Posted on 08-13-2012 07:17 AM
We are using config profiles to distribute user certs to grant access to our WiFi network and VPN.
Its working great, however even a semi-savvy user can export the cert from the keychain and put that cert on an non-authorized computer.
Is there a way to retract users from exporting scripts or make the script non-exportable?
Posted on 08-13-2012 08:32 AM
if you're installing with a mobileconfig profile, then there really isn't.
the security command's -x switch can protect your private key in most configurations, but there's no way to use that in conjunction with a mobileconfig profile that contains a cert.
I submitted the ability to protect private keys when installing certs using mobileconfig profiles to apple as a feature request under lion, I'd suggest you do the same!
Posted on 08-13-2012 09:43 AM
security import -h
Usage: import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase] [options...]
-k Target keychain to import into
-t Type = pub|priv|session|cert|agg
-f Format = openssl|openssh1|openssh2|bsafe|raw|pkcs7|pkcs8|pkcs12|netscape|pemseq
-w Specify that private keys are wrapped and must be unwrapped on import
-x Specify that private keys are non-extractable after being imported
-P Specify wrapping passphrase immediately (default is secure passphrase via GUI)
-a Specify name and value of extended attribute (can be used multiple times)
-A Allow any application to access the imported key without warning (insecure, not recommended!)
-T Specify an application which may access the imported key (multiple -T options are allowed)
security import /Path/to/P12File -k /Library/Keychains/System.keychain -f pkcs12 -x
Posted on 01-22-2018 03:59 AM
Is this still a problem for most people? If not, how did you resolve it?
Posted on 01-24-2018 10:36 AM
If you can please open a ticket with Apple the KeyChain app is not recognizing the do not export flag.
Posted on 07-19-2018 12:46 PM
Yes, this is still a major security issue. Any Cert deployed via Config Profile to a macOS 10.13 machine can be exported and importing into any other macOS machine; the only requisite is for the user to be Admin on both machines. This ignorance here is not the Export function, but the ability to IMPORT a Cert into another machine
Posted on 07-19-2018 02:29 PM
You have to set up a profile to not allow cert export in High Sierra ... My profile is custom so I can't real it, but it's something like