Scripting an Identity Preference to match a VPN URL to a User Certificate

djrory
Contributor

A very long tedious story short, I am trying to use an Identity Preference to 'link' a URL to a Certificate we have issued.

Users have a certificate named (First name Last name), and we have a URL *.vpnaddress.com that requires this certificate.

Chrome and Safari often like to not prompt the user for a certificate which in turn throws an error from the VPN website.

To avoid this and many other related issues I'm trying to use the Identity Preference to skip this 'prompting for certificate' step and have the machine recognise the URL and provide the certificate.

I have proven that this method works locally via this command:

#!/bin/bash

# Quote the full name: it contains a space and would otherwise be split into two arguments
security set-identity-preference -c "$(id -F)" -s "*.vpnaddress.com"

However, the catch here is that $(id -F) does not always match the user's certificate, as the certificate server uses the user's cn value from the object in AD and the account on the device uses the Display Name.

To combat this I've tried retrieving the certificate and snipping the excess off like this:

#!/bin/bash

# Quote $(id -F) so a name with a space stays one argument; cut -c19- strips the leading '    "labl"<blob>="' and sed drops the closing quote
usersfname=$(sudo security find-certificate -a -c "$(id -F)" -Z login.keychain | grep '^    "labl"<blob>="' | cut -c19- | sed 's/.$//')

Locally this returns the name of the certificate just fine; however, when deployed via a script it fails and does not return the name.

I feel there must be a better way to do this. I tried querying AD via LDAP, but this was difficult to script universally as our instance requires binding to query, etc.

Any help is appreciated, let me know if you need any more details.

Here is the latest iteration of the script I've tried.

#!/bin/bash

# Created by Rory Powell 14/03/19
# Create an identity preference for VPN

# The script runs as root from management, so find the user who owns the console session
currentuser=$(stat -f "%Su" /dev/console)
echo "current user: $currentuser"

# Full name as the account on the device reports it
fullname=$(su "$currentuser" -c "id -F")
echo "fullname: $fullname"

# Run as the console user: a bare "login.keychain" resolves relative to the invoking
# user, so as root it would look in root's keychain, not the user's. Quote $fullname.
cert=$(sudo -u "$currentuser" security find-certificate -a -c "$fullname" -Z login.keychain)
echo "cert: $cert"

# Feed the captured output to grep via echo; a bare $cert would try to execute it
certname=$(echo "$cert" | grep '^    "labl"<blob>="' | cut -c19- | sed 's/.$//')
echo "certname: $certname"

# The identity preference also lives in the user's login keychain, so set it as that user
sudo -u "$currentuser" security set-identity-preference -c "$certname" -s "*.vpnaddress.com"


#various other attempts

#echo security find-certificate -a -c $fullname -Z login.keychain | grep ^'    "labl"<blob>="' |cut -c19- | sed 's/.$//'
#usersfname=$(su "$currentuser" -c "id -F")
#usersfname=$(sudo security find-certificate -a -c $(id -F) -Z login.keychain | grep ^'    "labl"<blob>="' |cut -c19- | sed 's/.$//')
#fullname=`id -F`
#echo security find-certificate -a -c $(id -F) -Z login.keychain | grep ^'    "labl"<blob>="' |cut -c19- | sed 's/.$//'
# |cut -c19- | sed 's/.$//'
#usersfname=$(id -F)
#echo id -F
#echo $usersfname
#echo The users full name is: $usersfname

djrory
Contributor

Managed to find a one-line solution to this issue, then just placed this in the Files and Processes window.

Although it only works locally.

Here it is for future reference.

sudo -u "$(stat -f "%Su" /dev/console)" security set-identity-preference -c "$(sudo -u "$(stat -f "%Su" /dev/console)" security find-certificate -a -c "$(sudo -u "$(stat -f "%Su" /dev/console)" id -F)" -Z login.keychain | grep '^    "labl"<blob>="' | cut -c19- | sed 's/.$//')" -s "*.vpnaddress.com"
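The same flow as an added, stand-alone script (not the poster's code or Jamf's): every `security` call runs as the console user with that user's HOME, so `login.keychain` resolves to the user's keychain rather than root's, and the certificate label is parsed by anchoring on the `"labl"` attribute instead of a fixed column offset. It assumes (not stated in the thread) that exactly one certificate label matches the user's full name and that the script is launched as root; the `*.vpnaddress.com` pattern is the one from the post, and the `security find-certificate` dump at the bottom is constructed sample data for exercising the parser offline.

```shell
#!/bin/sh
# Added example, not the original poster's script. Binds the console user's
# client certificate to the VPN host pattern as an identity preference, running
# every `security` call as that user so login.keychain resolves to the user's
# keychain instead of root's. Assumed (not stated in the post): exactly one
# certificate label matches the user's full name, and the script runs as root.
set -eu

VPN_HOST_PATTERN="*.vpnaddress.com"

# Pull every  "labl"<blob>="..."  value out of `security find-certificate -a`
# output read from stdin, one per line. Anchoring on the attribute name rather
# than a fixed column (cut -c19-) makes this independent of indentation.
extract_cert_labels() {
    sed -n 's/^[[:space:]]*"labl"<blob>="\(.*\)"[[:space:]]*$/\1/p'
}

# Accept exactly one label from stdin; fail loudly otherwise, because picking
# an arbitrary certificate from several matches would bind the wrong identity.
select_single_label() {
    labels=$(extract_cert_labels)
    count=$(printf '%s\n' "$labels" | sed '/^$/d' | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one matching certificate label, found $count" >&2
        return 1
    fi
    printf '%s\n' "$labels"
}

# The user who owns the GUI session (macOS: stat -f is BSD syntax).
console_user() {
    stat -f "%Su" /dev/console
}

# Run a command as the console user with that user's HOME (-H), so the
# relative keychain name "login.keychain" is the user's, not root's.
run_as_console_user() {
    sudo -H -u "$(console_user)" "$@"
}

# End-to-end flow; only invoked below when the macOS `security` tool exists.
set_vpn_identity_preference() {
    fullname=$(run_as_console_user id -F)
    label=$(run_as_console_user security find-certificate -a -c "$fullname" login.keychain \
        | select_single_label)
    run_as_console_user security set-identity-preference -c "$label" -s "$VPN_HOST_PATTERN"
}

# Constructed sample of `security find-certificate -a` output (not a real dump),
# used to exercise the parsing without a keychain.
SAMPLE_FIND_OUTPUT='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: 0x80001000 
attributes:
    "alis"<blob>=<NULL>
    "ctyp"<uint32>=0x00000001 
    "labl"<blob>="Jane Doe"
    "subj"<blob>=0x3011
'

# Label extracted from the constructed sample.
demo_single_label() {
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" | select_single_label
}

# Two certificates in one dump must be rejected rather than silently picked.
demo_ambiguous_labels() {
    { printf '%s\n' "$SAMPLE_FIND_OUTPUT"; printf '%s\n' "$SAMPLE_FIND_OUTPUT"; } | select_single_label
}

if [ "$(uname)" = "Darwin" ] && command -v security >/dev/null 2>&1; then
    set_vpn_identity_preference
fi
```

Writing the identity preference modifies the user's login keychain, which has to be unlocked; that is normally the case while the user is logged in at the console, which is also the only situation in which `stat -f "%Su" /dev/console` returns a real user rather than root. Refusing to proceed on zero or several label matches is deliberate: binding a URL to the wrong certificate is harder to notice and debug than a script that exits with a message.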