Certificate Requests in Lion

While in Snow Leopard you may have had to script your way to fame and money to get your Mac to obtain a certificate from a Microsoft CA, in Lion it's mostly done for you.

Take a look at this support document for the gory details on using a profile to get your Mac to request a certificate. 

Note that you can do all of this by hand, or by script, in XML and then distribute through whatever means you want to your Lion systems.


  • So has anyone gotten this to work with 10.7.1 or 10.7.2?

    • It’s Christmas in September!

    • I’d start by checking the logs on your Windows CA for any cert generation errors. However if you can’t use the machine account to login to the web CA via Safari, then you probably have other issues you’re going to need to overcome before this works.

      • Agreed, but I would expect to see the machine’s ticket in Ticket Viewer as I could in Snow Leopard. I had all this nicely automated with a script (with help from an article on this site) for SL using the same cert servers. This no longer works in Lion anyway since the necessary networksetup command switches became ‘unsupported’.

        I didn’t see any certificate related errors on the server but wouldn’t expect to if the machine isn’t presenting a valid ticket. My hunch is that the move from MIT to Heimdal has had some effect on this process, and some as yet undocumented manual fix is needed to make it work again.
        Does anyone else see a machine ticket in Ticket Viewer after submitting the kinit command?

  • So have security concerns regarding the private key been addressed in Mac OS X Lion, as well?

    I echo the issue about exporting the private key raised on the original article for Snow Leopard, as it affects me at my current organization, as well. The direct link to the relevant comment is:

    • If you do this manually via a script you can import the key with "security import -x" which will prevent the private key from being exported. This applies to Snow as well.
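As an added example (not code from the post or the commenter above), the following script builds a throwaway identity with openssl, imports it into a scratch keychain with "security import -x", and then checks that the private key really cannot be exported again. It assumes openssl is on PATH and a disposable keychain; the keychain steps only run where the macOS security tool exists and are reported as "skipped" elsewhere.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates the "-x" import and
# the follow-up check a practitioner should make: try to export the key again.
# Assumes openssl on PATH; "security" exists only on macOS (skipped elsewhere).
set -eu

WORK=$(mktemp -d)
P12PASS='example-p12-pass'      # constructed throwaway passphrase
KCPASS='example-keychain-pass'  # constructed throwaway passphrase

# Build a self-signed identity and bundle it as PKCS#12 (runs anywhere).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=lion-example' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  # Legacy PBE/MAC algorithms so older macOS keychain tooling accepts the file.
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$P12PASS" -out "$WORK/identity.p12"
  [ -s "$WORK/identity.p12" ]
}

# Import with -x, then verify the key is non-exportable. Prints
# "nonexportable" (good), "EXPORTABLE" (the key can still leave the keychain),
# or "skipped" when the macOS security tool is not available.
check_nonexportable_import() {
  if ! command -v security >/dev/null 2>&1; then
    echo skipped; return 0
  fi
  kc="$WORK/test.keychain"
  security create-keychain -p "$KCPASS" "$kc"
  security unlock-keychain -p "$KCPASS" "$kc"
  security import "$WORK/identity.p12" -k "$kc" -x -P "$P12PASS" >/dev/null
  # A PKCS#12 export needs the private key; with -x it must be refused.
  if security export -k "$kc" -t identities -f pkcs12 -P "$P12PASS" \
       -o "$WORK/leak.p12" >/dev/null 2>&1 && [ -s "$WORK/leak.p12" ]; then
    echo EXPORTABLE
  else
    echo nonexportable
  fi
  security delete-keychain "$kc" >/dev/null 2>&1 || true
}

make_identity
RESULT=$(check_nonexportable_import)
echo "private key import result: $RESULT"
```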

