Provisioning Certificates
Or: Why I’ll always have a special place in my heart for Windows CE

MacBrained @ Evernote
Nick Kalister
[email protected]
https://github.com/elvisizer/

Posted 11-Aug-2015


Provisioning what now?

• An identity certificate issued by a domain certificate authority to either a user or computer that can be used for authentication to domain resources

• In this specific case study, the domain is Microsoft Active Directory, the client Macs are not bound to the domain, and they run OS X versions ranging from 10.6 to 10.10

How are certificates normally provisioned?

• Starting with 10.7, you had SCEP profiles

• 10.7 (and ONLY 10.7) also supported the ADCertificatePayloadPlugin

• 10.8 added RPC profiles

Standard Provisioning Options Summary

                               SCEP          RPC           ADCertificatePayloadPlugin
Operating systems supported    10.7-10.10    10.8-10.10    10.7 only
Requires client bound to AD?   No            Yes           Yes

None of those options worked for us!

• Our AD server config was not compatible with the ADCertificatePayloadPlugin

• Our Macs were not bound to AD

• SCEP had a troubled history

• Needed 10.6 support, if possible

So, what to do???

Searching for a Solution

Details came from MSDN: Certificate Enrollment in Windows CE .NET

Default POST format

Default POST Response

Where ### is the certificate request ID and XXXX is the certificate signing request

Default GET Format

Proving the Concept

1. Create a CSR using OpenSSL

2. Submit the CSR to the web enrollment server using curl, capturing the result

3. Get the Request ID from the captured result

4. Use the Request ID to download the certificate

5. Using OpenSSL again, combine the certificate and private key into an identity file
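The five proof-of-concept steps as one shell script, written for this page as an added example (not the talk's own script). It assumes the standard Microsoft CA web enrollment pages, /certsrv/certfnsh.asp for the POST and /certsrv/certnew.cer?ReqID=...&Enc=b64 for the GET, together with the form fields Mode, CertRequest, CertAttrib and SaveCert; those names come from the public web enrollment interface and are not shown on the slides. The CA host name, certificate template, subject, and NTLM authentication are placeholders, and the request-ID parser assumes the issued-certificate page links to certnew.cer?ReqID=<id>.

```shell
#!/bin/sh
# Added example, not from the original talk. Each proof-of-concept step is a
# shell function; "enroll" chains them. Assumptions (not on the slides): the CA
# serves the standard web enrollment pages under /certsrv, authenticates with
# NTLM, and its issued-certificate page links to certnew.cer?ReqID=<id>.
set -eu

CA_HOST="${CA_HOST:-ca.example.internal}"   # placeholder CA hostname
CA_TEMPLATE="${CA_TEMPLATE:-User}"          # placeholder certificate template
WORK="${WORK:-$(mktemp -d)}"                # scratch directory for key/CSR/cert

# Step 1: private key plus CSR with OpenSSL (subject CN is the enrolling user).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=$1"
}

# Step 2: POST the CSR to the web enrollment server and capture the HTML reply.
# curl's name@file form URL-encodes the CSR file contents for us.
submit_csr() {   # submit_csr <user> <password>
    curl -s --ntlm -u "$1:$2" \
        --data-urlencode "Mode=newreq" \
        --data-urlencode "CertRequest@$WORK/client.csr" \
        --data-urlencode "CertAttrib=CertificateTemplate:$CA_TEMPLATE" \
        --data-urlencode "SaveCert=yes" \
        "https://$CA_HOST/certsrv/certfnsh.asp" > "$WORK/response.html"
}

# Step 3: pull the request ID out of the captured reply. The page links the
# issued certificate as certnew.cer?ReqID=<id>; print the first ID found,
# nothing at all if the request is still pending or was rejected.
extract_request_id() {   # extract_request_id <captured-response-file>
    sed -n 's/.*certnew\.cer?ReqID=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Step 4: download the certificate by request ID, Base64 (PEM) encoded.
fetch_cert() {   # fetch_cert <user> <password> <request-id>
    curl -s --ntlm -u "$1:$2" -o "$WORK/client.cer" \
        "https://$CA_HOST/certsrv/certnew.cer?ReqID=$3&Enc=b64"
}

# Step 5: bundle certificate and private key into a PKCS#12 identity file.
make_identity() {   # make_identity <p12-password>
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.cer" \
        -out "$WORK/identity.p12" -passout "pass:$1"
}

enroll() {   # enroll <user> <password> <p12-password>; prints the .p12 path
    make_csr "$1"
    submit_csr "$1" "$2"
    req_id=$(extract_request_id "$WORK/response.html")
    if [ -z "$req_id" ]; then
        echo "no request ID in response (pending CA approval or rejected?)" >&2
        return 1
    fi
    fetch_cert "$1" "$2" "$req_id"
    make_identity "$3"
    echo "$WORK/identity.p12"
}

# Only run the network steps when explicitly asked: ./enroll.sh enroll USER PASS P12PASS
case "${1:-}" in
    enroll) enroll "$2" "$3" "$4" ;;
esac
```

The request-ID step is the one that fails silently if the template requires CA manager approval: the reply then carries no certnew.cer link, so the script stops before trying to download anything.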

What else is needed to make this a usable provisioning system?

• User interface

• Certificate expiration reporting

• Old cert cleanup

• Configuration Profiles support

User Interface

• Greeting

• Prompt for user name

• Prompt for password

• Feedback and final results

Leveraging Configuration Profiles

• First, create a profile template using OS X Server’s Profile Manager

• Add the certificate payload first

• Then, add a network payload that uses the certificate payload for authentication

• Save and download the profile from Profile Manager

• Then, open the profile in a text editor and delete the certificate data

• Your profile template is now ready for use

• Use PlistBuddy to insert the certificate into the template

• And use the profiles command to install the mobileconfig file
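The template check and the PlistBuddy/profiles steps as an added shell example (written for this page, not the talk's own tooling). The template it writes is a constructed, minimal stand-in for a Profile Manager export after the certificate data has been deleted: a PKCS#12 payload first in PayloadContent, then a Wi-Fi payload whose PayloadCertificateUUID points at the PKCS#12 payload's UUID. Identifiers, UUIDs, SSID and the placeholder password are assumptions; the install function is macOS-only.

```shell
#!/bin/sh
# Added example, not from the original talk. write_template produces a
# constructed, stripped template; template_ready checks it before use;
# install_identity does the PlistBuddy import and the profiles install.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed template: PKCS#12 payload (index 0, data removed) plus a Wi-Fi
# payload that authenticates with that identity (EAP type 13 = EAP-TLS).
write_template() {   # write_template <output.mobileconfig>
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>com.example.identity</string>
      <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadCertificateFileName</key><string>identity.p12</string>
      <key>PayloadContent</key><data></data>
      <key>Password</key><string>PLACEHOLDER</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.wifi</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>PayloadCertificateUUID</key><string>11111111-1111-1111-1111-111111111111</string>
      <key>EAPClientConfiguration</key>
      <dict><key>AcceptEAPTypes</key><array><integer>13</integer></array></dict>
    </dict>
  </array>
  <key>PayloadIdentifier</key><string>com.example.cert-profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Returns 0 when the template is ready: it has a PKCS#12 payload, no leftover
# certificate bytes inside any <data> element, and the network payload's
# PayloadCertificateUUID matches some payload's PayloadUUID.
template_ready() {   # template_ready <template.mobileconfig>
    flat=$(tr -d '\n\t ' < "$1")
    case "$flat" in
        *'<string>com.apple.security.pkcs12</string>'*) ;;
        *) echo "no PKCS#12 payload in $1" >&2; return 1 ;;
    esac
    if printf '%s' "$flat" | grep -q '<data>[^<]'; then
        echo "template still contains certificate data" >&2; return 1
    fi
    cert_uuid=$(printf '%s' "$flat" \
        | sed -n 's/.*<key>PayloadCertificateUUID<\/key><string>\([^<]*\)<\/string>.*/\1/p')
    if [ -z "$cert_uuid" ]; then
        echo "network payload has no PayloadCertificateUUID" >&2; return 1
    fi
    printf '%s' "$flat" | grep -q "<key>PayloadUUID</key><string>$cert_uuid</string>" \
        || { echo "PayloadCertificateUUID $cert_uuid matches no payload" >&2; return 1; }
}

# Inserts the built identity into payload 0 with PlistBuddy (Import stores the
# .p12 bytes as the <data> value), sets its password, installs with profiles.
install_identity() {   # install_identity <template> <identity.p12> <p12-password>
    template_ready "$1"
    out="$WORK/identity.mobileconfig"
    cp "$1" "$out"
    pb=/usr/libexec/PlistBuddy
    "$pb" -c "Delete :PayloadContent:0:PayloadContent" "$out" 2>/dev/null || true
    "$pb" -c "Import :PayloadContent:0:PayloadContent $2" "$out"
    "$pb" -c "Set :PayloadContent:0:Password $3" "$out"
    profiles -I -F "$out"
}

case "${1:-}" in
    install) install_identity "$2" "$3" "$4" ;;
esac
```

The index 0 in the PlistBuddy paths is why the talk adds the certificate payload first: the network payload can sit anywhere after it, but the import target must be the PKCS#12 payload, and the readiness check catches the two ways a hand-edited template usually goes wrong (certificate data left behind, or a UUID reference that no longer resolves).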

Cleaning Up Old Certs

Expiration Reporting

Expiration Reporting

Thank You!

References

• OpenSSL help articles

• cURL project homepage

• Apple RPC Profile KB Article

• Apple ADCertificatePayloadPlugin KB Article

• Certificate Enrollment in Windows CE .NET

• Microsoft CA Web Enrollment Service Technet Docs

• Cocoa Dialog