Deploying Trusted Root Certificates to Mac OS X 10.6+

We have a method of deploying our Active Directory root certificate to Mac OS X computers (10.6+) that we’d like to share. It’s a one-line command (add-trusted-cert) whose options can be found in Apple’s documentation. Here’s an example of using the command. We upload the certificate to BigFix and then use the following action:

download http://server.domain.com:52311/Uploads/c24da1e43b24638f364cbeacd226800f0419062d/RootCAcer.tmp
continue if {(size of it = 845 AND sha1 of it = "c24da1e43b24638f364cbeacd226800f0419062d") of file "RootCAcer.tmp" of folder "__Download"}

extract RootCAcer.tmp

if {not active of action OR exists file whose (name of it ends with ".tmp") of folder "__Download" of client folder of current site}
delete "{pathname of file whose (name of it ends with ".tmp") of folder "__Download" of client folder of current site}"
wait /usr/bin/security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "{posix path of client folder of current site}/__Download/RootCA.cer"
endif

Hope this helps!

2 Likes

Thanks for sharing.

Some tips:

The prefetch command should generally be used instead of the download command.

Also, you can upload the certificate to the root server without compression so you can skip the extract step. I would recommend this for small files and files that are already compressed.

Thanks for the tips @jgstew . They’re greatly appreciated.

How do you upload files without compression? We’ve used the software installation wizard to upload the files but I don’t see an option to leave them uncompressed.

In the Software Distribution Wizard you should be able to select “Add Folder” and unselect “Compress Folders at depth”; this should upload each file individually.

1 Like

You are welcome.

I don’t recall offhand how to upload files without compression, but it is most definitely possible. I typically just put the file on a webserver that the root server can access and use that as the URL for the prefetch statement. This method has the advantage of the file being cached in the root server’s webcache, which will roll over and delete old files automatically, instead of being placed in the root server’s upload directory, where it will never be deleted automatically and will need manual pruning to keep its size down over time. As long as the root server’s webcache is large enough, it will not roll over quickly. This is also true if your top-level relays have large caches: even if the root server cache ends up deleting old files, the top-level relays could still have a copy to serve up. This is part of why I like the idea of a single top-level relay with a very large cache, particularly if you can’t put a lot of storage on the root server. Related: FillDB Buffer Size Issue - #4 by jgstew

Interesting. Definitely not the method I have used in the past.

@rames, thanks for the valuable action script. Can we also have a relevance condition to check whether the required certificate is already present on the user’s Mac OS X machine?

We use another task to dump the certificate list to a file:

// List of trusted certificates
wait /bin/bash -c "security dump-trust-settings -d | grep Cert > __certlist.txt || true"

Then use this as relevance in the certificate installation task:

(if (exists it) then (not exists lines whose (it contains "Academic Root CA") of it) else false) of file "__certlist.txt" of client folder of site "CustomSite_<NameOfTheCustomSiteGoesHere>"

In case you’re interested, here’s an updated version of the action script we use, based on the suggestions above:

prefetch ACADCA_Academic_Root_CA.cer sha1:9b2f8762bc1239696d8463c71c45794e99f73002 size:847 http://server.domain.com:52311/Uploads/9b2f8762bc1239696d8463c71c45794e99f73002/ACADCA_Academic_Root_CA.cer

createfile until __EOF__
#!/bin/sh

# Install certificate as a trusted root
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "{posix path of file "ACADCA_Academic_Root_CA.cer" of folder "__Download" of client folder of current site}"

# Update certificate list file
security dump-trust-settings -d | grep Cert > __certlist.txt
__EOF__

move __createfile run.sh
wait chmod +x run.sh
wait /bin/sh run.sh

3 Likes
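The one-liner in the first post and the dump-and-grep check above both rely on the `security` tool, and the grep relevance matches the CA name as a substring, so a differently named CA whose name contains “Academic Root CA” would make the task think the certificate is already installed. The script below is an added example written for this thread, not code from the original posts, and it assumes a hypothetical CA named “Academic Root CA” and a certificate file passed on the command line. It parses `security dump-trust-settings -d` output with an exact match on the `Cert N: <name>` lines, installs only when the CA is absent, and re-reads the trust store afterwards to confirm. The embedded dump is a constructed sample in the shape that command prints, used only when `security` is not available (for example when exercising the parsing logic on Linux).

```shell
#!/bin/sh
# Added example: idempotent trusted-root install for macOS, not from the original thread.
# Assumptions (hypothetical): CA display name "Academic Root CA"; cert path given as $1.
set -eu

# Constructed sample of `security dump-trust-settings -d` output (shape only; not a
# real dump). Note there is no "Academic Root CA" entry, only "Academic Root CA 2",
# which a substring grep would wrongly accept.
SAMPLE_DUMP='Number of trusted certs = 2
Cert 0: Apple Root CA
   Number of trust settings : 0
Cert 1: Academic Root CA 2
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL'

# cert_in_dump NAME: read a trust-settings dump on stdin and return 0 if a
# "Cert N: <name>" line matches NAME exactly (not as a substring), else 1.
cert_in_dump() {
    want="$1"
    awk -v want="$want" '
        /^Cert [0-9]+: / { sub(/^Cert [0-9]+: /, ""); if ($0 == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# dump_trust_settings: print the live admin trust store when the macOS `security`
# tool exists; otherwise fall back to the constructed sample so the parser can run
# anywhere. The "|| true" mirrors the thread: the command exits non-zero when no
# trust settings exist at all.
dump_trust_settings() {
    if command -v security >/dev/null 2>&1; then
        security dump-trust-settings -d 2>/dev/null || true
    else
        printf '%s\n' "$SAMPLE_DUMP"
    fi
}

# install_root_ca CERT_PATH NAME: add CERT_PATH to the System keychain as a trusted
# root only when NAME is not already in the admin trust settings. Must run as root
# because of -d (admin domain). Returns 0 when the CA is trusted afterwards.
install_root_ca() {
    cert_path="$1"
    name="$2"
    if dump_trust_settings | cert_in_dump "$name"; then
        echo "already trusted: $name"
        return 0
    fi
    if ! command -v security >/dev/null 2>&1; then
        echo "security tool not found; cannot install $name" >&2
        return 2
    fi
    security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$cert_path"
    # Confirm by re-reading the store rather than trusting the exit status alone.
    dump_trust_settings | cert_in_dump "$name"
}

# Usage: sh install_root_ca.sh /path/to/ACADCA_Academic_Root_CA.cer "Academic Root CA"
if [ $# -eq 2 ]; then
    install_root_ca "$1" "$2"
fi
```

When run under the BigFix client the script inherits root, so `-d` works; run interactively it needs `sudo`. If you only want to know whether the certificate is present in the keychain (which is not the same as having trust settings), `security find-certificate -c "Academic Root CA" -Z /Library/Keychains/System.keychain` prints its SHA-1 hash without an intermediate file, but the trust-settings dump remains the check for whether it is actually trusted as a root.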

@rames, thanks for the update.
But can we have a direct relevance condition to check whether the desired certificate is on the end-user Mac OS X machine or not? Copying all the certificate information into a single file and reading it will create another task for me. I would really appreciate it if you could suggest a one-line relevance for Mac.

If I knew where to pull that information from (a .plist, for example) then yes, but the only way I have found so far is to run the “security dump-trust-settings” command. We use a similar approach for retrieving the Active Directory domain, the Active Directory admin groups assigned to the computer, and the Wi-Fi profiles installed.

Yes, that is the concern. I am also looking for the file where the installed certificate information is generally stored.