How to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate profile payload
Summary
Learn how to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate profile payload.
Products Affected
OS X Server (Mountain Lion)
OS X Lion introduced the ability to acquire a certificate from a Microsoft Certificate Authority via the com.apple.adcertificate.managed profile payload. Mountain Lion transitions to the use of the DCE/RPC protocol. DCE/RPC bypasses the need for a web-enabled Certificate Authority (CA). It also offers more flexibility for choosing the certificate template to use for issuance. Mountain Lion offers full support for Active Directory Certificate in the web UI of Profile Manager. Active Directory Certificate profiles for computers or users can be deployed to Mountain Lion client devices via either automatic push or manual download.
Note: This article is valid for use with OS X Server with Mountain Lion clients only. See article HT4784 for information about OS X Lion clients.
Network and system requirements
- A valid Active Directory (AD) domain
- A working Microsoft Active Directory Certificate Services CA
- An OS X Mountain Lion client system bound to Active Directory
Profile deployment
OS X Lion and OS X Mountain Lion support configuration profiles. Many system and account settings can be defined with profiles. Various methods exist for delivering profiles to OS X clients. Mountain Lion Server’s Profile Manager will serve as the primary example for profile delivery in this article. Other methods as simple as double-clicking on a .mobileconfig file in the Finder or as complex as a third-party MDM server can also be used to install profiles on a Mountain Lion client.
Payload details
The Profile Manager interface for defining an Active Directory Certificate payload contains the following fields.

- Description: Supply a brief description of the profile payload.
- Certificate Server: Supply the fully qualified host name of your CA. Do not preface the hostname with ‘http://’.
- Certificate Authority: Supply the ‘short name’ of your CA. This value is the CN of the CA’s entry in Active Directory: CN=<your CA name>, CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, <your base DN>
- Certificate Template: Supply the desired certificate template in your environment. The default user certificate value is ‘User’. The default computer certificate value is ‘Machine’.
- Prompt for credentials: Disregard this option for computer certificates. For user certificates, this setting only applies if Manual Download is the chosen method of profile delivery. The user will then be prompted for credentials when the profile is installed.
- Username: Disregard this field for computer certificates. For user certificates, if desired, supply an Active Directory username as the basis for the requested certificate.
- Password: Disregard this field for computer certificates. For user certificates, if desired, supply the password associated with the Active Directory username supplied.
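The fields above map onto keys of a com.apple.adcertificate.managed payload in a .mobileconfig file. The following script, added here as an example and not taken from the Apple article, builds such a payload with the standard library’s plistlib and applies the two checks the field descriptions call for: the CA short name is taken from the first CN of the Active Directory entry, and the Certificate Server value is rejected if it carries a URL scheme. The key names (CertServer, CertificateAuthority, CertTemplate, CertificateAcquisitionMechanism, PromptForCredentials, UserName, Password) follow Apple’s Configuration Profile Reference as I know it and should be confirmed against the reference for your OS X Server release; host names, CA names and identifiers are constructed.

```python
"""Build and sanity-check an Active Directory Certificate payload.

Added example, not code from the Apple article. Payload key names follow
Apple's Configuration Profile Reference for com.apple.adcertificate.managed
(assumption: verify against the reference for your release). All host names,
CA names and identifiers below are constructed.
"""
import plistlib
import re
import uuid

AD_CERT_PAYLOAD_TYPE = "com.apple.adcertificate.managed"


def ca_short_name_from_dn(dn: str) -> str:
    """Take the CA 'short name' from the AD entry the article cites:
    CN=<your CA name>, CN=Certification Authorities, CN=Public Key Services, ..."""
    first_rdn = dn.split(",", 1)[0].strip()
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().upper() != "CN" or not value.strip():
        raise ValueError(f"expected a DN beginning with CN=<CA name>, got {dn!r}")
    return value.strip()


def validate_cert_server(host: str) -> str:
    """The article requires a bare fully qualified host name with no 'http://'."""
    host = host.strip()
    if re.match(r"^[a-z][a-z0-9+.-]*://", host, re.IGNORECASE):
        raise ValueError("Certificate Server must not be prefixed with a URL scheme")
    if "/" in host or "." not in host.strip("."):
        raise ValueError("Certificate Server must be a fully qualified host name")
    return host.lower()


def ad_certificate_payload(cert_server, ca_dn, template="Machine", description="",
                           prompt_for_credentials=False, username=None, password=None):
    """Return one payload dict. 'Machine' is the default computer template and
    'User' the default user template, as the article states."""
    payload = {
        "PayloadType": AD_CERT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.adcert.{template.lower()}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory Certificate",
        "Description": description,
        "CertServer": validate_cert_server(cert_server),
        "CertificateAuthority": ca_short_name_from_dn(ca_dn),
        "CertTemplate": template,
        # Mountain Lion requests over DCE/RPC instead of a web-enabled CA.
        "CertificateAcquisitionMechanism": "RPC",
        "PromptForCredentials": bool(prompt_for_credentials),
    }
    # Username/Password only apply to user certificates; the article says to
    # disregard them for computer certificates, so they are written only if given.
    if username:
        payload["UserName"] = username
    if password:
        payload["Password"] = password
    return payload


def build_profile(payloads, identifier, display_name) -> bytes:
    """Wrap payloads in a top-level Configuration profile as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> dict:
    """Round-trip helper so a caller can inspect what was written."""
    return plistlib.loads(data)


if __name__ == "__main__":
    dn = ("CN=CORP-CA, CN=Certification Authorities, CN=Public Key Services, "
          "CN=Services, CN=Configuration, DC=corp, DC=example")  # constructed
    machine = ad_certificate_payload("ca.corp.example", dn, template="Machine",
                                     description="Computer certificate via DCE/RPC")
    with open("adcert-machine.mobileconfig", "wb") as fh:
        fh.write(build_profile([machine], "com.example.profile.adcert",
                               "AD Certificate (Machine)"))
```

One consequence worth keeping in mind when filling the Password field: it is written into the profile as a plaintext string, so a manually downloaded .mobileconfig carries the Active Directory password with it. For manual download the Prompt for credentials option avoids that, and for automatic push the article’s user-certificate flow relies on the logged-in user’s Kerberos TGT rather than a stored password.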
Computer certificate
Additional requirements
- OS X Server with Profile Manager service enabled for Device Management and bound to Active Directory
Supported Active Directory Certificate profile combinations
- Computer/machine certificate only, automatically delivered to Mountain Lion client
- Certificate integrated into Network profile for EAP-TLS 802.1x authentication
- Certificate integrated into VPN profile for machine-based certificate authentication
- Certificate integrated into both Network/EAP-TLS and VPN profiles
Profile Manager payload deployment
- Bind the Mountain Lion client to Active Directory. This bind can occur via profile, GUI on client, or CLI on client.
- Install the issuing CA or other CA certificate on the Mountain Lion client to ensure that the client has a complete trust chain. This installation can also occur via profile.
- Determine whether the Active Directory Certificate profile will be delivered via Automatic Push or Manual Download for the device or device group profile.
- (Optional) If automatic push is the chosen method for profile delivery, enroll the Mountain Lion client with Mountain Lion Server’s Profile Manager Device Management.
- Define the Active Directory Certificate payload for an enrolled device or a device group. See above for payload field descriptions.
- (Optional) Define a network payload for wired or wireless TLS for the same device or device group profile - select the configured Active Directory Certificate payload as the credential.
  - The payload can be defined for either Wi-Fi or Ethernet.
- (Optional) Define an IPSec (Cisco) VPN profile via device or device group - select the configured Active Directory Certificate payload as the credential.
  - Certificate-based machine authentication is only supported for IPSec (Cisco) VPN tunnels; other VPN types require different authentication methods.
  - The account name field can be populated with a placeholder string.
- Save the profile. Automatic push: The profile will deploy to the enrolled computer over the network. Active Directory Certificate will utilize the computer’s Active Directory credentials to populate the certificate signing request (CSR).
- (If manual download) Connect to the Profile Manager’s user portal from the Mountain Lion client.
- (If manual download) Install the available device or device group profile.
- Verify that the new private key and certificate now reside in the System keychain on the Mountain Lion client.
Note: A device profile combining Certificate, Directory, Active Directory Certificate, Network (TLS), and VPN payloads can be deployed. The Mountain Lion client will process the payloads in the proper order to ensure that each payload action occurs successfully.
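Because the Network (TLS) and VPN payloads refer to the Active Directory Certificate payload by UUID, and because the client needs the CA certificate in place for a complete trust chain, a combined device profile is worth checking before it is pushed. The script below is an added example, not Apple’s code: it loads a constructed profile with plistlib and reports dangling certificate references, references that point at a payload which supplies no identity, a missing CA certificate payload, and an Active Directory Certificate payload not set to the DCE/RPC mechanism. The payload type strings and the placement of PayloadCertificateUUID follow Apple’s Configuration Profile Reference as I recall it and are assumptions to verify; the checker walks each payload recursively, so it does not depend on where the key sits.

```python
"""Pre-deployment lint for a combined device profile (CA certificate +
Active Directory Certificate + Network/EAP-TLS + VPN payloads).
Added example, not Apple's code; the sample profile and all UUIDs are
constructed, and payload type strings are assumptions from Apple's reference."""
import plistlib

AD_CERT_TYPE = "com.apple.adcertificate.managed"
IDENTITY_TYPES = {AD_CERT_TYPE, "com.apple.security.pkcs12"}
TRUST_ANCHOR_TYPES = {"com.apple.security.root", "com.apple.security.pem"}
AD_UUID = "11111111-1111-1111-1111-111111111111"  # constructed


def sample_profile(cert_ref: str) -> bytes:
    """Constructed profile; cert_ref is what the Wi-Fi and VPN payloads point at."""
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.device.combined</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <!-- placeholder bytes, not a real CA certificate -->
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>{AD_CERT_TYPE}</string>
      <key>PayloadUUID</key><string>{AD_UUID}</string>
      <key>CertServer</key><string>ca.corp.example</string>
      <key>CertificateAuthority</key><string>CORP-CA</string>
      <key>CertTemplate</key><string>Machine</string>
      <key>CertificateAcquisitionMechanism</key><string>RPC</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>EncryptionType</key><string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict><key>AcceptEAPTypes</key><array><integer>13</integer></array></dict>
      <key>PayloadCertificateUUID</key><string>{cert_ref}</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key><string>44444444-4444-4444-4444-444444444444</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>PayloadCertificateUUID</key><string>{cert_ref}</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""
    return xml.encode("utf-8")


def _cert_refs(node, found):
    """Collect every PayloadCertificateUUID nested anywhere inside a payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "PayloadCertificateUUID" and isinstance(value, str):
                found.append(value)
            else:
                _cert_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            _cert_refs(item, found)
    return found


def lint_profile(profile_bytes: bytes) -> list:
    """Return human-readable findings; an empty list means the profile is consistent."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    types = {p.get("PayloadType") for p in payloads}
    findings = []
    if AD_CERT_TYPE in types and not types & TRUST_ANCHOR_TYPES:
        findings.append("Active Directory Certificate payload without a CA certificate "
                        "payload: the client may not have a complete trust chain")
    for p in payloads:
        ptype = p.get("PayloadType")
        if ptype == AD_CERT_TYPE and p.get("CertificateAcquisitionMechanism") != "RPC":
            findings.append(f"{ptype}: acquisition mechanism is not RPC (DCE/RPC)")
        for ref in _cert_refs(p, []):
            target = by_uuid.get(ref)
            if target is None:
                findings.append(f"{ptype}: unknown PayloadCertificateUUID {ref}")
            elif target.get("PayloadType") not in IDENTITY_TYPES:
                findings.append(f"{ptype}: PayloadCertificateUUID {ref} points at "
                                f"{target.get('PayloadType')}, which supplies no identity")
    return findings


if __name__ == "__main__":
    for line in lint_profile(sample_profile(AD_UUID)) or ["profile is consistent"]:
        print(line)
```

Run it against a real exported .mobileconfig by passing the file’s bytes to lint_profile; the sample_profile function exists only to give the checker something to exercise offline.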
User certificate
Additional requirements
- OS X Server with Profile Manager service enabled for Device Management and bound to Active Directory
- An Active Directory account with access to the Profile Management service
Supported Active Directory Certificate profile combinations
- User certificate only, automatically delivered to Mountain Lion client
- Certificate integrated into Network profile for EAP-TLS 802.1x authentication
Profile Manager payload deployment
- Bind the Mountain Lion client to Active Directory. This bind can occur via profile, GUI on client, or CLI on client.
- Enable Active Directory mobile account creation on the Mountain Lion client per your environment's policy. This feature can be enabled via profile (Mobility), GUI on the client, or the command line on the client, such as:
  sudo dsconfigad -mobile enable
- Install the issuing CA or other CA certificate on the Mountain Lion client to ensure that the client has a complete trust chain. This installation can occur via profile.
- Determine whether the Active Directory Certificate profile will be delivered via Automatic Push or Manual Download for the Active Directory user or a user group profile. The user or group must be granted access to the Profile Manager service.
- (Optional) If automatic push is the chosen method for profile delivery, enroll the Mountain Lion client with Mountain Lion Server’s Profile Manager Device Management. When enrolling, make sure to associate the client computer with the Active Directory user mentioned above.
- Define the Active Directory Certificate payload for the same Active Directory user or group profile. See above for payload field descriptions.
- (Optional) Define a network payload for wired or wireless TLS for the same Active Directory user or group profile - select the configured Active Directory Certificate payload as the credential.
  - The payload can be defined for either Wi-Fi or Ethernet.
- Log in to the Mountain Lion client as the Active Directory user account with access to the Profile Manager service. Automatic push: Login on the client computer by the Active Directory user account will obtain the necessary Kerberos Ticket Granting Ticket (TGT). The TGT will serve as the identity template for the requested user certificate.
- (If manual download) Connect to the Profile Manager’s user portal.
- (If manual download) Install the available user or group profile.
- (If manual download) Supply the username or password if prompted.
- Launch Keychain Access and verify that the login keychain now contains a private key and user certificate issued by the Microsoft CA in your environment.
Note: A user profile combining Certificate, Active Directory Certificate, and Network (TLS) can be deployed. The Mountain Lion client will process the payloads in the proper order to ensure that each payload action occurs successfully.