Certificate Request is a macOS utility app to request and install X.509 certificates from Active Directory. This user guide explains how to use Certificate Request and how to acquire generated certificates to configure common services.

Requirements

Certificate Request requires macOS 10.12 or later and a network connection to an Active Directory system (Windows Server 2003 or later). You will need Active Directory credentials to authenticate and receive a kerberos ticket.

User Interface

The main interface of Certificate Request is divided into 2 sections: The submission information section and certificate storage info section.

The submission information section has all the information to submit the certificate request (called a certificate signing request, or CSR).

The Certificate Storage Info section defines where the private key is generated and where the signed certificate is stored after receiving it back from Active Directory.

Submission Information Section

When the Certificate Request utility is launched, it will check the credential cache and prompt the user for an Active Directory username and password if the user has not authenticated already. Once there are credentials in the kerberos credential store, Certificate Request will request and populate the Active Directory information in the Submission Information Section.

  1. Root Certificate. This is the certificate provided by the Active Directory Certificate Authority, and is used to validate any certificates issued by the Certificate Authority. It is automatically downloaded from Active Directory. To install the Root Certificate into the macOS keychain, click the Root Certificate button and select the option to trust the certificate. This will add the Root Certificate to the macOS keychain.
  2. Certificate Authority DNS name. This is the DNS name of the Active Directory Certificate Authority. All submissions will be sent to this server.
  3. Certificate Authority Name. This is the name defined in Active Directory for the Certificate Authority. It will be automatically discovered and populated from Active Directory.
  4. Template. This is the list of templates available on the Certificate Authority that can be used when requesting a certificate. Note that although all Certificate Authority templates available are shown, not all templates can be used. Template use depends on whether the template has been issued by the Certificate Authority and if your credentials allow you to use that template. More information on templates can be found here.
  5. Common Name. A certificate typically contains user specific information, such as an email address, and a common name is usually provided by the Certificate Authority. Note that Active Directory typically populates the common name from information about the user in Active Directory, and the common name specified here is not always used.

Certificate Storage Info section

macOS uses certificates to authenticate to services such as Mail, VPN, Wireless, and more, most typically in enterprise environments. Configurations on macOS typically use the certificates store in the user’s default login keychain. Some services can be configured to use certificates stored in a YubiKey hardware encryption device. The Certificate Storage Information specifies where to store the certificate and private key acquired by Certificate Request.

  1. Keychain. The certificate and private key requested will be stored in the user’s login keychain.
  2. YubiKey.  The certificate and private key requested will be stored in the YubiKey hardware device using specified slot and management key.
  3. Credentials. If the user has credentials in the kerberos cache (either by logging in at the login window or from another mechanism such as kinit), the principal names will be shown here. If there are multiple principals, select one from the popup menu to use for certificate submission.
  4. Request and Install Certificate button. Request and Install Certificate button. Click to generate a private key, submit the certificate request, and install the signed certificate.

Authentication Menu

Use the authentication menu to obtain and destroy credentials. When either the Obtain Credentials or the Destroy Credentials is selected, a login sheet will appear:

.

Keychain

When a certificate is installed by Certificate Request, it can be viewed by opening Keychain Access in the Utilities folder. Select the user’s keychain and My Certificates under Category as shown below.

YubiKey

To use the YubiKey with Certificate Request, it must be in CCID Mode. The CCID mode is changed in the YubiKey NEO Manager which can be downloaded from Yubico.  You can change the mode using the YubiKey NEO Manager as shown below:

Prior to submitting the certificate request in Certificate Request, prepare the YubiKey using the YubiKey PIV manager, which can be downloaded from yubico.com. Set a management password and do not set the option to use the PIN as a management key, or it will not work with Certificate Request.

When a certificate is installed, it can be viewed by downloading and viewing in the YubiKey PIV Manager as shown below:

Command Line Tool

Certificate Request also comes with a full featured command line tool as well. It is located inside the app bundle at :


/Applications/Certificate Request/Contents/Resources/tcscertrequest

Running the command line utility without any option will give instructions on how to use the tool:


MachPower:~ tperfitt$ /Applications/Certificate Request.app/Contents/Resources/tcscertrequest

tcscertrequest  -s <server dns name> -c <name of ca> -t <template name> [-r <csr path>] [-k <path_to_keychain>] [-y] [-m <yubikey_management_key] [-s <yubikey slot]

tcscertrequest is a command line tool to send a certificate request via RPCs to a Microsoft certificate authority.

Options:

-r <csr path>           Path to certificate signing request in binary (DER) format. Can use "openssl req -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr -subj '/CN=computername' -outform der" command to generate.

-g <Common Name>        Generate CSR with Common Name. Certificate will be generated with RSA 2048 bits SHA512

-n <label>              Label in keychain for imported identity

-s <server path>        CA Server DNS name.

-c <name of ca>         Name of the certificate authority.  This is not the server name but the name used in the Common Name of the issuing authority.

-k <path to keychain>   keychain to store certificate and private key. Stores in user keychain if not specified.

-y                      generate key in Yubikey.  Requires slot (-l) and management key (-m)

-l <Yubikey slot>       Specify yubikey slot. For example, 9a. Requires -y.

-m                      Yubikey management key. PIN not supported. Must use full management key. Requires -y.

-t <template name>      Name of the template to use when signing the certificate. Common template names include User or Machine.

-v                      Verbose output

For example:

/Applications/Certificate\ Request.app/Contents/Resources/tcscertrequest -s WIN-FGIVT3J3GI9.twocanoes.com -c "TCS CA" -t "User"

Configuring Services

Once Certificate Request has installed the certificate in the keychain or the YubiKey, the certificate can be used to configure services. Most apps have an option in preferences to select a certificate when configuring access to a Windows service. Simply select the generated certificate from the app or configuration for the service. This section shows common macOS services to configure.

Mail

When configuring mail, a certificate can be specified when configuring Advanced IMAP settings under Accounts for IMAP configuration. A sheet will appear to select the generated certificate.

A similar setting can be specified in Mail for Exchange settings under Advanced Exchange Settings:

Exchange in Outlook

Outlook for the Mac can be configured to use certificate based authentication, as shown below, when setting up an Exchange account:

VPN

Most VPN clients support either second factor authentication with certificates, or certificate based authentication. The VPN on macOS supports second factor authentication with certificates. To set up VPN, go to System Preferences and select Network. In the Network Pane, click the “+” button in the lower left corner, and set up as shown below:

When configuring the VPN service, select the installed certificate.

Getting a Machine Certificate

Some services on macOS require a Machine certificate from Active Directory. The kerberos credentials must be from a computer account in Active Directory, and the correct template must be selected, which is commonly a template called Machine. If the Mac is bound to Active Directory, getting a Machine certificate is easy. Open Directory Utility by searching in spotlight, and find out the computer ID:

Now that you have the Computer ID, you will need a kerberos ticket. To get a kerberos ticket as the shown computer, run the following command in terminal:

sudo kinit -k '<machinename>$'

For the example above, it would be:

sudo kinit -k 'machpower$'

Launch Certificate Request, and the machine credentials will be shown in the popup menu:

The certificate can then be requested and will be installed in the keychain:

Since machine certificates are used by macOS configurations (like WiFi) that are used by all users, the certificate is typically found in a location accessible to all users. Certificates and private keys stored in the System keychain are accessible by all users on the Mac. Therefore, to move the machine certificate to the System keychain so that it will be accessible by all users, drag the machine certificate to the System keychain and authenticate when asked.

Tags: