How to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate profile payload

Learn how to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate profile payload.

With OS X Lion and later, you can acquire a certificate from a Microsoft Certificate Authority using the com.apple.adcertificate.managed profile payload. Lion submitted the request through the CA’s web enrollment interface; Mountain Lion and later submit it over the DCE/RPC protocol instead. DCE/RPC removes the need for a web-enabled Certificate Authority (CA), and because the request names the template directly, any template the CA publishes can be used for issuance rather than only those exposed through web enrollment. The request is authenticated with the client’s Active Directory (Kerberos) identity, so the computer or user account must hold Enroll permission on the chosen template for the CA to issue the certificate.

Mountain Lion and later offer full support for Active Directory Certificate profiles in the web UI of Profile Manager. Active Directory Certificate profiles for computers or users can be deployed to client devices using either automatic push or manual download.

This article applies to:

  • OS X Mountain Lion clients and OS X Server (Mountain Lion)
  • OS X Mavericks clients and OS X Server (Mavericks)
  • OS X Yosemite clients and OS X Server (Yosemite)

A separate article covers OS X Lion clients.

Certificate renewal for OS X Mavericks and Yosemite clients is covered in a separate article.

Network and system requirements

  • A valid Active Directory (AD) domain
  • A working Microsoft Active Directory Certificate Services CA, reachable from the client over DCE/RPC (the RPC endpoint mapper on TCP 135 plus the dynamic RPC port it assigns)
  • An OS X Mountain Lion or later client system bound to Active Directory

Profile deployment

OS X Lion and later support configuration profiles. Many system and account settings can be defined with profiles. Various methods exist for delivering profiles to OS X clients. OS X Server’s Profile Manager serves as the primary example for profile delivery in this article. Other methods as simple as double-clicking on a .mobileconfig file in the Finder, or as complex as a third-party Mobile Device Management (MDM) server, can also be used to install profiles on client computers using OS X Mountain Lion or later. 

Payload details

The Profile Manager interface for defining an Active Directory Certificate payload contains the following fields.

  • Description: Supply a brief description of the profile payload.
  • Certificate Server: Supply the fully qualified host name of your CA. Do not preface the hostname with ‘http://’; the request goes over DCE/RPC, not HTTP.
  • Certificate Authority: Supply the ‘short name’ of your CA. This value is the CN of the CA’s Active Directory entry: CN=<your CA name>, CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, <your base DN>
  • Certificate Template: Supply the name of the certificate template to request. The default user certificate value is ‘User’. The default computer certificate value is ‘Machine’. The template must be published on the CA, and the requesting computer or user account must have Enroll permission on it, or the CA will reject the request.
  • Prompt for credentials: Disregard this option for computer certificates. For user certificates, this setting only applies if Manual Download is the chosen method of profile delivery. The user is then prompted for credentials when the profile is installed.
  • Username: Disregard this field for computer certificates. For user certificates, optionally supply an Active Directory username as the basis for the requested certificate.
  • Password: Disregard this field for computer certificates. For user certificates, optionally supply the password associated with that Active Directory username. Note that a password entered here is stored in the profile itself, and a .mobileconfig is plain text, so anyone who obtains the profile can read it. Prefer the logged-in user’s Kerberos ticket (automatic push) or Prompt for credentials (manual download) over an embedded password.
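The following Python script is added here as an example; it is not code from Apple’s article or from Profile Manager. It builds the same Active Directory Certificate payload from the fields above and enforces the rules they state: it derives the CA short name from the CA object’s Active Directory DN, rejects a Certificate Server value that carries a scheme or path, defaults the template to Machine or User, and refuses to write an Active Directory password into the profile unless explicitly told to. Payload key names follow Apple’s Configuration Profile Reference for this payload; the server name, CA name and payload identifiers are placeholders.

```python
import plistlib
import uuid

# Key names follow Apple's Configuration Profile Reference for the Active
# Directory Certificate payload; the server, CA and identifier values used
# in this script are constructed placeholders.
PAYLOAD_TYPE = "com.apple.adcertificate.managed"
DEFAULT_TEMPLATES = {"computer": "Machine", "user": "User"}
CA_CONTAINER = ["cn=certification authorities", "cn=public key services",
                "cn=services", "cn=configuration"]


def ca_short_name_from_dn(dn):
    """Return the CA 'short name' (the leading CN) from the CA object's AD DN.

    The DN must sit directly under CN=Certification Authorities,CN=Public Key
    Services,CN=Services,CN=Configuration,<base DN>. Escaped commas inside
    the CN are not handled (they are rare in CA names).
    """
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 5 or not rdns[0].lower().startswith("cn="):
        raise ValueError("not a CA object DN: %r" % dn)
    if [r.lower() for r in rdns[1:5]] != CA_CONTAINER:
        raise ValueError("DN is not under the Certification Authorities container: %r" % dn)
    return rdns[0][3:]


def build_ad_certificate_payload(cert_server, ca_name, kind, template=None,
                                 description=None, prompt_for_credentials=False,
                                 username=None, password=None,
                                 allow_embedded_password=False):
    """Return one Active Directory Certificate payload as a dict.

    kind is 'computer' or 'user'. Rejects a Certificate Server value carrying
    a scheme or path, and refuses to embed an AD password unless the caller
    opts in, because a .mobileconfig is plain text and the password would be
    readable by anyone who obtains the profile.
    """
    if kind not in DEFAULT_TEMPLATES:
        raise ValueError("kind must be 'computer' or 'user'")
    server = cert_server.strip()
    if not server or "://" in server or "/" in server:
        raise ValueError("Certificate Server must be a bare FQDN: %r" % cert_server)
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.adcert.%s" % kind,  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory Certificate",
        "Description": description or "%s certificate from %s" % (kind, ca_name),
        "CertServer": server,
        "CertificateAuthority": ca_name,
        "CertTemplate": template or DEFAULT_TEMPLATES[kind],
        "CertificateAcquisitionMechanism": "RPC",  # DCE/RPC, not web enrollment
    }
    if kind == "user":
        # These fields are only meaningful for user certificates.
        payload["PromptForCredentials"] = bool(prompt_for_credentials)
        if username:
            payload["UserName"] = username
        if password:
            if not allow_embedded_password:
                raise ValueError("refusing to embed an AD password in the profile; "
                                 "use PromptForCredentials or allow_embedded_password=True")
            payload["Password"] = password
    return payload


def profile_plist(payloads, identifier="com.example.adcert-profile"):
    """Wrap payloads in a top-level Configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory Certificate",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def parse_profile(data):
    """Inverse of profile_plist, for round-trip checks."""
    return plistlib.loads(data)


if __name__ == "__main__":
    ca = ca_short_name_from_dn(
        "CN=CORP-ISSUING-CA,CN=Certification Authorities,CN=Public Key Services,"
        "CN=Services,CN=Configuration,DC=corp,DC=example,DC=com")
    machine = build_ad_certificate_payload("ca01.corp.example.com", ca, "computer")
    print(profile_plist([machine]).decode())
```

Running the script prints a .mobileconfig containing a single computer-certificate payload; a user payload is built the same way with kind="user". The password refusal is deliberate: the two delivery paths the article describes (the logged-in user’s Kerberos ticket, or a credential prompt on manual download) both avoid leaving an Active Directory password in a file that is pushed to, and cached on, every client.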

Computer certificate

Additional requirements

  • OS X Server with Profile Manager service enabled for Device Management and bound to Active Directory

Supported Active Directory Certificate profile combinations

  • Computer/machine certificate only, automatically delivered to clients using OS X Mountain Lion or later
  • Certificate integrated into Network profile for EAP-TLS 802.1x authentication
  • Certificate integrated into VPN profile for machine-based certificate authentication
  • Certificate integrated into both Network/EAP-TLS and VPN profiles

Profile Manager payload deployment

  1. Bind the Mountain Lion or later client to Active Directory. This bind can occur using a profile, the GUI on the client, or the CLI on the client.
  2. Install the issuing CA certificate (and its root, if the issuing CA is subordinate) on the client to ensure that it has a complete trust chain. This installation can also be done using a profile.
  3. Determine whether the Active Directory Certificate profile will be delivered using Automatic Push or Manual Download for the device or device group profile.
  4. (Optional) If automatic push is the chosen method for profile delivery, enroll the client using OS X Server’s Profile Manager Device Management.
  5. Define the Active Directory Certificate payload for an enrolled device or a device group. See above for payload field descriptions.
  6. (Optional) Define a network payload for wired or wireless TLS for the same device or device group profile. Select the configured Active Directory Certificate payload as the credential. The payload can be defined for either Wi-Fi or Ethernet.
  7. (Optional) Define an IPSec (Cisco) VPN payload for the same device or device group profile, and select the configured Active Directory Certificate payload as the credential.
    • Certificate-based machine authentication is only supported for IPSec (Cisco) VPN tunnels; other VPN types require different authentication methods.
    • The account name field can be populated with a placeholder string.
  8. Save the profile. Automatic push: the profile deploys to the enrolled computer over the network. The Active Directory Certificate payload uses the computer’s Active Directory credentials to authenticate the request and populate the certificate signing request (CSR).
  9. (If manual download) Connect to the Profile Manager’s user portal from the client.
  10. (If manual download) Install the available device or device group profile.
  11. Verify that the new private key and certificate now reside in the System keychain on the client. A computer certificate is requested with the computer account, so it lands in the System keychain, not in any user’s login keychain. If no certificate appears, check that the template is published on the CA and that the computer account has Enroll permission on it.

A device profile combining Certificate, Directory, Active Directory Certificate, Network (TLS), and VPN payloads can be deployed. The client processes the payloads in dependency order, so that the CA trust and the directory binding are in place before the certificate is requested, and the certificate exists before the Network and VPN payloads that reference it are applied.

User certificate

Additional requirements

  • OS X Server with Profile Manager service enabled for Device Management and bound to Active Directory
  • An Active Directory account with access to the Profile Management service

Supported Active Directory Certificate profile combinations

  • User certificate only, automatically delivered to clients using OS X Mountain Lion or later
  • Certificate integrated into Network profile for EAP-TLS 802.1x authentication

Profile Manager payload deployment

  1. Bind the client to Active Directory. This bind can occur via a profile, the GUI on the client, or the CLI on the client.
  2. Enable Active Directory mobile account creation on the client per your environment's policy. This feature can be enabled using a profile (Mobility), the GUI on the client, or the command line on the client, like the following:

    sudo dsconfigad -mobile enable

  3. Install the issuing CA certificate (and its root, if the issuing CA is subordinate) on the client to ensure that it has a complete trust chain. This installation can occur using a profile.
  4. Determine whether the Active Directory Certificate profile will be delivered via Automatic Push or Manual Download for the Active Directory user or a user group profile. The user or group must be granted access to the Profile Manager service.
  5. (Optional) If automatic push is the chosen method for profile delivery, enroll the client using OS X Server’s Profile Manager Device Management. When enrolling, make sure to associate the client computer with the Active Directory user mentioned above.
  6. Define the Active Directory Certificate payload for the same Active Directory user or group profile. See above for payload field descriptions.
  7. (Optional) Define a network payload for wired or wireless TLS for the same Active Directory user or group profile, and select the configured Active Directory Certificate payload as the credential. The payload can be defined for either Wi-Fi or Ethernet.
  8. Log in to the client as the Active Directory user account with access to the Profile Manager service. Automatic push: logging in on the client computer as that Active Directory user obtains the necessary Kerberos Ticket Granting Ticket (TGT). The TGT authenticates the DCE/RPC request, so the certificate is issued to that user’s Active Directory identity without any password being stored in the profile.
  9. (If manual download) Connect to the Profile Manager’s user portal.
  10. (If manual download) Install the available user or group profile.
  11. (If manual download) Supply the username and password if prompted.
  12. Launch Keychain Access and verify that the login keychain now contains a private key and a user certificate issued by the Microsoft CA in your environment. If no certificate appears, check that the template is published on the CA and that the user account has Enroll permission on it.

A user profile combining Certificate, Active Directory Certificate, and Network (TLS) payloads can be deployed. Clients using OS X Mountain Lion or later process the payloads in dependency order, so that the CA trust is installed before the certificate is requested and the certificate exists before the Network payload that references it is applied.
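Both the device profile described after the computer steps and the user profile described above combine a trust certificate, the Active Directory Certificate request and a Network (TLS) payload that consumes the resulting identity. The Python below, added here as an example rather than code from Apple or Profile Manager, assembles such a device profile for EAP-TLS Wi-Fi and checks that each certificate reference (the identity used for EAP-TLS and the trust anchor for the RADIUS server) resolves to a payload of the right type inside the same profile, which is what the client relies on when it processes the payloads in order. Payload types and keys follow Apple’s Configuration Profile Reference; the SSID, CA name, server name, payload identifiers and the five-byte stand-in for the CA’s DER certificate are constructed placeholders.

```python
import plistlib
import uuid

# Payload types and keys follow Apple's Configuration Profile Reference;
# SSID, server, CA and identifier values are constructed placeholders.
CREDENTIAL_TYPES = {"com.apple.adcertificate.managed", "com.apple.security.pkcs12"}
TRUST_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
               "com.apple.security.pem"}


def base_payload(payload_type, identifier, display_name):
    """Keys every payload (and the profile itself) carries."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": display_name}


def ca_trust_payload(der_bytes, ca_name):
    """Certificate payload installing the issuing CA so the chain is complete."""
    p = base_payload("com.apple.security.root", "com.example.trust.ca", ca_name)
    p["PayloadContent"] = der_bytes                 # DER-encoded CA certificate
    p["PayloadCertificateFileName"] = ca_name + ".cer"
    return p


def ad_certificate_payload(cert_server, ca_name, template):
    """Active Directory Certificate payload requesting a certificate over DCE/RPC."""
    p = base_payload("com.apple.adcertificate.managed", "com.example.adcert",
                     "Active Directory Certificate")
    p.update({"CertServer": cert_server, "CertificateAuthority": ca_name,
              "CertTemplate": template, "CertificateAcquisitionMechanism": "RPC",
              "Description": "%s certificate from %s" % (template, ca_name)})
    return p


def wifi_eap_tls_payload(ssid, identity_uuid, anchor_uuids):
    """Wi-Fi payload authenticating with EAP-TLS using the referenced identity."""
    p = base_payload("com.apple.wifi.managed", "com.example.wifi", ssid)
    p.update({
        "SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA2",
        "PayloadCertificateUUID": identity_uuid,    # the AD Certificate payload
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                 # 13 = EAP-TLS
            # Pin the RADIUS server's chain to the CA installed by this profile.
            "PayloadCertificateAnchorUUID": list(anchor_uuids),
        },
    })
    return p


def build_device_profile(ca_der, cert_server, ca_name, ssid):
    """Trust certificate, then the AD certificate request, then the Wi-Fi
    payload that consumes it: the order in which each dependency is met."""
    trust = ca_trust_payload(ca_der, ca_name)
    ident = ad_certificate_payload(cert_server, ca_name, "Machine")
    wifi = wifi_eap_tls_payload(ssid, ident["PayloadUUID"], [trust["PayloadUUID"]])
    profile = base_payload("Configuration", "com.example.device.adcert",
                           "AD machine certificate and EAP-TLS Wi-Fi")
    profile["PayloadScope"] = "System"              # device profile: System keychain
    profile["PayloadContent"] = [trust, ident, wifi]
    return profile


def validate_references(profile):
    """Return a list of problems; empty means every certificate reference
    resolves to a payload of the right kind inside this same profile."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for p in profile["PayloadContent"]:
        ref = p.get("PayloadCertificateUUID")
        if ref is not None:
            target = by_uuid.get(ref)
            if target is None:
                problems.append("%s: identity %s is not in this profile"
                                % (p["PayloadIdentifier"], ref))
            elif target["PayloadType"] not in CREDENTIAL_TYPES:
                problems.append("%s: identity %s is a %s, not a credential payload"
                                % (p["PayloadIdentifier"], ref, target["PayloadType"]))
        eap = p.get("EAPClientConfiguration", {})
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            target = by_uuid.get(anchor)
            if target is None or target["PayloadType"] not in TRUST_TYPES:
                problems.append("%s: trust anchor %s is not a certificate payload here"
                                % (p["PayloadIdentifier"], anchor))
    return problems


def to_plist(profile):
    """Serialize to a .mobileconfig (XML plist) after checking references."""
    problems = validate_references(profile)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(profile)


if __name__ == "__main__":
    fake_der = b"\x30\x03\x02\x01\x01"   # placeholder; embed the real CA DER here
    prof = build_device_profile(fake_der, "ca01.corp.example.com",
                                "CORP-ISSUING-CA", "CorpWiFi")
    print(to_plist(prof).decode())
```

The anchor check matters as much as the identity check: without PayloadCertificateAnchorUUID pinned to the CA payload, the client will accept any RADIUS server certificate the user is willing to trust at join time, which turns a machine-authenticated network into one that can be coaxed onto a rogue access point.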
