Enroll Macs /w our Microsoft CA

We have a Microsoft CA and we need our Macs to enroll or auto-enroll and receive a computer certificate so that they can connect to a secure wireless network with that cert.

How can we make this happen in OS X 10.4-10.7?
1 Solution
It's not an easy process, but have a look at this page:
ServDeskKnows (Author) commented:
sofsol: Thanks for the link. It looks like a messier solution than I was hoping for, but unless anyone has a more straightforward option I'll give that a whirl.
Paranormastic (Cryptographic Engineer) commented:
That article has the general gist of what needs to be done.  From there you may need to interpret a little bit for your environment.

First of all note that those instructions describe a stand-alone CA instead of an Enterprise CA, where most of the attributes would already be enabled (except maybe the SAN, but that is common to enable when first installing the CA).  What this means is all the policy file stuff and manually setting the attributes doesn't need to be done if you pick a machine template that already has the client authentication attribute set.  Duplicate a workstation template, for example, and configure to supply the name in the request instead of from AD.

Getting anything resembling autoenrollment is not likely realistic if these instructions seem complicated.

Depends on how many clients you're talking about... If it is just a few boxes you could manually create a Certificate Signing Request (CSR) file and submit that to the CA. This is fairly easy to script with OpenSSL on the Mac and either using the certsrv page or the certreq -submit command line from your Windows workstation.

Create private key and then use that to create the CSR file:
openssl genrsa -aes256 -out YourSite.key 2048
openssl req -new -sha1 -key YourSite.key -out YourSite.csr

Issue cert:
certreq -submit -attrib certificatetemplate:TEMPLATENAME\nSAN:dns=hostname&dns=hostname.domain.local -config CASERVERNAME\CANAME -f PATH\YourSite.csr PATH\YourSite.cer

If you are on XP then you need to install 2003 SP1 adminpak to get certreq & certutil, anything newer it should be there already.

ALL CAPS are variables above... enter 'certutil' from a cmd box and press enter (no -switches) and it should return "Config" somewhere in the middle for CASERVERNAME\CANAME.  The template name should be the name with no spaces as shown in the first half of each line from 'certutil -config CASERVERNAME\CANAME -catemplates'

If you put this into a batch file, you may need to use ^& for & if you are using the SAN.  If there is no SAN then leave out the \nSAN:dns=... part.

If you have a lot of these to do (let's say over 50) then let me know and I can put up a couple of scripts to automate.

Remember to check for expiring certificates or set calendar reminders or something so they don't all expire on you, since they will not autoenroll.

I don't really do much with Macs to validate that OpenSSL would work instead of the mentioned GUI, however it is a strongly educated guess that the GUI probably uses OpenSSL under the hood like most Linux/Unix apps. It would probably be worth doing one using the GUI so you know what it should look like for different values. If not, find a macro program to automate the clicks!
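As an added example (not code from the thread), the key-and-CSR step above scripted for the Mac side: the SAN is carried inside the CSR via an OpenSSL config, so a template set to take the subject from the request can honor it and the \nSAN: request attribute on certreq is not needed. The hostname and domain are constructed values, SHA-256 replaces the thread's SHA-1, and the key is left unencrypted (protected by file permissions) so the script runs unattended.

```shell
#!/bin/sh
# Added example: script the private key + CSR generation with the SAN
# inside the request. Hostnames below are constructed, not from the thread.
set -e

# make_csr HOST DOMAIN OUTDIR -> writes OUTDIR/HOST.key and OUTDIR/HOST.csr
make_csr() {
    host=$1; domain=$2; out=$3
    mkdir -p "$out"
    umask 077   # private key readable only by the current user
    cat > "$out/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $host.$domain
[ ext ]
subjectAltName = DNS:$host, DNS:$host.$domain
EOF
    openssl genrsa -out "$out/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$out/$host.key" \
        -config "$out/$host.cnf" -out "$out/$host.csr"
}

# csr_has_san CSR NAME -> success if NAME appears among the CSR's DNS SANs
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_matches_key CSR KEY -> success if the CSR carries KEY's public key,
# i.e. the request really belongs to the key you are about to install
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ "$a" = "$b" ]
}

# Example run with constructed names; the .csr is what goes to certreq -submit
make_csr mac01 example.local ./out
csr_has_san ./out/mac01.csr mac01.example.local && echo "SAN present"
csr_matches_key ./out/mac01.csr ./out/mac01.key && echo "key matches CSR"
```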