Keychain Access: Search Directory Services for Certificates

Valued Contributor II

Can Macs get Root CA certificates installed from Active Directory?

I just noticed an option in the Keychain Access app “Search Directory Services for Certificates”. Never noticed this option before. Can someone expand on what this checkbox does?

In the past, I have deployed our certs via custom .pkgs & scripts through JAMF policies (and even ARD back in the day).

Like most environments, certificates are commonly required for our services such as Intranet site(s), 802.1x, Wi-Fi, etc.

I dug around in the man page for /usr/bin/security and I don't see any commands that are applicable.



Legendary Contributor III

I don't know too much about this feature, but my understanding is it's used mostly for obtaining communication-related certificates, like for secure email, from a directory service (AD, OD, etc.).
I doubt you could use it to install a Root CA to a Mac. This page from Apple has no mention of it being used for that purpose, and in fact states that a CA signing certificate must already be installed first for the feature to work at all.

As for installing certs, I would also look at Configuration Profiles these days, if your JSS and Macs are configured to use them. I just started doing this and it's really pretty easy and reliable. Much better than using workarounds like deploying the cert in a pkg and installing in a postinstall script, IMO anyway.
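An added example, not part of the thread above: one way to wrap a root CA certificate in a configuration profile, checking its SHA-256 fingerprint against a value obtained out of band before packaging, since installing a root is a trust decision. The identifier `com.example.corp`, the display names, the file name and the placeholder certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import plistlib
import uuid

# Constructed placeholder, NOT a real certificate; use your CA's exported cert.
SAMPLE_DER = b"constructed placeholder bytes, not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and decode the base64 body to DER bytes."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def stable_uuid(identifier: str) -> str:
    """Same identifier -> same UUID, so a re-deploy replaces the old profile."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper()


def build_root_ca_profile(der: bytes, expected_sha256: str, org_id: str) -> bytes:
    """Return .mobileconfig bytes, refusing a cert whose fingerprint differs."""
    actual = hashlib.sha256(der).hexdigest()
    wanted = expected_sha256.replace(":", "").replace(" ", "").lower()
    if actual != wanted:
        raise ValueError(f"fingerprint mismatch: got {actual}")
    cert_id = f"{org_id}.rootca.cert"  # hypothetical identifier scheme
    cert_payload = {
        "PayloadType": "com.apple.security.root",   # root CA certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": cert_id,
        "PayloadUUID": stable_uuid(cert_id),
        "PayloadDisplayName": "Internal Root CA",
        "PayloadCertificateFileName": "rootca.cer",
        "PayloadContent": der,                      # serialized as <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.rootca",
        "PayloadUUID": stable_uuid(f"{org_id}.rootca"),
        "PayloadDisplayName": "Internal Root CA trust",
        "PayloadScope": "System",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile)
```

The returned bytes can be written to a `.mobileconfig` file and tried on a test Mac before being uploaded to the management server for scoped deployment.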