Adding a self-signed Casper Root CA as a trusted root
Since Elliot Jordan’s presentation at JAMF Nation User Conference 2014, I’ve started using AutoPkgr in combination with Shea Craig’s JSSImporter to automatically package and upload a number of software packages to my Casper servers.
Having AutoPkgr handle this task has been great, but I’ve had to do some additional work to make sure that JSSImporter was OK with Casper using SSL certificates issued by its own internal certificate authority instead of by a third-party external certificate authority like Verisign. On top of that, the urllib3 library used by JSSImporter added a new warning that is triggered by HTTPS requests that use an certificate that can’t be validated. Since the Casper server was signing its own certificates using its own internal certificate authority, this warning was being triggered on every AutoPkg recipes’ run, which sometimes resulted in interesting emails like the one below.
I could have installed the Casper agent on the VM that I was using to host AutoPkgr, which would have installed the root certificate for the Casper server’s internal certificate authority. However, I didn’t necessarily want to have Casper manage the VM as that would have consumed one of my available Casper licenses on a machine that didn’t need management.
However, I did want to get the root certificate for the Casper server’s internal certificate authority installed on the VM. That would allow the Casper server’s SSL certificate to be recognized as a validated certificate and fix the issues I was having with not having a validated certificate.
For details on how I fixed this, see below the jump.
If you’re using a Casper JSS’s built-in certificate authority, here’s how to download and install the built-in CA’s root certificate on your Macs.
1. Log into your Casper server.
2. Go to Management Settings
3. Select Global Management
4. In the Global Management settings, select PKI
5. In the PKI settings, click on the Download CA Certificate button.
This will download a copy of the built-in CA’s root certificate as a .pem file
Once you have the .pem file downloaded, you can import it into the System keychain using the command line or via Keychain Access.
Adding a trusted root via Keychain Access
1. Log into the Mac using an account that has admin privileges
2. Verify that you have the downloaded .pem file available
3. Open Keychain Access
4. Select the System keychain in Keychain Access.
5. Double-click on the .pem file
6. In the Add Certificates window that appears next, verify that the selected keychain is System and then click the Add button.
7. Authenticate when prompted to modify the System keychain.
8. When prompted, click the Always Trust button.
9. Authenticate when prompted to modify the System Certificate Trust Settings.
10. Verify that the imported root certificate is now showing up as trusted for all users.
Once the root certificate has been installed and set to be trusted, the Casper server’s certificate should be recognized by AutoPkgr and the urllib3 library as a validated SSL certificate.