Help

Push Wireless network Certificate and set EAP and x.509 Basic Policy to Always Trust

rnoureddine
New Contributor III

Posted on ‎07-17-2024 11:42 AM

I'm trying to push Certificate and set EAP and x.509 Basic Policy to Always Trust. I tried installing the cert and then modifying the settings, exporting the cert, then add it to a config profile but when deploying it, the settings never stick.

I also tried to push it via policy with PostInstall script: 

security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer" srm "/private/tmp/certs/certname.cer"

Also tried : security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer" srm "/private/tmp/certs/certname.cer"

All with no luck. Has anyone tried this or maybe have the knowledge to help?

 

Thanks

0 Kudos
Reply
5 REPLIES 5

AJPinto
Honored Contributor III

Posted on ‎07-17-2024 12:30 PM

You need to push the certificate with a Configuration Profile and set it to be available to all applications. Apple retired the ability to force trust a certificate in CLI with macOS 11. Basically -k does nothing anymore.

Reply

howie_isaacks
Valued Contributor II
In response to AJPinto

Posted on ‎07-19-2024 10:24 AM

The method @AJPinto describes is the way we do ours. Our WiFi and Global Protect both use certificate based authentication. We distribute the certificates in a separate profile, specifically, the "auth" certificates. In the WiFi profile, we select this auth certificate in the Trust section.

0 Kudos
Reply

Reboot2611
New Contributor

Posted on ‎07-22-2024 07:10 AM

Hi @AJPinto In my environment I have deployed the certificate with Configuration Profile and set it to be available to all applications.Only the root certificate is deployed as Always Trust. The intermediate & leaf certificate is deployed as Use System Defaults so users are being prompted to Trust the certificate when they join the WIFI network. Am I missing something or how can I make sure the users are not prompted? Thanks 

0 Kudos
Reply

AJPinto
Honored Contributor III
In response to Reboot2611

‎07-22-2024 07:13 AM - edited ‎07-22-2024 07:16 AM

If the user is manually selecting the network, I would wager they are having to tell macOS which certificate the need network needs and not necessarily trusting the certificate. The only method I can think of for totally hands off is to have the Wi-Fi network configured with a Configuration Profile where you specify the Certificate the network needs.

0 Kudos
Reply

Reboot2611
New Contributor
In response to AJPinto

Posted on ‎07-22-2024 07:21 AM

Thanks for your reply. I can give this a try and deploy the WIFI settings and Certificates in one config profile

0 Kudos
Reply