If your environment is based around Active Directory, chances are you leverage Active Directory Certificate Services (ADCS) as your internal public key infrastructure (PKI). The certificates it issues may be used to authenticate clients to various services within your organisation.
As MacAdmins, we may need to configure our Macs to request certificates from our ADCS. Below are some hopefully helpful tips that might make that easier.
Have You Tried A Profile?
Luckily, Apple have made the initial attempt easier by adding an AD Certificate payload to Profile Manager. This means that most MDMs should have the payload as an option; if not, spin up a copy of Profile Manager.
Incidentally, I advocate the use of profiles for any Certificate deployment.
It’s simple, & if you’re deploying an internal Root Certificate via an MDM where the profiles are trusted, then the certificate should always be trusted (as shown below).
That’s Not My Name
The payload should ask you for details similar to those shown below (which is from a JSS). Each option is important, but make note of the Certificate Template field.
This needs to be the “Template name” of the Certificate Template to use when requesting a certificate, & not the “Template display name”. The below should help to illustrate this.
Your ADCS administrator or someone with access to the server should be able to verify the details of the certificate template to use from the CertSrv mmc.
Before You Go
Like all things AD, certificate templates have Access Control Lists (ACLs) which, if not properly set, can trip you up.
So it’s always worth double-checking the ACLs on any certificate template you’re struggling with.
No Worky
Even after all the above the request might fail. To find out why, on a Mac that has tried & failed to request a certificate, search the system.log for “GetCertificateFromCAServer”.
These messages are pretty handy: they give you a “request ID” which you can then check for on the CA for more information.
As these are “Failed Requests”, open the CertSrv mmc & search for the “request ID” given by the Mac.
Now armed with the “Request Status Code” & the internet, you should be able to stumble through a few TechNet articles &/or blog posts that will lead you to a resolution.
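As an added example (not code from the original post), the following shell snippet automates the log search above: it pulls the request IDs out of the GetCertificateFromCAServer lines so each one can be searched for under Failed Requests in the CertSrv mmc. The sample log lines and the exact wording “request ID <number>” are assumptions I’ve constructed; match the sed pattern to what your own system.log actually says.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the "No Worky"
# step: pull every "request ID" that GetCertificateFromCAServer logged on the
# Mac, so each can be searched for under Failed Requests in the CertSrv mmc.
# ASSUMPTION: the log lines below are CONSTRUCTED; the real wording of the
# message in your system.log may differ, so adjust the sed pattern to match.

# Constructed sample log excerpt standing in for /var/log/system.log.
SAMPLE_LOG="${TMPDIR:-/tmp}/adcs_sample_system.log"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 09:14:02 mac01 mdmclient[123]: GetCertificateFromCAServer: request to https://pki.example.internal/certsrv failed, request ID 1042
Mar 10 09:14:03 mac01 mdmclient[123]: profile installed
Mar 10 09:20:41 mac01 mdmclient[123]: GetCertificateFromCAServer: request to https://pki.example.internal/certsrv failed, request ID 1047
EOF

# Print one request ID per line for each GetCertificateFromCAServer entry in
# the log file given as $1. Only lines that contain the function name are
# considered, so unrelated entries never yield an ID.
extract_request_ids() {
    grep 'GetCertificateFromCAServer' "$1" \
        | sed -n 's/.*request ID \([0-9][0-9]*\).*/\1/p'
}

# Number of GetCertificateFromCAServer entries that carried a request ID.
count_request_entries() {
    extract_request_ids "$1" | wc -l | tr -d ' '
}

# Usage: on a Mac, point it at the real log. On current macOS releases the
# message lands in the unified log rather than system.log; export it first:
#   log show --last 1d --predicate 'eventMessage CONTAINS "GetCertificateFromCAServer"' > /tmp/adcs.log
#   extract_request_ids /tmp/adcs.log
echo "Request IDs to look up in Failed Requests on the CA:"
extract_request_ids "$SAMPLE_LOG"
```

Each ID printed is what you then search for in the CertSrv mmc; the “Request Status Code” shown there for that row is the value to take to TechNet.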
Any More?
If you have any more tips on this, please comment below!
There was a nice presentation @ a Macbrained event in March 2015 on a related topic: Identify Certificate Requests for Un-AD Bound Macs by Nick Kalister. Video here (you may need to sign in to Macbrained to view…): http://macbrained.org/recap-march-2015/, along with links to the resources I believe are mentioned in the presentation.
Thanks for a very useful article. However, I get the following message in the AD-CS logs:
“The DNS name is unavailable and cannot be added to the Subject Alternate name”
I’ve tried adding $COMPUTERNAME to the username field within the Network payload (and the AD Certificate payload) of the Configuration Profile, but still get the same error message. Any ideas?
Can anyone provide an answer to this issue?
We have the same problem on some of our Macs while other Macs are able to get a certificate without issue.
Thanks.
In answer to my question…in case this helps anyone.
We found the issue was the computer account in AD was missing its DNS entry. This happened on computer accounts where we had pre-created the account in AD.
The solution was to either use ADSI Edit and manually enter the DNS name, or rejoin the Mac computer to the domain without having the computer account pre-created in AD.
Hi Dean,
There can be a few variables to this.
I’d suggest joining the macadmins.org slack & asking in the #activedirectory channel.
How the hell can you auto-renew an AD Certificate?
Without asking the user to click the update button under Profiles?
We redeploy the profile.
Well, we had to, as we had an annually expiring CA cert & so had to redeploy both annually.