SCEP - Snow Leopard and Lion

jafuller
Contributor

We are looking into SCEP to provide machine certificates to Snow Leopard and Lion.

We are binding the computers to AD. So they have a machine account in AD.
We are looking to use Cisco AnyConnect for VPN and need machine certs to achieve that.

Can you provide any direction on the approach we can take? What we put in place we would like to be able to use with iOS as well. Obviously there is some translation needed, but that is the goal.


jafuller
Contributor

Configuring a .mobileconfig with the SCEP info, seems to do the trick on Lion. However, what I'm looking for now is a way to pass the challenge to the config to use when communicating with the SCEP server.

If any one has some hints on this, it sure would be helpful. Otherwise, I'll post what I come up with.

jafuller
Contributor

Part of the issues we're facing with this is that the "challenge" string is only valid for 60 minutes and is a one-time use. Therefore, once it is used on one computer it is no longer valid. Thus a new "challenge" is issued and needed to connect and receive a certificate.

We have been able to get to the point where certificates are being imported into the login keychain. Our remaining issue is that the certificate is still portable and can be exported even though the SCEP template is set to not allow exportability.

Therefore, we started to test command line options. Using the command line we can take a .p12 file, import it to the login keychain and prevent exportability.

security import /path/to/cert.p12 -t agg -f pkcs12 -x -k login.keychain -P password

The "-x" is the key to prevent exporting of the certificate.

This is a good thing. Now all I need to do is be able to gather the "challenge", pass it through to the Lion profile, generate the cert to login, export the cert, delete it from login, import via command line with the non-exportable flag.

This has been a lot of fun and I haven't even begun to look at Snow Leopard.

nkalister
Valued Contributor

hey ja, have you checked to make sure the private key is not exportable? I'm working on a script that uses that command, and I'm finding that the key can still be exported even if the -x switch is used.

jafuller
Contributor

Nick,
We haven't experienced that. Can you explain how you're still able to export the private key when the cert is imported via security with the -x?

pwinkeler
New Contributor

jafuller: how did you build your mobileconfig with a SCEP payload?

jafuller
Contributor

@pwinkeler:
We used the iPhone Configuration Utility to test this prior to putting it into the JSS. Once we had a working config, we were able to copy those settings into a Configuration Profile in the JSS.

We have an internal MS SCEP instance that we're pointing to. All you need is the path to the mscep.dll. Once you have this, then you need the challenge and/or fingerprint to be able to communicate with the server to issue certificates. I believe the Subject field is also required as that is what the certificate will be named.

We're working with JAMF on an easier way to make this all work. We'll certainly post what we did once we're done.

Cem
Valued Contributor

@jafuller
Did you manage to get the hostname into CN by filling the Subject section of SCEP? What is the variable for that?
I also started this discussion...
https://jamfnation.jamfsoftware.com/discussion.html?id=4878

Cem
Valued Contributor

Ok! I think I will need to update my JSS from 8.43 to 8.52.
Jamf Support response....

We have the variable $COMPUTERNAME for use in Configuration Profiles, which will grab the computer name. If you're interested in checking out the other variables that we can use in configuration profiles, there is a table on page 314 of the Casper Admin's guide:

http://www.jamfsoftware.com/libraries/pdf/products/documentation/Casper_Suite_8.5_Documentation.pdf
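As an added example (not code from this thread, from Jamf or from Apple), the script below builds the SCEP payload jafuller describes (mscep.dll URL, challenge, CA fingerprint, Subject) as a .mobileconfig plist, puts $COMPUTERNAME into the CN as Jamf Support suggests, and then re-parses the file to check the points the thread raises before the profile is pushed. The payload keys (`com.apple.security.scep`, `URL`, `Name`, `Subject`, `Challenge`, `Keysize`, `Key Type`, `Key Usage`, `CAFingerprint`) are the standard Apple SCEP profile keys; the server URL, challenge string, fingerprint and organisation name are constructed placeholders, and the profile identifiers are made up for the example.

```python
"""Build and sanity-check a minimal SCEP configuration profile (.mobileconfig).

Added example for the thread above; not Jamf's or Apple's code. All server
values below are constructed placeholders and must be replaced with your own.
"""
import plistlib
import uuid

# Constructed placeholder values, not real infrastructure.
SCEP_URL = "https://scep.example.invalid/certsrv/mscep/mscep.dll"
CHALLENGE = "PLACEHOLDER-ONE-TIME-CHALLENGE"   # NDES challenges expire and are single-use
# Constructed 20-byte (SHA-1 style) fingerprint in the form the CA displays it.
CA_FINGERPRINT_HEX = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"


def fingerprint_to_bytes(fp_hex: str) -> bytes:
    """Turn a displayed fingerprint ("AA BB ..." or "aa:bb:...") into the raw
    bytes the CAFingerprint <data> key carries."""
    cleaned = "".join(ch for ch in fp_hex if ch not in " :-").lower()
    if len(cleaned) % 2 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("fingerprint is not valid hex")
    return bytes.fromhex(cleaned)


def build_scep_profile(url, challenge, fingerprint_hex,
                       org="Example Org", subject_cn="$COMPUTERNAME"):
    """Return the profile as a plist-compatible dict (hypothetical identifiers)."""
    payload_uuid = str(uuid.uuid4())
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "SCEP machine certificate",
        "PayloadContent": {
            "URL": url,
            "Name": "NDES",                 # CA identifier string sent to the server (assumed)
            "Subject": [[["CN", subject_cn]], [["O", org]]],  # list of RDNs, each a list of [type, value]
            "Challenge": challenge,
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                 # 1 = signing, 4 = encipherment, 5 = both
            "CAFingerprint": fingerprint_to_bytes(fingerprint_hex),
        },
    }
    profile_uuid = str(uuid.uuid4())
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep-profile.{profile_uuid}",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": "SCEP machine certificate",
        "PayloadScope": "System",           # machine certificate, not a per-user one
        "PayloadContent": [scep_payload],
    }


def serialize(profile) -> bytes:
    """XML plist bytes, i.e. the .mobileconfig file contents."""
    return plistlib.dumps(profile)


def check_scep_profile(raw: bytes):
    """Re-parse a serialized profile and return a list of problems (empty = OK):
    HTTPS endpoint, a challenge present, a fingerprint of a digest length,
    and a Subject that actually names the host."""
    profile = plistlib.loads(raw)
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if not scep:
        return ["no SCEP payload"]
    content = scep[0].get("PayloadContent", {})
    problems = []
    if not content.get("URL", "").startswith("https://"):
        problems.append("SCEP URL is not https")
    if not content.get("Challenge"):
        problems.append("no challenge")
    if len(content.get("CAFingerprint", b"")) not in (16, 20, 32):
        problems.append("CAFingerprint length is not MD5/SHA-1/SHA-256")
    cns = [v for rdn in content.get("Subject", []) for (k, v) in rdn if k == "CN"]
    if not cns:
        problems.append("Subject has no CN")
    return problems


if __name__ == "__main__":
    raw = serialize(build_scep_profile(SCEP_URL, CHALLENGE, CA_FINGERPRINT_HEX))
    with open("scep-machine-cert.mobileconfig", "wb") as fh:
        fh.write(raw)
    print("problems:", check_scep_profile(raw) or "none")
```

Because the challenge is short-lived and single-use, a profile generated this way is per-machine and must be built (and installed) inside the challenge window; re-running the check on the generated file before upload catches the usual mistakes (plain-HTTP URL, empty challenge from an expired request, fingerprint pasted with a stray character).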