Prevent Cert Exports?

AdamH
New Contributor II

We are using config profiles to distribute user certs to grant access to our WiFi network and VPN.
Its working great, however even a semi-savvy user can export the cert from the keychain and put that cert on an non-authorized computer.
Is there a way to retract users from exporting scripts or make the script non-exportable?

6 REPLIES 6

nkalister
Valued Contributor

if you're installing with a mobileconfig profile, then there really isn't.
the security command's -x switch can protect your private key in most configurations, but there's no way to use that in conjunction with a mobileconfig profile that contains a cert.
I submitted the ability to protect private keys when installing certs using mobileconfig profiles to apple as a feature request under lion, I'd suggest you do the same!

jhbush
Valued Contributor II

security import -h

Usage: import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase] [options...]

-k Target keychain to import into

-t Type = pub|priv|session|cert|agg

-f Format = openssl|openssh1|openssh2|bsafe|raw|pkcs7|pkcs8|pkcs12|netscape|pemseq

-w Specify that private keys are wrapped and must be unwrapped on import

-x Specify that private keys are non-extractable after being imported

-P Specify wrapping passphrase immediately (default is secure passphrase via GUI)

-a Specify name and value of extended attribute (can be used multiple times)

-A Allow any application to access the imported key without warning (insecure, not recommended!)

-T Specify an application which may access the imported key (multiple -T options are allowed)

Example...

security import /Path/to/P12File -k /Library/Keychains/System.keychain -f pkcs12 -x

jimmy-swings
Contributor II

Is this still a problem for most people? If not, how did you resolve it?

gachowski
Valued Contributor II

If you can please open a ticket with Apple the KeyChain app is not recognizing the do not export flag.

C

cdinsight
New Contributor II

Yes, this is still a major security issue. Any Cert deployed via Config Profile to a macOS 10.13 machine can be exported and importing into any other macOS machine; the only requisite is for the user to be Admin on both machines. This ignorance here is not the Export function, but the ability to IMPORT a Cert into another machine without prompting for the Cert's Password.

gachowski
Valued Contributor II

You have to set up a profile to not allow cert export in High Sierra ... My profile is custom so I can't real it, but it's something like

KeysNonExtractableByDefault

C