Security, Compliance, and Identity Blog

How to Create and Deploy a Client Certificate for Mac Computers Independently from Configuration Manager

yvetteomeally
Sep 08, 2018
First published on CloudBlogs on Apr, 05 2013

Most customers who want to manage Mac computers using System Center 2012 Configuration Manager SP1 will use the enrollment tool, CMEnroll. This tool allows users with an Active Directory account to install the Configuration Manager client and automatically request and install the required client PKI certificate.

This deployment method scales well and uses your existing infrastructure to secure and automate the certificate deployment. However, it does require the user to have an account in Active Directory, and it requires Active Directory Certificate Services with a customized certificate template (so you must be running an enterprise version of the operating system and an enterprise CA).

If you don’t meet these requirements, or you don’t want an automated certificate deployment mechanism, you can request and install the certificate independently from Configuration Manager, and then install the Configuration Manager client.

Much like native mode in Configuration Manager 2007 and the client-server PKI connections in System Center 2012 Configuration Manager, you can use any PKI deployment to deploy the certificate for Mac computers if it adheres to our documented certificate requirements. For Mac computers, the client certificate requirements are as follows:

  • The certificate purpose (Enhanced Key Usage): Client authentication
  • Subject: Unique value for each computer (for example, the computer FQDN)
  • Supported hash algorithms: SHA-1 and SHA-2
  • Maximum supported key size: 2048 bits
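The following PowerShell script is an added example (not part of the original post) that checks an issued certificate against the four requirements above, either from the Local Computer Personal store or from an exported PFX file; the CN value and the PFX path are placeholders you supply.

```powershell
# Added example: verify a certificate against the Mac client certificate requirements.
# Run it on the Windows computer holding the certificate; $ExpectedCN is a placeholder.
param(
    [string]$ExpectedCN = 'mac1.contoso.com',   # placeholder: the Mac computer's FQDN
    [string]$PfxPath                             # optional: path to the exported .pfx
)

function Test-MacClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$CN)
    $problems = @()

    # Purpose: the EKU extension (2.5.29.37) must list Client Authentication
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = $null
    if ($eku) {
        $clientAuth = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }
    }
    if (-not $clientAuth) { $problems += 'EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)' }

    # Subject: the CN must be the unique name that was supplied in the request
    $actualCN = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($actualCN -ne $CN) { $problems += "Subject CN is '$actualCN', expected '$CN'" }

    # Hash algorithm: SHA-1 or a SHA-2 family member (sha256RSA, sha384RSA, ...)
    $sig = $Cert.SignatureAlgorithm.FriendlyName
    if ($sig -notmatch '^sha(1|224|256|384|512)RSA$') { $problems += "Unsupported signature algorithm '$sig'" }

    # Key size: an RSA key no larger than 2048 bits
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa) { $problems += 'Public key is not RSA' }
    elseif ($rsa.KeySize -gt 2048) { $problems += "Key size $($rsa.KeySize) exceeds 2048 bits" }

    # The Mac needs the private key, so the store entry or PFX must carry it
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Get-PfxCertificate prompts for the PFX password; otherwise search the machine store by CN
if ($PfxPath) { $cert = Get-PfxCertificate -FilePath $PfxPath }
else { $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$ExpectedCN" } | Select-Object -First 1 }
if (-not $cert) { throw "No certificate found for CN=$ExpectedCN" }
Test-MacClientCertificate -Cert $cert -CN $ExpectedCN | Format-List
```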

There is no single method of deployment for this certificate, and we would always recommend that you consult your own PKI team or get in a PKI consultant to devise the best method to deploy this certificate to Mac computers in a production environment. However, you can use the following steps in this blog if you need to deploy a few certificates for testing and have Active Directory Certificate Services running on a standalone CA or an enterprise CA that lets you duplicate and modify the certificate templates.

Both methods described in this post involve requesting the certificate from a Windows computer on behalf of the Mac computer, exporting the certificate to a file, and then importing it on the Mac computer. This method is not usually recommended in a production environment because it does not scale and has the security risk of exporting the private key.

An alternative that does not require you to export the private key is to use the Certificate Assistant tool on the Mac computer, from the Keychain Access menu. This lets you save a certificate request to disk; from the contents of that file, you can request the certificate from the issuing CA.

If you are not using the Certificate Assistant tool but want to use a Windows-based computer to request the certificate for the Mac computer, follow the steps in this post that match your issuing CA configuration. Then export the certificate file so that it’s ready to import on the Mac computer. These steps match the UI for any version of Windows Server 2008 and can be easily adapted if your CA is running on Windows Server 2012. Then, import the exported certificate to the Mac computer and configure the Keychain Access to trust the new certificate and (if required) the root certificate.

To Request and Install the Mac Client Certificate by Using a Standalone CA

  1. On a Windows computer that can access the issuing CA (it can even be the CA computer itself), create a folder to hold all the required certificate files. For example, C:\certificates.
  2. In the folder that you have just created, create a text file as follows and specify the unique computer name of the Mac computer (for example, its FQDN) for the common name in the Subject:

    [NewRequest]
    Subject="CN=mac1.contoso.com"
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    RequestType = PKCS10

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

  3. Save the file with any name, but it must have an .inf extension. For example, Mac.inf.
  4. In the folder, open a command prompt. From here, run Certreq.exe to create and submit the certificate request by typing the two commands consecutively:

    certreq -new mac.inf mac.req
    certreq -submit mac.req mac.cer

  5. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. When the request has been submitted, you see RequestId: <number> displayed, where <number> is the next sequential certificate request from the issuing CA. Make a note of this number.
  6. In the Certification Authority console, click the Pending Requests node, right-click the pending certificate request, select All Tasks, and then select Issue.
  7. Back in the command window, retrieve the certificate using the number you saw earlier by using the certreq -retrieve command. For example, using our mac.inf file: certreq -retrieve 2 mac.cer
  8. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. Click OK to overwrite the existing file.
  9. Accept and install the certificate by using the certreq -accept command. In our example, this would be: certreq -accept mac.cer
  10. Use the Certificates console to confirm that the certificate is installed: click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
  11. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  12. In the Certificate snap-in dialog box, select Computer account, and then click Next.
  13. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
  14. In the Add or Remove Snap-ins dialog box, click OK.
  15. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates. To identify the certificate that you just installed, use the Issued To column, which displays the Mac computer name that you specified, and the Intended Purposes column, which displays Client Authentication.
  16. Do not close the Certificates console.
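The PowerShell script below is an added example (not from the original post) that scripts steps 1 through 9 and 15 of the standalone-CA procedure: it writes the same .inf file, runs the certreq commands, parses the RequestId from the submit output, and waits for the request to be issued before retrieving and accepting it. The Mac FQDN, the CA config string (host\CA name, passed with certreq's -config option so that the Select Certification Authority dialog does not appear) and the working folder are placeholder values; run it in an elevated prompt because MachineKeySet stores the key under the local computer.

```powershell
# Added example: automate the standalone-CA request. All values below are placeholders.
param(
    [string]$MacFqdn  = 'mac1.contoso.com',             # placeholder: Mac computer FQDN
    [string]$CAConfig = 'CAHOST\Contoso-Standalone-CA',  # placeholder: "host\CA name"
    [string]$WorkDir  = 'C:\certificates'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir
$inf = 'mac.inf'; $req = 'mac.req'; $cer = 'mac.cer'

# Step 2: the same request file as in the post, with the Subject taken from the parameter
@"
[NewRequest]
Subject="CN=$MacFqdn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
"@ | Set-Content -Path $inf -Encoding ASCII

# Step 4: generate the key pair in the local machine store and build the PKCS #10 request
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# Steps 4-5: submit; a standalone CA answers with a RequestId and holds the request as pending
$out = & certreq.exe -submit -config $CAConfig $req $cer 2>&1 | Out-String
if ($out -notmatch 'RequestId:\s*(\d+)') { throw "No RequestId in certreq output:`n$out" }
$requestId = [int]$Matches[1]
Write-Host "Request $requestId submitted to $CAConfig"

# Step 6: a CA administrator issues the pending request in the Certification Authority console
Read-Host "Issue request $requestId on the CA, then press Enter to continue"

# Steps 7-9: retrieve the issued certificate (-f overwrites mac.cer) and bind it to the key
& certreq.exe -retrieve -f -config $CAConfig $requestId $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed (exit code $LASTEXITCODE)" }
& certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# Step 15: confirm the certificate is in the Local Computer Personal store with its private key
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$MacFqdn" } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, EnhancedKeyUsageList
```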

To Request and Install the Mac Client Certificate by Using an Enterprise CA

  1. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
  2. In the results pane, right-click the entry that displays Workstation Authentication in the Template Display Name column, and then click Duplicate Template.
  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificates, such as Mac Client Certificate.
  5. Click the Request Handling tab, and select Allow private key to be exported.
  6. Click the Subject Name tab, and click Supply in the request. Click OK in the warning dialog box to acknowledge the security risk.
  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. This helps to reduce the security risk.
  8. Click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, first click Object Types and select Computers, and then click OK. Then specify the computer name of a Windows computer that will request the certificate on behalf of Mac computers (it can even be the CA computer itself), click Check Name to verify, and then click OK.
  9. Select the Enroll permission for this computer, and do not clear the Read permission.
  10. Click OK, and close the Certificate Templates console.
  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  12. In the Enable Certificate Templates dialog box, select the new template that you have just created, and then click OK.
  13. From the computer that you specified to have Read and Enroll permissions for the certificate template, click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
  14. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  15. In the Certificate snap-in dialog box, select Computer account, and then click Next.
  16. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
  17. In the Add or Remove Snap-ins dialog box, click OK.
  18. In the console, expand Certificates (Local Computer), and then click Personal.
  19. Right-click Certificates, click All Tasks, and then click Request New Certificate.
  20. On the Before You Begin page, click Next.
  21. If you see the Select Certificate Enrollment Policy page, click Next.
  22. On the Request Certificates page, identify the certificate template that you just created (for example, Mac Client Certificate) from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
  23. In the Certificate Properties dialog box, on the Subject tab, in the Subject name section, click the Type drop-down list, and then select Common name.
  24. In the Value box, specify the unique computer name of the Mac computer that will use this certificate. Using the FQDN of the computer is a best practice. For example, mac1.contoso.com.
  25. Click Add, so that the dialog box looks similar to the following, and then click OK to close the Certificate Properties dialog box.
  26. On the Request Certificates page, select the certificate template that you just created (for example, Mac Client Certificate) from the list of displayed certificates, and then click Enroll.
  27. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
  28. Do not close the Certificates console.

To Export the Mac Client Certificate

  1. In the Certificates console, right-click the certificate that you have just installed, select All Tasks, and then click Export.
  2. In the Certificate Export Wizard, click Next.
  3. On the Export Private Key page, select Yes, export the private key, and then click Next.
  4. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected, and then select Include all certificates in the certification path if possible.
  5. Click Next, and on the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.
  6. On the File to Export page, specify a file name to hold the certificate, and then click Next.
  7. To close the wizard, click Finish on the Certificate Export Wizard page, and click OK in the confirmation dialog box.
  8. Close the Certificates console.
  9. Store the file securely and use it to import the certificate on the Mac computer.

Tip: If you use an issuing CA from a different hierarchy to the one that issues PKI certificates for the Configuration Manager site system roles (such as the management point), you must import the root CA certificate as a Configuration Manager site property. For more information, see the Planning for the PKI Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security in Configuration Manager topic from the Configuration Manager documentation library.

Additional information from the Configuration Manager documentation library:

-- Carol Bailey

This posting is provided "AS IS" with no warranties and confers no rights.
