Questions:
What is the configuration necessary for Mac systems to successfully receive auto-enrolled workstation-authentication certificates?
Answer:
On the CA server:
- Go to the Start menu > Run > mmc.exe > File > Add/Remove Snap In...
- Add > Certificate Templates
- Add > Certificate Authority > Select Local (or the target CA to be configured) > OK
- In the console, go to Certificate Templates and duplicate the Workstation Authentication certificate (right-click > All Tasks > Duplicate Template):
- Give it a meaningful name, e.g. "Mac Auto-Enroll Certs" and then configure the following properties:
- Extensions tab > Application Policies > Edit... > Add... > Server Authentication
(Client Authentication should already be in the Application policy list)
- Subject Name > "Build this from AD information" >
- Security tab > Allow Enroll & Autoenroll permissions for the appropriate AD groups
(i.e. Domain Computers)
- Note: Additional properties may also need to be configured, depending on the target environment and the desired usage of the certificate.
- Go into the Certification Authority section > [domain] > Right-click on Certificate Template > New > "Certificate Template to Issue" > Scroll to the newly created template and add it to the list.
- Enable the Group Policy at:
- Windows 2003
- Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Autoenrollment Settings"
- Windows 2008
- Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Certificate Services Client - Auto-Enrollment Settings"
- Select the renew and update options as needed.
- Go to the Mac and pull down the certs immediately by opening the Terminal and running:
sudo adflush
adgpupdate
- When the operation completes, check that the certificates have been downloaded into Keychain Access. They should also appear in the location: /var/centrify/net/certs/
- Check also on the CA server by opening the Certification Authority console (certsrv.msc) and looking in the Issued Certificates folder.
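To confirm that what landed on the Mac matches the template configured above (Client Authentication plus Server Authentication EKUs, subject built from the AD computer name), here is an added shell check; it is not part of this KB or the Centrify agent, assumes OpenSSL is on the PATH, and takes the expected CN from the caller (defaulting to hostname -f).

```sh
#!/bin/sh
# Added example, not part of the Centrify KB: inspect the certificates in
# /var/centrify/net/certs/ and confirm each one carries the two EKUs the
# duplicated Workstation Authentication template was given, and that its
# subject CN is this machine's AD name. Assumes OpenSSL; PEM or DER files.

CERT_DIR="${CERT_DIR:-/var/centrify/net/certs}"

# Run "openssl x509 -noout" on file $1 with the remaining args, PEM first, then DER.
x509_info() {
    f="$1"; shift
    openssl x509 -in "$f" -noout "$@" 2>/dev/null \
        || openssl x509 -in "$f" -inform DER -noout "$@" 2>/dev/null
}

# Print the subject CN of $1 (empty if the file is not a certificate).
cert_cn() {
    x509_info "$1" -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Print the EKU line of $1, e.g. "TLS Web Client Authentication, TLS Web Server Authentication".
cert_ekus() {
    x509_info "$1" -text | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Return 0 only if $1 has both template EKUs and its CN equals $2.
verify_cert() {
    ekus=$(cert_ekus "$1")
    case "$ekus" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    case "$ekus" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    [ "$(cert_cn "$1")" = "$2" ]
}

# Report every file in CERT_DIR; non-certificate files (e.g. keys) are skipped.
# Returns 1 if any certificate fails the check.
check_enrolled_certs() {
    expected_cn="${1:-$(hostname -f)}"
    status=0
    for f in "$CERT_DIR"/*; do
        [ -f "$f" ] || continue
        x509_info "$f" -serial >/dev/null || { echo "SKIP $f (not a certificate)"; continue; }
        if verify_cert "$f" "$expected_cn"; then
            echo "OK   $f"
        else
            echo "FAIL $f (CN: $(cert_cn "$f"); EKU: $(cert_ekus "$f"))"
            status=1
        fi
    done
    return $status
}
```

Run it as `sh check_certs.sh` after adgpupdate finishes, or pass the expected CN explicitly when the Mac's local hostname differs from its AD computer name.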
Note 1:
Support for using this type of certificate for authenticating into 802.1x networks was introduced in Centrify Suite 2013.2 (Mac agent 5.1.1). For further configuration steps on how to set up the 802.1x authentication profile via group policy, please see the Centrify Admin Guide for Mac OS X:
Note 2:
For auto-enrollment of user certificates, see:
Note 3:
See also the following KB for troubleshooting tips: