Workstation Certificate could not be verified.

johnsonjj
New Contributor

Hello,

I'm hoping someone can help me troubleshoot a certificate verification issue. We are using Casper to request a workstation certificate from our internal Windows CA. The cert gets installed with the proper machine name, and the Root and SubCA certs are installed. But the machine cert has the error 'This certificate could not be verified.' The exact same cert template is installed and working on our Windows computers. All of the Macs we are running are AD joined, OS 10.12. Discussions such as https://jamfnation.jamfsoftware.com/article.html?id=209 were helpful to build the request profile, but I'm not finding anyone with the issue we're running into.

Any help or feedback is appreciated.

7 REPLIES

maxbehr
Contributor II

@johnsonjj I've not attempted what you are doing, but does the process of getting the certificates from the internal Windows CA also add the internal Windows CA root to the System keychain and force it to be trusted? I had problems with smart card login and realized that our internal CA cert was not in the System keychain. Once I added that cert and forced it to be trusted, smart card auth worked. I wonder if you need to prepopulate the internal root cert on your Macs first (I do it with the security command-line tool).

bentoms
Release Candidate Programs Tester

@johnsonjj Sounds like the name of the template in the AD Certificate profile is wrong.

The Computer template's name is actually Machine; you can get this from the Certificate Templates MMC.

In regards to deploying the root CA, I'd use a profile (@maxbehr).

johnsonjj
New Contributor

Thank you @maxbehr and @bentoms for your responses. The RootCA and the issuing RootCA are both in the System keychain and show as being trusted for my account. I have them being added in the same profile as the Machine cert.

Does the requested template name have to be Machine? That isn't a default template name on the CA. We've tried changing it around, and as long as the template name doesn't contain spaces the cert gets installed, just not verified.

bentoms
Release Candidate Programs Tester

@johnsonjj It doesn't have to be "machine", but it does have to be the template's name, which can differ.

Also, it's worth checking the permissions on the template.

GaToRAiD
Contributor II

@johnsonjj I ran into this issue a while back. I just happened to have an Apple guy on site when I ran into it, and he told me that after 10.9, Apple put in a little security message that would break what you are trying to do. So to fix it, you need to run this little code if OS > 10.8:

#!/bin/sh
# Write the ADCertAuthLevel key in the MCX preferences to "connect", then restart Finder.
defaults write /Library/Preferences/com.apple.MCX ADCertAuthLevel connect ; killall Finder

bentoms
Release Candidate Programs Tester

@GaToRAiD Odd, we've not had to do that and have been deploying AD certs since 10.7+.

johnsonjj
New Contributor

@GaToRAiD I tried your command but the cert is still not verified. What does the command do?

@bentoms Do you have Basic Constraints set on your root CA? I don't have it specified (none), which doesn't seem to bother the Windows machines, but drilling into the non-validated cert reports an error of certificate status: invalid baseConstraints.CA.
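The Basic Constraints question raised in the last post can be reproduced and checked outside the keychain. The script below is an added example, not code from the thread or from Jamf: it assumes the openssl CLI is installed, builds two constructed test roots (one without and one with the Basic Constraints extension), shows the check to run against a root CA exported from the System keychain, and shows how a strict validator treats each chain. The hostname and config section names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed test roots with and without
# Basic Constraints, the check to run on a root CA, and strict vs. lenient
# chain validation with openssl. All keys and certificates here are test data.
set -e
WORK="$(mktemp -d)"
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Root
[nobc]
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[withbc]
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:TRUE
EOF
# make_root SECTION: self-signed root whose extensions come from SECTION above.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
    -extensions "$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# make_leaf SECTION: a machine certificate issued by that root (hostname is made up).
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=mac001.example.test" -keyout "$WORK/$1-leaf.key" \
    -out "$WORK/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$1-leaf.pem" 2>/dev/null
}
# ca_flag PEM: print CA:TRUE / CA:FALSE, or ABSENT when Basic Constraints is missing.
# This is the check to run on the root exported from the System keychain.
ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
    | grep -oE 'CA:(TRUE|FALSE)' || echo ABSENT
}
# verifies SECTION [-x509_strict]: exit 0 if the leaf chains to its root.
verifies() {
  openssl verify $2 -CAfile "$WORK/$1.pem" "$WORK/$1-leaf.pem" >/dev/null 2>&1
}
for s in nobc withbc; do
  make_root "$s"; make_leaf "$s"
  printf '%s: basicConstraints=%s strict=%s lenient=%s\n' "$s" "$(ca_flag "$WORK/$s.pem")" \
    "$(verifies "$s" -x509_strict && echo ok || echo FAIL)" \
    "$(verifies "$s" && echo ok || echo FAIL)"
done
```

A root that passes lenient validation but fails with -x509_strict is the pattern to look for: the fix is to reissue the root with basicConstraints CA:TRUE, not to loosen the client.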