Pros and cons of managing certificates via profiles VS packages?

dstranathan
Valued Contributor II

Currently, I deploy my root and intermediate certificates to my managed Macs using packages that stage the certs into /tmp and then import and trust the certs in the System Keychain with postinstall scripts. This has worked well over the years.

However, I'm wondering if this methodology is getting old-fashioned.

-What are the pros and cons of managing certificates via profiles VS packages?

-Are certificates that are installed via profile automatically trusted by the target Mac? My testing seems to get mixed results.

-If a certificate is installed via a profile but later needs to be removed from the target Mac (i.e.; the profile is unscoped/edited etc), is the actual certificate removed from the target Mac’s System Keychain? Or does removal require additional steps (scripts etc) to remove it?

6 REPLIES 6

sdagley
Honored Contributor II

@dstranathan Installing a root cert, or a cert issued by a trusted root, via Profile at the System level should automatically make the cert trusted.

Removing the profile should remove the certs it installed. I've got developer types that seem to have a knack for finding new ways to muck up the trust on my org's root cert. Removing and re-installing the profile for that cert is my repair mechanism. That's a +1 for profiles over packages because without my org's root cert working my public DP isn't accessible

patgmac
Contributor III

Big Sur no longer allows trusting of root CA's without a user entering their password. So using packages/scripts to install certs to the System keychain no longer works unless you do it with a logged in user and that user enters their password. The supported method is to use certificates, but as we all know, that doesn't fully trust those certs which is why you were probably using a script.

File bugs with Apple if you're finding that your certs are not fully trusted when installed via profiles.

dstranathan
Valued Contributor II

I did some quick mock-ups and I can verify this.

My Big Sur test Macs got both Root and Intermediate in System Keychain and they were both trusted automatically. Thanks for the heads-up @patgmac .

I did notice something odd: When I push the same cert profile to my 10.15 Catalina Macs, the Root certs gets trusted automatically but the Intermediate cert is set to "Use System Defaults". Is this expected?

What happens to my existing Macs that have the AD certs already if I switch to a profile (i.e. the target Macs get the same certs again)? Do I need to have a policy/script to remove them first and then push again via a profile? OR can the same cert peacefully exist twice in the System Keychain? OR perhaps I need to get creative with my Smart Group scopes to make sure only Macs with no certs are targeted to get them?

patgmac
Contributor III

@dstranathan Confirmed here as well. Big Sur has those certs fully trusted when delivered via MDM. So perhaps Apple fixed this since we're no longer able to use scripts.

I've always seen "Use system defaults" with Catalina and lower, which is why I was using a script/package. So I guess I'll continue to use that script/package under Catalina and earlier, and just profile on Big Sur.

My system that was upgraded to Big Sur still has the certs trusted. So like most things that require user permission, they seem to get grandfathered from the install under Catalina.

dstranathan
Valued Contributor II

@patgmac Curious - How many cert payloads do you put in a single profile?

I tend to be a "one-payload-per-profile" kind of guy. (1 Root profile, and 1 intermediate profile here) That way I have more flexibility at the cost of more profiles to manage.

How about you?

patgmac
Contributor III

@dstranathan One payload, 12 certs. We include proxy certs as well and stuff like that.