
Importing a Certification Authority Intermediate Certificate from Apple to the System Keychain

Overview

To install PKGs signed with an installer certificate from Apple's Developer Certificate Utility, the System keychain in Keychain Access must contain a Certification Authority intermediate certificate from Apple.

This article explains how to obtain a Certification Authority intermediate certificate from Apple and import it to the System keychain in Keychain Access on computers.

Versions Affected

Version 8.6 and later

Requirements

To import a Certification Authority intermediate certificate from Apple to the System keychain, you need:
- A copy of Apple’s Developer ID or Worldwide Developer Relations Certification Authority intermediate certificate.

The Developer ID Certification Authority intermediate certificate is available at:
https://developer.apple.com/certificationauthority/DeveloperIDCA.cer

The Worldwide Developer Relations Certification Authority intermediate certificate is available at:
https://developer.apple.com/certificationauthority/AppleWWDRCA.cer

Procedure

Importing a Certification Authority intermediate certificate from Apple to the System keychain on computers involves the following steps:

  1. Move the certificate to the following location: /Library/Application Support/JAMF/

  2. Use Composer or a third-party package building tool to create a package of the certificate (DeveloperIDCA.cer or AppleWWDRCA.cer).

  3. Open the importCACert.sh script and add "/Library/Application Support/JAMF/DeveloperIDCA.cer" or "/Library/Application Support/JAMF/AppleWWDRCA.cer" as the value for the caCertLocation variable.
  4. Use the Casper Suite or another deployment tool such as Apple Remote Desktop (ARD) to deploy the certificate package and run the importCACert.sh script.
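The script the procedure refers to is not reproduced in the article, so the following is an added example of what an importCACert.sh along these lines can look like; it is not Jamf's own script. It assumes the default certificate path from step 3, uses Jamf's convention that custom policy parameters start at $4 (optional path override), and deliberately performs a plain `security import` with no added trust settings, since the Apple intermediate already chains to an Apple root in the system trust store.

```shell
#!/bin/bash
# importCACert.sh (example): import an Apple CA intermediate certificate into the System keychain.
# Jamf passes its own values in $1-$3; custom policy parameters start at $4 (assumption: parameter 4
# may override the path). The default path matches the package location used in the article.
caCertLocation="${4:-/Library/Application Support/JAMF/DeveloperIDCA.cer}"
systemKeychain="/Library/Keychains/System.keychain"

# Print DER or PEM if the file parses as an X.509 certificate; return non-zero otherwise.
check_cert_file() {
    local cert="$1"
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 3; }
    if openssl x509 -inform DER -in "$cert" -noout 2>/dev/null; then echo DER; return 0; fi
    if openssl x509 -inform PEM -in "$cert" -noout 2>/dev/null; then echo PEM; return 0; fi
    echo "not an X.509 certificate: $cert" >&2
    return 2
}

# SHA-1 fingerprint in the form the System keychain reports it (uppercase hex, no colons).
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g'
}

# Import into the System keychain unless the same certificate is already there (requires root).
# No trust settings are added: the intermediate chains to an Apple root that is already trusted,
# so a plain import is sufficient and avoids marking an intermediate as a trust anchor.
import_ca_cert() {
    local cert="$1" fmt fp
    fmt=$(check_cert_file "$cert") || return $?
    fp=$(cert_fingerprint "$cert" "$fmt")
    if security find-certificate -a -Z "$systemKeychain" 2>/dev/null | grep -q "$fp"; then
        echo "already present in System keychain: $fp"
        return 0
    fi
    security import "$cert" -k "$systemKeychain" || { echo "import failed: $cert" >&2; return 4; }
    echo "imported $cert ($fp) into $systemKeychain"
}

# Run the import only when invoked as the deployed script; the functions stay sourceable for checks.
case "$0" in
    *importCACert.sh) import_ca_cert "$caCertLocation"; exit $? ;;
esac
```

Run it as root (Jamf policies already do), and check the policy log for the "imported" or "already present" line to confirm the result on each computer.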

Version 9.0 or Later

To deploy the certificate package and run the importCACert.sh script using a policy:

  1. Add the certificate package and the importCACert.sh script to Casper Admin, and assign a priority of "After" to the script. For complete instructions, see "Managing Packages" and "Managing Scripts" in the Casper Suite Administrator's Guide.
  2. Log in to the JSS with a web browser.
  3. Click Computers at the top of the page.
  4. Click Policies. On a smartphone, this option is in the pop-up menu.
  5. Click New.
  6. Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
  7. Select the Packages payload and click Configure.
  8. Click Add for the certificate package.
  9. Choose "Install" from the Action pop-up menu.
  10. Configure the settings for the package.
  11. Select the Scripts payload and click Configure.
  12. Click Add for the importCACert.sh script.
  13. Choose "After" from the Priority pop-up menu.
  14. Click the Scope tab and configure the scope of the policy.
  15. Click Save.

Version 8.x

To deploy the certificate package and run the importCACert.sh script using a policy:

  1. Add the certificate package and the importCACert.sh script to Casper Admin, and assign a priority of "After" to the script. For complete instructions, see "Managing Packages" and "Managing Scripts" in the Casper Suite Administrator's Guide.
  2. Log in to the JSS with a web browser.
  3. Click the Management tab.
  4. Click the Policies link.
  5. Click the Create Policy button.
  6. Select the Create policy manually option and click Continue.
  7. Specify a display name, trigger, and execution frequency.
  8. Click the Packages tab, and then click the Add Package link.
  9. Choose "Install" from the Action pop-up menu across from the certificate package, and then click Add Packages.
  10. Click the Scripts tab, and then click the Add Script link.
  11. Select the Run After option above the importCACert.sh script, and then click Add Scripts.
  12. Click the Scope tab and assign computers or user groups to the scope.
  13. Click Save.
Posted by jeremysmythe

If it is necessary for the Developer ID Certification Authority intermediate certificate to be on the machine, how does one get it installed on a machine before doing User Initiated Enrollment? An example is BYOD, where I have no way to install the cert before enrollment.

Posted by philipwoods

Agree with @jeremysmythe. All a bit chicken and egg this one.

I've asked our Apple developer account 'agent' to generate the installer certificate so we can sign our QuickAdd package. If that still doesn't install smoothly without this intermediate certificate being installed, I really don't understand how user initiated enrolment is supposed to work without generating unwanted support tickets for people who don't know the 'right click' for an untrusted app source.

Will post results here for signed QuickAdd without the intermediate CA being installed.
