Installing a certificate on MacOS with trust + one other question

ralvarezOES
Contributor

All,
I'd like to install our wireless certificate on a group of managed Macbooks. The certificate is a valid third-party certificate and is required to connect to our 802.1x wi-fi. I'd also like to set the trust settings so the user doesn't get prompted (The users will not be admins on the machine so they can't trust the cert.)

I tried using Configuration profiles in JAMF and deliver the certificate, the intermediate, and the root. that works, but the user gets prompted each time they connect as the trust settings are default.

I found some articles on this site suggesting to do this task with a Composer package instead and using the 'add-trusted-cert' command.

My question is:
1. Is using a package still the best way to install a certificate with trust? Or is there a better way. I've never used Composer so I'll have to gain some skills.
2. Is this normal behavior for a Mac to not trust a trusted third-party certificate? I've always thought this was odd as we are already using this certificate for our BYOD Wi-Fi and users (who own their device and have admin rights) get prompted to change the trust setting when they first connect.

Thanks.

1 ACCEPTED SOLUTION

ralvarezOES
Contributor

So I ended up using a script with cURL and applied it in policy. Works great.

View solution in original post

11 REPLIES 11

khey
Contributor

make sure in your network payload - Trust - under trusted certificates - tick your intermediate, root etc.

obviously, before you do this, you need to also have the certificate payload with your certificate chain

mschroder
Valued Contributor

We download the certificate with 'curl ...', and then install it with '/usr/bin/security add-trusted-cert ...'.

sam_g
Contributor
Contributor

Is the root cert part of the default trust store (is there a copy of it in the System keychain folder)? If so, all you should need to deploy via a config profile is the cert...the rest should take care of itself.

ralvarezOES
Contributor
make sure in your network payload - Trust - under trusted certificates - tick your intermediate, root etc. obviously, before you do this, you need to also have the certificate payload with your certificate chain

Thanks for all the replies. I tried this and it's working, but the problem I'm having is the Wi-Fi Network name gets put on the bottom of the Wi-Fi list on the computer. That won't work in my environment because I want these users to use the Wi-Fi I'm adding by default.

ralvarezOES
Contributor
Is the root cert part of the default trust store (is there a copy of it in the System keychain folder)? If so, all you should need to deploy via a config profile is the cert...the rest should take care of itself.

I noticed that, the certificates I'm installing (cert, int, and root) via Configuration profiles are all going into the system container. It's a Digicert RapidSSL and it's not in the root by default. I tried to manually add it and got a message that you can't add root certs you can only change trust levels.

ralvarezOES
Contributor
We download the certificate with 'curl ...', and then install it with '/usr/bin/security add-trusted-cert ...'.

I tried this manually. I logged in to the Macbook as an admin. Added the certificate and trusted it. I logged back in as a standard user and was able to connect to the Wi-Fi perfectly.
I'm just going to have to get some more skills, as I've never made a package.

ralvarezOES
Contributor

So I ended up using a script with cURL and applied it in policy. Works great.

khey
Contributor

i would rather download the certificate and upload it to jamf as part of the certificate payload than curl.

tomt
Valued Contributor

I'm working with this and wondering why I can't set trust settings right in the Certificate Payload section? That seems like the best place for it.

Chrisway
New Contributor

Is this the only way to trust the certificate on Mac OS (using a script), other than actually pushing out a Wireless Payload? (which I dont want to do)

justm174
New Contributor III

Can anyone share the script to do this. Im having some trouble with Compose