Simian and client certificates


John Lockwood

May 1, 2013, 10:09:22 AM
to simian-...@googlegroups.com
A Simian setup requires using SSL certificates, no surprise there (see http://code.google.com/p/simian/wiki/SimianAndCertificates). As per that document it would be perfectly possible to reuse an existing CA, even a self-signed root CA initially created either via Keychain Access or Server.app and then exported to the command-line openssl environment; however, where it looks a bit/lot messier is the process of creating and issuing client certificates.

I would like to use Apple's Profile Manager to generate and issue client certificates when a client is 'enrolled' into Profile Manager; for larger clients I would like to do the same using Casper's enrollment and certificate processes. At least in the case of Profile Manager this will result in certificates being installed into the client Mac's keychain. Therefore it would be desirable for Simian to be able to work with existing client certificates issued either via Profile Manager or Casper. Is this possible? If needed, is there a means of automating the conversion/copying of certificates to Simian's locations to get round this?

Allister Banks

May 1, 2013, 3:11:44 PM
to simian-...@googlegroups.com
Interesting idea. As you said, Simian expects the file system layout Puppet uses, not a database like the security framework/Keychain. You'd still have to script the export to someplace Simian can then expect to pick it up from; I'd think it unlikely that integration with Keychain is a valuable feature Simian wants to support. Alternately, any management framework that can be scripted to create specific payloads for clients can be utilized instead of a Keychain-based cert; I did a proof of concept with DeployStudio. Profile Manager leverages certs of course, but Casper can almost certainly be extended to add that functionality. PM only knows about things like login/logout scripts that old MCX had, and is probably a more brittle process. My several cents.

Allister   



John Randolph

May 1, 2013, 3:33:50 PM
to simian-...@googlegroups.com

The Keychain API won't let you copy the private keys out of the keychain, as far as I know, but maybe it will with a special permissions bit or something.

Simian uses Python ssl and thus OpenSSL, not Apple crypto APIs, so we can't use the credentials in the keychain by reference (the preferred Apple method).
--
John Randolph -- Google New York
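The export step both replies point at (script the identity out of the keychain to somewhere a file-based, OpenSSL-backed client can read it, in the Puppet-style layout), written out as an added example; this is not code from the thread or from Simian itself. It assumes the Puppet layout under /etc/puppet/ssl (certs/<fqdn>.pem, private_keys/<fqdn>.pem, certs/ca.pem), the System keychain as the source, a CA chain already on disk in PEM, and an identity whose private key the keychain ACL allows to be exported. Check Simian's client settings for the directory it actually reads.

```shell
#!/bin/sh
# Added example, not Simian's own code: export a client identity from a macOS keychain
# with `security`, split it into PEM with openssl, and install the pieces in the
# Puppet-style file layout the thread says Simian reads:
#   $SSLDIR/certs/<name>.pem, $SSLDIR/private_keys/<name>.pem, $SSLDIR/certs/ca.pem
# SSLDIR, KEYCHAIN and CA_PEM below are assumptions; adjust them per site.
set -eu

SSLDIR="${SSLDIR:-/etc/puppet/ssl}"   # assumed default location

# Path helpers for the Puppet layout.
cert_path() { printf '%s/certs/%s.pem' "$1" "$2"; }
key_path()  { printf '%s/private_keys/%s.pem' "$1" "$2"; }
ca_path()   { printf '%s/certs/ca.pem' "$1"; }

# Step 1: dump the identity (certificate + private key) from the keychain as PKCS#12.
# `security` only hands out the private key if the key's ACL permits export; a key
# created as non-extractable makes this step fail, which is the "permissions bit"
# question raised in the thread, and no script on the client side can work around it.
export_identity() {
  keychain=$1; p12=$2; pass=$3
  security export -k "$keychain" -t identities -f pkcs12 -P "$pass" -o "$p12"
}

# Step 2: split the PKCS#12 into the PEM files Python's ssl module (OpenSSL) loads.
split_p12() {
  p12=$1; pass=$2; cert=$3; key=$4
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$cert"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$key"
}

# Step 3: refuse to ship a cert whose key does not match it (guards against the wrong
# identity being exported when the keychain holds several). Compares public keys, so
# it works for RSA and EC alike.
keypair_matches() {
  cert=$1; key=$2
  c=$(openssl x509 -in "$cert" -noout -pubkey)
  k=$(openssl pkey -in "$key" -pubout)
  [ "$c" = "$k" ]
}

# Step 4: place cert, key and CA chain in the layout with sane permissions:
# certificates world-readable, the private key 0600 inside a 0700 directory.
install_layout() {
  ssldir=$1; name=$2; cert=$3; key=$4; ca=$5
  install -d -m 0755 "$ssldir/certs"
  install -d -m 0700 "$ssldir/private_keys"
  install -m 0644 "$cert" "$(cert_path "$ssldir" "$name")"
  install -m 0600 "$key"  "$(key_path "$ssldir" "$name")"
  install -m 0644 "$ca"   "$(ca_path "$ssldir")"
}

main() {
  name=$(hostname -f)                                        # Puppet names files by FQDN
  keychain=${KEYCHAIN:-/Library/Keychains/System.keychain}   # assumed source keychain
  ca=${CA_PEM:?set CA_PEM to the CA chain in PEM form}
  pass=$(head -c 24 /dev/urandom | base64)                   # throwaway PKCS#12 passphrase
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  export_identity "$keychain" "$tmp/id.p12" "$pass"
  split_p12 "$tmp/id.p12" "$pass" "$tmp/cert.pem" "$tmp/key.pem"
  keypair_matches "$tmp/cert.pem" "$tmp/key.pem" || { echo "cert/key mismatch" >&2; exit 1; }
  install_layout "$SSLDIR" "$name" "$tmp/cert.pem" "$tmp/key.pem" "$ca"
}

# Run the pipeline only when executed directly, not when sourced for testing.
if [ "${0##*/}" = "export_keychain_identity.sh" ]; then main "$@"; fi
```

Run it as root on the client after enrollment, with CA_PEM pointing at the chain Simian should trust. The decisive step is `security export`: if the management tool created the key non-extractable, the export fails and there is nothing to copy, which is exactly the limitation the thread is circling.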