Home > AutoPkg, Casper, JSS, Mac administration, Mac OS X > Adding a self-signed Casper Root CA as a trusted root

Adding a self-signed Casper Root CA as a trusted root

Since Elliot Jordan’s presentation at JAMF Nation User Conference 2014, I’ve started using AutoPkgr in combination with Shea Craig’s JSSImporter to automatically package and upload a number of software packages to my Casper servers.

Having AutoPkgr handle this task has been great, but I’ve had to do some additional work to make sure that JSSImporter was OK with Casper using SSL certificates issued by its own internal certificate authority instead of by a third-party external certificate authority like Verisign. On top of that, the urllib3 library used by JSSImporter added a new warning that is triggered by HTTPS requests that use an certificate that can’t be validated. Since the Casper server was signing its own certificates using its own internal certificate authority, this warning was being triggered on every AutoPkg recipes’ run, which sometimes resulted in interesting emails like the one below.

Screen Shot 2014-12-24 at 9.26.24 AM

I could have installed the Casper agent on the VM that I was using to host AutoPkgr, which would have installed the root certificate for the Casper server’s internal certificate authority. However, I didn’t necessarily want to have Casper manage the VM as that would have consumed one of my available Casper licenses on a machine that didn’t need management.

However, I did want to get the root certificate for the Casper server’s internal certificate authority installed on the VM. That would allow the Casper server’s SSL certificate to be recognized as a validated certificate and fix the issues I was having with not having a validated certificate.

For details on how I fixed this, see below the jump.

If you’re using a Casper JSS’s built-in certificate authority, here’s how to download and install the built-in CA’s root certificate on your Macs.

1. Log into your Casper server.

2. Go to Management Settings

Screen Shot 2014-12-23 at 8.22.29 AM

3. Select Global Management

4. In the Global Management settings, select PKI

Screen Shot 2014-12-23 at 8.23.23 AM

5. In the PKI settings, click on the Download CA Certificate button.

Screen Shot 2014-12-23 at 8.24.18 AM

This will download a copy of the built-in CA’s root certificate as a .pem file

Screen Shot 2014-12-23 at 8.32.11 AM

Once you have the .pem file downloaded, you can import it into the System keychain using the command line or via Keychain Access.

Adding a trusted root via Keychain Access

1. Log into the Mac using an account that has admin privileges

2. Verify that you have the downloaded .pem file available

3. Open Keychain Access

Screen Shot 2014-12-24 at 9.55.24 AM

4. Select the System keychain in Keychain Access.

Screen Shot 2014-12-24 at 9.55.33 AM

5. Double-click on the .pem file

6. In the Add Certificates window that appears next, verify that the selected keychain is System and then click the Add button.

Screen Shot 2014-12-23 at 8.33.00 AM

7. Authenticate when prompted to modify the System keychain.

Screen Shot 2014-12-23 at 8.33.20 AM

8. When prompted, click the Always Trust button.

Screen Shot 2014-12-23 at 8.33.31 AM

9. Authenticate when prompted to modify the System Certificate Trust Settings.

Screen Shot 2014-12-23 at 8.34.29 AM

10. Verify that the imported root certificate is now showing up as trusted for all users.

Screen Shot 2014-12-23 at 8.35.12 AM

Once the root certificate has been installed and set to be trusted, the Casper server’s certificate should be recognized by AutoPkgr and the urllib3 library as a validated SSL certificate.

  1. January 3, 2015 at 2:53 am

    Hey Rich, just a heads up, I added a preference key to squelch the Urllib3 warnings!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: