Help

Keychain Access: Search Directory Services for Certificates

dstranathan
Valued Contributor II

Posted on ‎12-28-2016 11:04 AM

Can Macs get Root CA certificates installed from Active Directory?

I just noticed an option in the Keychain Access app “Search Directory Services for Certificates”. Never noticed this option before. Can someone expand on what this checkbox does?

In the past, I have deployed our certs via custom .pkgs & scripts through JAMF policies (and even ARD back in the day).

Like most environments, certificates are commonly required for our services such as Intranet site(s), 802.1x, Wi-Fi, etc.

I dug around in the man page for /usr/bin/security and I dont see any commands that are applicable.

59a9140d9fa04853aa2c2a462c5bf37d

0 Kudos
1 REPLY 1

mm2270
Legendary Contributor III

Posted on ‎12-28-2016 11:25 AM

I don't know too much about this feature, but my understanding is its used mostly for obtaining communication related certificates, like for secure email, from a directory service (AD, OD, etc)
I doubt you could use it to install a Root CA to a Mac. This page from Apple has no mention of it being used for that purpose, and in fact states that a CA signing certificate must already be installed first for the feature to work at all.

As for installing certs, I would also look at Configuration Profiles these days, if your JSS and Macs are configured to use them. I just started doing this and its really pretty easy and reliable. Much better than using workarounds like deploying the cert in a pkg and installing in a postinstall script, IMO anyway.

0 Kudos