Useful links for setting up certificate profiles

AFP Article:

802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates

(Mike Boylan)

Debug logging for profiles can be enabled with the following commands:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

After logging out and logging back in, very verbose logging will begin being dumped into /Library/Logs/ManagedClient/ManagedClient.log. To disable debug logging, delete the /Library/Preferences/com.apple.MCXDebug.plist file and log out and log back in once more.

Read .mobileconfig profile in plaintext:

security cms -D -i /Path/To/profile.mobileconfig | xmllint --format - > /Path/To/profile.txt.mobileconfig

https://support.apple.com/en-us/HT204602


https://macmule.com/2015/09/06/osx-ad-certificate-requests-some-tips


https://jamfnation.jamfsoftware.com/discussion.html?id=5018

Credit: Multiple authors.

Install a profile: /usr/bin/profiles -I -F /path/to/mobileconfig
See the ktickets: klist -l
Make kticket: sudo kinit -k <computername>

Template requirements

  • “Enroll subject without requiring any user input” is enabled.
  • Subject name format: Common name
  • Subject Alternative Name: User principal name (UPN)
  • Domain computers have Read and Enroll permissions enabled.

Profile requirements

  • Make sure the “Certificate Template Name” in your AD Certificate payload matches the “Template name” (not the “Template display name”) of the target certificate template.
  • Make sure your profile includes the intermediate and root CA certificates for the certificate you are requesting, plus the entire chain of trust for the CA server (its root and intermediate CA certs, if they differ from the client certificate CAs, and the server certificate).

Client requirements

  • Machine must be bound to AD.
  • Ensure the machine has a Kerberos ticket (<machineName>$@<DOMAIN>).

Also, check that the Domain Computers group is in the ADCS template ACL

Spaces in template name will break the request on some versions of OS X. <- Details needed.
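The following preflight script is an added example, not code from the original post or from any of the linked articles. It takes a profile that has already been decoded with the security cms / xmllint command above and checks the profile and client requirements listed here: that an AD Certificate payload names a template (and flags the space-in-template-name caveat), that at least one CA certificate payload is present for the chain of trust, and that the Kerberos cache holds a machine principal of the form <machineName>$@<DOMAIN>. It assumes the payload keys used by Apple's AD Certificate payload (PayloadType com.apple.ADCertificate with a CertTemplate string) and CA payloads (com.apple.security.root / com.apple.security.pkcs1); the sample profile and klist output are constructed inline so the checks run offline.

```shell
#!/bin/sh
# Added example: preflight checks for an AD Certificate profile and client.
# Assumptions: the profile has been decoded to plist XML beforehand with
#   security cms -D -i profile.mobileconfig | xmllint --format -
# and the klist output is captured separately; key names follow Apple's
# configuration profile reference. All sample data below is constructed.

# Print the <string> value that follows a given <key> in formatted plist XML.
plist_value() {            # $1 = key name; plist XML on stdin
  awk -v k="$1" '
    $0 ~ ("<key>" k "</key>") { want = 1; next }
    want && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17); exit
    }
    want && $0 !~ /^[[:space:]]*$/ { want = 0 }   # value was not a <string>
  '
}

check_template() {         # $1 = decoded profile text
  tpl=$(printf '%s\n' "$1" | plist_value CertTemplate)
  [ -n "$tpl" ] || { echo "FAIL: no CertTemplate in com.apple.ADCertificate payload"; return 1; }
  case "$tpl" in
    *" "*) echo "WARN: template name '$tpl' contains spaces (breaks the request on some OS X versions)"; return 2 ;;
  esac
  echo "OK: CertTemplate=$tpl (must match the AD template *name*, not its display name)"
}

check_chain() {            # $1 = decoded profile text
  n=$(printf '%s\n' "$1" | grep -c -E '<string>com\.apple\.security\.(root|pkcs1)</string>' || true)
  [ "$n" -gt 0 ] || { echo "FAIL: no CA certificate payloads; chain of trust missing"; return 1; }
  echo "OK: $n CA certificate payload(s) present"
}

check_machine_ticket() {   # $1 = output of klist (or klist -l)
  printf '%s\n' "$1" | grep -q -E '[A-Za-z0-9-]+\$@[A-Z0-9.-]+' \
    || { echo "FAIL: no machine principal (<machineName>\$@<DOMAIN>) in cache; try: sudo kinit -k <computername>"; return 1; }
  echo "OK: machine Kerberos ticket present"
}

preflight() {              # $1 = profile text, $2 = klist text; returns 0 only if all pass
  rc=0
  check_template "$1" || rc=1
  check_chain "$1" || rc=1
  check_machine_ticket "$2" || rc=1
  return $rc
}

# Constructed sample: a decoded profile with one AD Certificate payload and one root CA payload.
SAMPLE_PROFILE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.ADCertificate</string>
      <key>CertServer</key>
      <string>ca.example.com</string>
      <key>CertTemplate</key>
      <string>MacComputerAuth</string>
    </dict>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadContent</key>
      <data>BASE64-PLACEHOLDER</data>
    </dict>
  </array>
</dict>
</plist>'

# Same profile with a space in the template name, to exercise the caveat.
BAD_PROFILE=$(printf '%s\n' "$SAMPLE_PROFILE" | sed 's/MacComputerAuth/Mac Computer Auth/')

# Constructed klist output showing a machine (computer$) principal.
SAMPLE_KLIST='Credentials cache: API:constructed
        Principal: LABMAC01$@CORP.EXAMPLE.COM'

preflight "$SAMPLE_PROFILE" "$SAMPLE_KLIST"
```

On a real client, feed it the decoded profile and the output of klist, for example: preflight "$(security cms -D -i profile.mobileconfig | xmllint --format -)" "$(klist)". A WARN on the template name is returned as a distinct status (2) so a wrapper can treat it separately from a hard failure.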


PSU Mac Admins – Slides

Slides – MacAdmins Conference at Penn State
