reply stated, you never want to trust an intermediate cert. Question though, you have an intermediate cert for your Lync server? Wouldn't you have a server cert? Or, do you mean that the Lync server cert was issued by your intermediate?

Let's get a look at what your certificate chain is first before we all get confused.

bentoms
Release Candidate Programs Tester

Yep, ignore me & sorry OP for thread stealing.. I need to check what it is I'm seeing & get the right terminology before I ask the question in my own thread..

jarednichols
Honored Contributor

Ben hit me off list.

jared dot nichols at fmr dot com