First published on CloudBlogs on Apr, 05 2013
Most customers who want to manage Mac computers using System Center 2012 Configuration Manager SP1 will use the enrollment tool, CMEnroll. This tool allows users with an Active Directory account to install the Configuration Manager client and automatically request and install the required client PKI certificate.
This deployment method scales well and uses your existing infrastructure to secure and automate the certificate deployment. However, it does require the user to have an account in Active Directory, and it requires Active Directory Certificate Services with a customized certificate template (so you must be running an enterprise version of the operating system and an enterprise CA).
If you don’t meet these requirements, or you don’t want an automated certificate deployment mechanism, you can request and install the certificate independently from Configuration Manager, and then install the Configuration Manager client.
Much like native mode in Configuration Manager 2007 and the client-server PKI connections in System Center 2012 Configuration Manager, you can use any PKI deployment to deploy the certificate for Mac computers if it adheres to our documented certificate requirements. For Mac computers, the client certificate requirements are as follows:
- Certificate purpose (Enhanced Key Usage): Client Authentication
- Subject: a unique value for each computer (for example, the computer FQDN)
- Supported hash algorithms: SHA-1 and SHA-2
- Maximum supported key size: 2048 bits
There is no single method of deployment for this certificate, and we would always recommend that you consult your own PKI team or get in a PKI consultant to devise the best method to deploy this certificate to Mac computers in a production environment. However, you can use the following steps in this blog if you need to deploy a few certificates for testing and have Active Directory Certificate Services running on a standalone CA or an enterprise CA that lets you duplicate and modify the certificate templates.
Both methods described in this post involve requesting the certificate from a Windows computer on behalf of the Mac computer, exporting the certificate to a file, and then importing it on the Mac computer. This method is not usually recommended in a production environment because it does not scale and has the security risk of exporting the private key.
An alternative that does not require you to export the private key is to use the Certificate Assistant tool on the Mac computer, from the Keychain Access menu. This lets you save a certificate request to disk, and from the contents of this file you can request the certificate from the issuing CA.
If you are not using the Certificate Assistant tool but want to use a Windows-based computer to request the certificate for the Mac computer, follow the steps in this post that match your issuing CA configuration. Then export the certificate file so that it’s ready to import on the Mac computer. These steps match the UI for any version of Windows Server 2008 and can be easily adapted if your CA is running on Windows Server 2012. Then, import the exported certificate to the Mac computer and configure the Keychain Access to trust the new certificate and (if required) the root certificate.
To Request and Install the Mac Client Certificate by Using a Standalone CA
- On a Windows computer that can access the issuing CA (it can even be the CA computer itself), create a folder to hold all the required certificate files. For example, C:\certificates.
- In the folder that you have just created, create a text file as follows, specifying the unique computer name of the Mac computer (for example, its FQDN) for the common name in the Subject:
[NewRequest]
Subject="CN=mac1.contoso.com"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
- Save the file with any name, but it must have an .inf extension. For example, Mac.inf.
- In the folder, open a command prompt. From here, run Certreq.exe to create and submit the certificate request by typing the two commands consecutively:
certreq -new mac.inf mac.req
certreq -submit mac.req mac.cer
- You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. When the certificate is issued, you see RequestId: <number> displayed, where <number> is the next sequential certificate request from the issuing CA. Make a note of this number.
- In the Certification Authority console, click the Pending Requests node, right-click the pending certificate request, select All Tasks, and then select Issue.
- Back in the command window, retrieve the certificate by using the certreq -retrieve command with the number you noted earlier. For example, using our mac.inf file: certreq -retrieve 2 mac.cer
- You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. Click OK to overwrite the existing file.
- Accept and install the certificate by using the certreq -accept command. In our example, this would be: certreq -accept mac.cer
- Use the Certificates console to confirm that the certificate is installed: click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
- In the Certificate snap-in dialog box, select Computer account, and then click Next.
- In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates. To identify the certificate that you just installed, use the Issued To column, which displays the Mac computer name that you specified, and the Intended Purposes column, which displays Client Authentication.
- Do not close the Certificates console.
To Request and Install the Mac Client Certificate by Using an Enterprise CA
- In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
- In the results pane, right-click the entry that displays Workstation Authentication in the Template Display Name column, and then click Duplicate Template.
- In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
- In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificates, such as Mac Client Certificate.
- Click the Request Handling tab, and select Allow private key to be exported.
- Click the Subject Name tab, and click Supply in the request. Click OK in the warning dialog box to acknowledge the security risk.
- Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. This helps to reduce the security risk.
- Click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, first click Object Types and select Computers, and then click OK. Then specify the computer name of a Windows computer that will request the certificate on behalf of Mac computers (it can even be the CA computer itself), click Check Name to verify, and then click OK.
- Select the Enroll permission for this computer, and do not clear the Read permission.
- Click OK, and close the Certificate Templates console.
- In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
- In the Enable Certificate Templates dialog box, select the new template that you have just created, and then click OK.
- From the computer that you specified to have Read and Enroll permissions for the certificate template, click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
- In the Certificate snap-in dialog box, select Computer account, and then click Next.
- In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- In the console, expand Certificates (Local Computer), and then click Personal.
- Right-click Certificates, click All Tasks, and then click Request New Certificate.
- On the Before You Begin page, click Next.
- If you see the Select Certificate Enrollment Policy page, click Next.
- On the Request Certificates page, identify the certificate template that you just created (for example, Mac Client Certificate) from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
- In the Certificate Properties dialog box, on the Subject tab, in the Subject name section, click the Type drop-down list, and then select Common name.
- In the Value box, specify the unique computer name of the Mac computer that will use this certificate. Using the FQDN of the computer is a best practice. For example, mac1.contoso.com.
- Click Add so that the dialog box looks similar to the following, and then click OK to close the Certificate Properties dialog box.
- On the Request Certificates page, select the certificate template that you just created (for example, Mac Client Certificate) from the list of displayed certificates, and then click Enroll.
- On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
- Do not close the Certificates console.
To Export the Mac Client Certificate
- In the Certificates console, right-click the certificate that you have just installed, select All Tasks, and then click Export.
- In the Certificate Export Wizard, click Next.
- On the Export Private Key page, select Yes, export the private key, and then click Next.
- On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected, and then select Include all certificates in the certification path if possible.
- Click Next, and on the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.
- On the File to Export page, specify a file name to hold the certificate, and then click Next.
- To close the wizard, click Finish on the Certificate Export Wizard page, and click OK in the confirmation dialog box.
- Close the Certificates console.
- Store the file securely and use it to import the certificate on the Mac computer.
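The standalone-CA request, issue, retrieve, accept and PFX export steps above, collected into one PowerShell script as an added example (this is not code from the original post or from Microsoft). It assumes a CA config string in "host\CA name" form, a hypothetical Mac FQDN such as mac1.contoso.com, an elevated prompt on the requesting Windows computer (the machine key set and CA administrator right for issuing), and placeholder values for the output folder and PFX password.

```powershell
# Added example: automate the standalone-CA steps from this post.
# Assumptions (not from the post): $CAConfig is "CAHost\CA Name", $MacFqdn is the Mac's FQDN,
# the script runs elevated on the requesting Windows computer, and certutil -resubmit is used
# to issue the pending request instead of the Certification Authority console.
param(
    [Parameter(Mandatory)][string]$CAConfig,      # e.g. "ca01.contoso.com\Contoso Issuing CA"
    [Parameter(Mandatory)][string]$MacFqdn,       # e.g. "mac1.contoso.com"
    [Parameter(Mandatory)][string]$PfxPassword,   # placeholder; use a strong value
    [string]$OutDir = "C:\certificates"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$inf = Join-Path $OutDir "$MacFqdn.inf"
$req = Join-Path $OutDir "$MacFqdn.req"
$cer = Join-Path $OutDir "$MacFqdn.cer"
$pfx = Join-Path $OutDir "$MacFqdn.pfx"

# Same request parameters as the post's Mac.inf: 2048-bit exportable machine key, client auth EKU.
@"
[NewRequest]
Subject="CN=$MacFqdn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new -q $inf $req
# -config skips the Select Certification Authority dialog; a standalone CA leaves the request pending.
$submit = (certreq -submit -q -config $CAConfig $req $cer) -join "`n"
if ($submit -notmatch 'RequestId:\s*"?(\d+)') { throw "No RequestId in certreq output:`n$submit" }
$requestId = [int]$Matches[1]

certutil -config $CAConfig -resubmit $requestId | Out-Null   # issue the pending request (CA admin right)
certreq -retrieve -f -q -config $CAConfig $requestId $cer    # -f overwrites the existing .cer
certreq -accept -q $cer                                      # binds the cert to its key in LocalMachine\My

# Export with the private key, as the wizard does; the PFX must be protected and deleted after import.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$MacFqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
certutil -p $PfxPassword -exportPFX my $cert.Thumbprint $pfx  # add NoChain to omit issuer certificates
Write-Host "Exported $pfx (RequestId $requestId); copy it to the Mac and import it into Keychain Access."
```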
Tip: If you use an issuing CA from a different hierarchy to the one that issues PKI certificates for the Configuration Manager site system roles (such as the management point), you must import the root CA certificate as a Configuration Manager site property. For more information, see the Planning for the PKI Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security in Configuration Manager topic from the Configuration Manager documentation library.
Additional information from the Configuration Manager documentation library:
--
Carol Bailey
This posting is provided "AS IS" with no warranties and confers no rights.