OSX & AD Certificate Requests, some tips

Standard
Icon_CertificateStandard

If your environment is based around Active Directory, chances are you may leverage Active Directory Certificate Services (ADCS) as your internal public key infrastructure (PKI). The certificates from which may be used to authenticate clients to various services within your organisation.

As MacAdmins, we may need to configure our Macs to request certificates from our ADCS, below are some hopefully helpful tips that might make that easier.

Have You Tried A Profile?

Screenshot 2015-09-05 22.22.21

Luckily, Apple have made the initial attempt easier by adding an AD Certificate payload to Profile Manager. This means that most MDM’s should have the payload as an option, if not spin up a copy of Profile Manager.

Incidentally, I advocate the use of profiles for any Certificate deployment.

It’s simple & if you’re deploying an internal Root Certificate & via an MDM where the profiles are trusted then the certificate should be always trusted, (as shown below).

Screenshot 2015-09-06 09.45.39

That’s Not My Name

The payload should ask you for details similar to that shown below, (which is from a JSS). Each option is important, but make note of the Certificate Template field.

Screenshot 2015-08-24 10.46.53
Screenshot 2015-08-11 14.55.13

This needs to be the “Template name” of the Certificate Template to use when requesting a certificate & not the “Template display name”. The below should help to illustrate this.

Your ADCS administrator or someone with access to the server should be able to verify the details of the certificate template to use from the CertSrv mmc.

Before You Go

Like all things AD, certificate templates have Access Control  Lists (ACLs) which if not properly set can trip you up.

Screenshot 2015-08-25 21.10.54

So it’s always worth double checking the ACLs on any certificate template you’re struggling with.

No Worky

Even after all the above the request might fail. To find out why, on a Mac that has tried & failed to request a certificate search the system.log for “GetCertificateFromCAServer”

Screen Shot 2015-09-05 at 9.48.13 PM

This messages are pretty handy, they give you a “request ID” which you can then check for on the CA for more information.

As these are “Failed Requests” open the CertSrv mmc & search for the “request ID” given by the Mac.

Screenshot 2015-09-05 21.53.14

Now armed with the “Request Status Code” & the internet, you should be able to stumble through a few TechNet articles &/or blog posts that will lead you to a resolution.

Anymore?

If you have anymore tips on this, please comment below!