Enroll Macs w/ our Microsoft CA

Posted on 2011-10-11
Last Modified: 2012-05-12
We have a Microsoft CA and we need our Macs to Enroll or Auto-enroll and receive a computer certificate so that they can connect to a secure wireless with that cert.

How can we make this happen in OS X 10.4-10.7?
Question by: ServDeskKnows
    LVL 3

    Expert Comment

    It's not an easy process, but have a look at this page:

    Author Comment

    sofsol: Thanks for the link.  It looks like a messier solution than I was hoping for, but unless anyone has a more straight forward option I'll give that a whirl.
    LVL 31

    Accepted Solution

    That article has the general gist of what needs to be done.  From there you may need to interpret a little bit for your environment.

    First of all note that those instructions describe a stand-alone CA instead of an Enterprise CA, where most of the attributes would already be enabled (except maybe the SAN, but that is common to enable when first installing the CA).  What this means is all the policy file stuff and manually setting the attributes doesn't need to be done if you pick a machine template that already has the client authentication attribute set.  Duplicate a workstation template, for example, and configure to supply the name in the request instead of from AD.

    Getting anything resembling autoenrollment is not likely realistic if these instructions seem complicated.

    Depends on how many clients you're talking about...  if it is just a few boxes you could manually create a Certificate Signing Request (CSR) file and submit that to the CA.  This is fairly easy to script with OpenSSL on the Mac and either using the certsrv page or certreq -submit command line from your Windows workstation.

    Create private key and then use that to create the CSR file:
    openssl genrsa -aes256 -out YourSite.key 2048
    openssl req -new -sha1 -key YourSite.key -out YourSite.csr

    Issue cert:
    certreq -submit -attrib certificatetemplate:TEMPLATENAME\nSAN:dns=hostname&dns=hostname.domain.local -config CASERVERNAME\CANAME -f PATH\YourSite.csr PATH\YourSite.cer

    If you are on XP then you need to install 2003 SP1 adminpak to get certreq & certutil, anything newer it should be there already.

    ALL CAPS are variables above... enter 'certutil' from a cmd box and press enter (no -switches) and it should return "Config" somewhere in the middle for CASERVERNAME\CANAME.  The template name should be the name with no spaces as shown in the first half of each line from 'certutil -config CASERVERNAME\CANAME -catemplates'

    If you put this into a batch file, you may need to use ^& for & if you are using the SAN.  If there is no SAN then leave out the \nSAN:dns=... part.

    If you have a lot of these to do (let's say over 50) then let me know and I can put up a couple scripts to automate.

    Remember to check for expiring certificates or set calendar reminders or something so they don't all expire on you, since they will not autoenroll.

    I don't really do much with Macs to validate that openssl would work instead of the mentioned GUI, however it is a strongly educated guess that the GUI probably uses openssl under the hood like most Linux/Unix apps.  It would probably be worth doing one using the GUI so you know what it should look like for different values.  If not, find a macro program to automate the clicks!
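Added example (not the scripts the answer above offers, and not from anyone in this thread): a POSIX shell script for the Mac side that generates an unencrypted key plus a CSR carrying the SAN and clientAuth EKU for each hostname, prints the matching `certreq -submit` line with `&` escaped as `^&` for a .bat file, and wraps `openssl x509 -checkend` as the expiry check the answer recommends. Assumed values: the template name `WorkstationMac`, the domain `domain.local`, the hostnames, and `CASERVERNAME\CANAME` are placeholders exactly as in the answer; the template is assumed to be a workstation duplicate that takes the subject from the request; `-sha256` replaces the answer's `-sha1`, and a `-config` file replaces `-addext` so the script also runs on the older OpenSSL shipped with 10.4-10.7.

```shell
#!/bin/sh
# Added example: bulk key/CSR generation on the Mac side plus the matching
# certreq line for the Windows side. Not the thread author's scripts.
# Assumed placeholders: template "WorkstationMac", CA "CASERVERNAME\CANAME",
# hostnames passed on the command line.
set -eu

# Build the certreq -attrib value. certreq separates attributes with a
# literal backslash-n, so the two characters "\n" are emitted, not a newline.
build_attrib() {
    template=$1; shift
    attrib="certificatetemplate:$template"
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans&}dns=$h"
    done
    if [ -n "$sans" ]; then
        attrib="$attrib\\nSAN:$sans"
    fi
    printf '%s' "$attrib"
}

# Escape '&' as '^&' so the line survives inside a .bat file (cmd.exe treats
# a bare '&' as a command separator).
batch_escape() {
    printf '%s' "$1" | sed 's/&/^\&/g'
}

# Write an OpenSSL request config carrying the SAN and clientAuth EKU, then
# generate the key and CSR. A -config file is used instead of -addext so the
# same script runs on the older OpenSSL shipped with 10.4-10.7.
make_csr() {
    host=$1; fqdn=$2
    cat > "$host.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$host, DNS:$fqdn
extendedKeyUsage = clientAuth
EOF
    # Unencrypted key (no -aes256): the wireless supplicant must use it without
    # a passphrase prompt, so protect it with file permissions instead.
    openssl genrsa -out "$host.key" 2048
    chmod 600 "$host.key"
    openssl req -new -sha256 -key "$host.key" -config "$host.cnf" -out "$host.csr"
}

# Exit 0 if the certificate is still valid DAYS days from now, non-zero if it
# expires sooner: the answer's "check for expiring certificates" as a cron-able test.
check_expiry() {
    cert=$1; days=$2
    openssl x509 -checkend $(( days * 86400 )) -noout -in "$cert"
}

# usage: sh enroll-macs.sh WorkstationMac domain.local mac01 mac02 ...
if [ $# -ge 3 ]; then
    template=$1; domain=$2; shift 2
    for host in "$@"; do
        make_csr "$host" "$host.$domain"
        attrib=$(build_attrib "$template" "$host" "$host.$domain")
        # One line per host to paste into a .bat file on the Windows workstation.
        printf 'certreq -submit -attrib "%s" -config CASERVERNAME\\CANAME -f %s.csr %s.cer\n' \
            "$(batch_escape "$attrib")" "$host" "$host"
    done
fi
```

Copy the generated .csr files to the Windows workstation, run the printed certreq lines there, and bring the .cer files back to each Mac; `check_expiry mac01.cer 30` from cron gives the expiry reminder the answer asks for.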
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
