Announcement

[2017.09.08] DeployStudio build v1.7.8 (checksum, release note).
[2016.08.26] DeployStudio build v1.6.19 (release note).
[2013.02.23] DeployStudio last universal build v1.5.17 (release note).

#1 2014-06-16 13:10:22

jelockwood
Member
Registered: 2009-11-11

Request: Workflow step to install self-signed rootCA

Many organisations I suspect will be using a self-signed rootCA certificate to generate server certificates for their various servers. These servers may include the Open Directory server, Munki server, etc. While it would be possible to include and trust a self-signed rootCA certificate in a custom/monolithic image of a pre-configured Mac, this is not possible if one is using a thin never booted image. (A choice increasingly common these days.)

I tried making an installer package to install and trust my self-signed rootCA and this works fine when run manually and would, I suspect, work fine as a postponed install, but unfortunately it does not work as a non-postponed install. It is therefore not possible to get it to run successfully before the joining to Open Directory step. If your Open Directory is using SSL this may be necessary.

Unless someone can suggest a way to install and trust a self-signed rootCA during a workflow as a non-postponed step, and therefore make it possible to do before joining Open Directory, I would like to request a new workflow option to take a selected rootCA and to install and trust it. This step would be somewhat like the step already available for installing a trusted Certificate Authority as part of enrolling to an MDM.

It should be noted that if your MDM enrolment workflow step uses the same self-signed rootCA and you run this before joining Open Directory then this does work in that it does install and trust the self-signed rootCA as a non-postponed step. However this is only a valid solution if of course you do have an MDM to enrol with which would not apply to everyone.

For the benefit of others the command line command I would normally use to install and trust the self-signed rootCA is as follows.

sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/path/to/rootCA.crt"

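An added example (not DeployStudio's code and not the poster's package) of what a postponed, first-boot script around the command above can do that a bare `security add-trusted-cert` call does not: it pins the root CA's SHA-256 fingerprint and refuses to trust the file if the fingerprint does not match, so a certificate swapped in the deployment repository is not silently added to the admin trust domain. The helper names, the `policy` option (which maps to the real `-p` flag of `security add-trusted-cert`) and the sample PEM are this example's own assumptions; the sample wraps the bytes `hello` rather than a real certificate, so it only exercises the parsing and pinning logic.

```python
"""First-boot step: trust a self-signed root CA in the System keychain only
after its SHA-256 fingerprint matches a pinned value.

Added example for this thread; not DeployStudio's own code.  The argv built
in trust_command() is the add-trusted-cert call from the post above; the
pinning logic, helper names and sample PEM are this example's additions.
"""
import base64
import hashlib
import re
import subprocess
import sys

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"
SECURITY = "/usr/bin/security"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in a PEM text.

    Bundles are rejected: a root to be trusted with '-r trustRoot' should be
    exactly one self-signed certificate, not a chain.
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected one CERTIFICATE block, found %d" % len(blocks))
    body = re.sub(r"\s+", "", blocks[0])
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint over the DER bytes,
    the form `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise_fp(fp):
    # Accept "AB:CD..." or "abcd..." so an operator can paste either form.
    return fp.replace(":", "").replace(" ", "").lower()


def trust_command(cert_path, keychain=SYSTEM_KEYCHAIN, policy=None):
    """argv for the command in the post: -d (admin trust domain),
    -r trustRoot (self-signed root), -k (target keychain).  `policy` adds
    -p to limit trust to one policy such as "ssl" instead of all policies."""
    argv = [SECURITY, "add-trusted-cert", "-d", "-r", "trustRoot", "-k", keychain]
    if policy:
        argv += ["-p", policy]
    argv.append(cert_path)
    return argv


def plan_trust_install(pem_text, expected_sha256, cert_path,
                       keychain=SYSTEM_KEYCHAIN, policy=None):
    """Verify the pinned fingerprint and return the argv to run; executes
    nothing, so it can be checked without root or macOS."""
    actual = sha256_fingerprint(pem_to_der(pem_text))
    if _normalise_fp(actual) != _normalise_fp(expected_sha256):
        raise ValueError("fingerprint mismatch: expected %s, file has %s"
                         % (expected_sha256, actual))
    return trust_command(cert_path, keychain, policy)


def install_trusted_root(cert_path, expected_sha256,
                         keychain=SYSTEM_KEYCHAIN, policy=None):
    """Read the PEM, verify it, then run `security` (root required, and only
    meaningful on the booted OS, per the reply below in the thread)."""
    with open(cert_path, "r") as fh:
        pem_text = fh.read()
    argv = plan_trust_install(pem_text, expected_sha256, cert_path, keychain, policy)
    subprocess.run(argv, check=True)
    return argv


# Constructed sample input: a PEM wrapper around the bytes b"hello".  This is
# NOT a certificate; it exists only so the parsing and pinning can be tested.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"
SAMPLE_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

if __name__ == "__main__":
    # Usage: sudo python3 trust_rootca.py /path/to/rootCA.crt <sha256-fingerprint>
    if len(sys.argv) != 3:
        print(plan_trust_install(SAMPLE_PEM, SAMPLE_SHA256, "/path/to/rootCA.crt"))
        sys.exit(0)
    install_trusted_root(sys.argv[1], sys.argv[2])
```

Two design points: the fingerprint is pinned in the script (or passed on its command line) rather than read from the repository next to the certificate, since anyone who can replace the .crt can replace a sidecar file too; and `policy="ssl"` is worth considering when the root only needs to validate the Open Directory and Munki servers' TLS certificates, because the post's `-r trustRoot` with no `-p` trusts the root for every policy, code signing included.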

#2 2014-06-17 08:31:52

homerdjw
Member
From: London, England
Registered: 2013-01-24
Website

Re: Request: Workflow step to install self-signed rootCA

Hi Jelockwood.

The problem you have is that you need to run a command to get the OS to accept the cert. This command only works on the OS it is booted to and not another volume. This is a limitation of the command and I don't think there is a way to make this available in the manner you suggest.

To see the viability, I'd suggest try running your script / command with a Mac in Target disk mode and try and get that cert into the non-booted OS. You'll have the same problem.

What is the requirement to have the certificate already in the image rather than a postponed install?

Darren


#3 2014-06-18 11:38:42

jbygden
Member
Registered: 2014-06-18

Re: Request: Workflow step to install self-signed rootCA

I'm trying to achieve this as well. My follow-up question would be: Where is the target disk mounted after restore, during the finalize phase? And for scripts set to run postponed (on first boot after restoration), where are those scripts located at that time, and can those scripts access the "server folder" on the DS server where they, files and pkgs are stored? If so, where is that mounted?

/Jonas


#4 2014-06-18 12:36:35

jbygden
Member
Registered: 2014-06-18

Re: Request: Workflow step to install self-signed rootCA

> jbygden wrote:

> I'm trying to achieve this as well. My follow-up question would be: Where is the target disk mounted after restore, during the finalize phase? And for scripts set to run postponed (on first boot after restoration), where are those scripts located at that time, and can those scripts access the "server folder" on the DS server where they, files and pkgs are stored? If so, where is that mounted?

OK, I found this out by myself - wasn't so hard.

The target disk is mounted under /Volumes/Macintosh\ HD (if that's the volume name) and the repository from the DS server is mounted at /private/var/tmp/DSNetworkRepository


#5 2014-09-04 07:23:35

HarryPoter
Member
Registered: 2014-09-04

Re: Request: Workflow step to install self-signed rootCA

It should be noted that if your MDM enrolment workflow step uses the same self-signed rootCA and you run this before joining Open Directory then this does work in that it does install and trust the self-signed rootCA as a non-postponed step. However this is only a valid solution if of course you do have an MDM to enrol with which would not apply to everyone.

Last edited by HarryPoter (2014-09-22 07:46:22)
