Question

How to set PKI Certificates from AD CS Connector as Trusted

  • August 27, 2021
  • 11 replies
  • 47 views


We have set up the Jamf AD CS Connector to allow machine-specific certificates to be deployed to our Macs via a Configuration Profile.  This works fine, except that the machine certificate is not trusted.  A user would have to go into the Keychain and manually set Always Trust.  Is there any way to have the certificate be trusted, or to trust it after it has been installed?  Each certificate from the PKI will have a unique name (the same as the machine name).

11 replies

sdagley
  • Jamf Heroes
  • August 28, 2021

@gregbr Does the certificate you are deploying have the full trust chain embedded? We're not using the AD CS connector, but with the Venafi integration issuing a certificate via configuration profile includes user certificate as well as the intermediate and root certificates, and we don't have to modify the trust settings in the keychain.


dlondon
  • Honored Contributor
  • August 30, 2021

You also need to deploy the AD root and ICA certificates.  You should be able to include them in the same Configuration Profile.

If you are using this for 802.1X, then there are some settings under Network for Trust where you can probably get away with not having the root and ICA certs, but I threw them in anyway.


  • New Contributor
  • August 30, 2021
So let's take a quick look at how to install the ADCS Connector, and some ... Settings > Global Management > PKI > Certificate Authorities.

  • Author
  • New Contributor
  • August 30, 2021

I have included the internal root CA certificate and the issuing CA cert.  Unfortunately, this did not make a difference.  The machine PKI cert is valid, but it is not set to Always Trust.


sdagley
  • Jamf Heroes
  • August 30, 2021

@gregbr If the Root CA for the machine PKI cert trust chain is set to Always Trust then the PKI cert should be trusted


  • Author
  • New Contributor
  • August 30, 2021

The Root CA is set to Always Trust.  The PKI cert is not trusted, however, when deployed.


sdagley
  • Jamf Heroes
  • August 30, 2021

@gregbr Are you saying the PKI cert is showing in Keychain Access as "When using this certificate: Never Trust"? Or is it showing as "When using this certificate: Use System Defaults"? The latter is normal, and conveys trust in the certificate if the Root CA is set to Always Trust.


  • Author
  • New Contributor
  • December 6, 2021

It is set to Use System Defaults.  Along the top, in red, it shows the certificate is not trusted.  The Issuing and Internal Root CA certificates show as Always Trust and appear OK.


sdagley
  • Jamf Heroes
  • December 7, 2021

@gregbr What is the signature algorithm for that certificate?


  • Author
  • New Contributor
  • December 7, 2021

SHA-256 for the new certificate we are attempting to deploy.  We have some older certs in our environment that were on SHA-1, so we have both SHA-1 and SHA-256 versions of the Issuing CA and Internal Root CA certificates deployed.


sdagley
  • Jamf Heroes
  • December 7, 2021

SHA-256 should be fine, and unfortunately with that I'm out of ideas for simple fixes, since your issuing and Root CAs are showing as Always Trust. I asked about the signature algorithm because of a past post regarding a cert not being trusted due to one of the newer elliptic curve signatures, which caused a problem.
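The symptom in this thread (root and issuing CA marked Always Trust, machine cert still reported as not trusted) is also what you get when the issuing CA certificate on the device is not the one that actually signed the leaf, for instance an issuing CA renewed with a new key but the same name, which is easy to mix up when SHA-1 and SHA-256 versions of the same CA are both in circulation. The following POSIX shell script is an added example, not code from the thread or from Jamf; it assumes only that `openssl` is installed, builds a constructed test PKI with exactly that shape, and shows two checks you can run on an exported machine cert: a chain verification against each deployed issuing CA version, and a comparison of the leaf's Authority Key Identifier with each candidate CA's Subject Key Identifier. All names and file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed PKI: root -> issuing CA,
# where the issuing CA exists in two versions with the SAME subject name but
# DIFFERENT key pairs (a renewed CA). The machine cert is signed by the new key.
make_test_pki() {  # make_test_pki <empty directory>
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=Example Internal Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for v in old new; do  # two issuing CA certs, same name, different keys
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
      -keyout "$d/issuing-$v.key" -out "$d/issuing-$v.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/issuing-$v.csr" -CA "$d/root.pem" \
      -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/issuing-$v.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=MAC-001234' \
    -keyout "$d/machine.key" -out "$d/machine.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/machine.csr" -CA "$d/issuing-new.pem" \
    -CAkey "$d/issuing-new.key" -CAcreateserial -extfile "$d/leaf.ext" -out "$d/machine.pem" 2>/dev/null
}

# Check 1: does the machine cert build a valid chain to the deployed root through
# the deployed issuing CA cert? This is a rough stand-in for the evaluation macOS
# performs; it does not apply Apple's extra policy rules (e.g. validity limits).
chain_ok() {  # chain_ok root.pem issuing.pem machine.pem
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Extract a key identifier extension as bare hex (handles 1.1.1 and 3.x output).
key_id() {  # key_id cert.pem subjectKeyIdentifier|authorityKeyIdentifier
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | tr -d ' ' |
    sed -n 's/^\(keyid:\)\{0,1\}\([0-9A-F:][0-9A-F:]*\)$/\2/p'
}

# Check 2: does the leaf's Authority Key Identifier name the key inside the deployed
# issuing CA cert? If not, that CA cert can be Always Trust and still not help,
# because it is simply not the signer of this leaf.
issuer_key_matches() {  # issuer_key_matches issuing.pem machine.pem
  ski=$(key_id "$1" subjectKeyIdentifier); aki=$(key_id "$2" authorityKeyIdentifier)
  [ -n "$ski" ] && [ "$ski" = "$aki" ]
}
```

Run the two checks against the CA certificates exported from the profile that is actually deployed; if `chain_ok` fails and `issuer_key_matches` fails for every deployed issuing CA cert, the profile is carrying the wrong (or an outdated) issuing CA certificate rather than a trust-setting problem.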