mactls
mactls is a shell script that automatically requests and installs computer X.509 certificates from a Windows Enterprise CA. It also configures a WiFi SSID with an OSX 10.6 or 10.7 System Profile. Once the CA template and the variables in the script are configured, certificate and SSID installation becomes a one-step process - run the script as root, your PKI roots will be trusted, a certificate will be issued and installed, and a WiFi network with an EAP-TLS 802.1X System Profile will be created.
The script requires that the Mac be bound to Active Directory, and must be run as root.
Current status is experimental, but tested and operable with OSX 10.6 and 10.7. The current code revision may or may not be broken; please report any difficulties.
current known security deficiencies
- mactls-bind currently installs the private key without setting the non-extractable flag, so the certificate and its private key can be exported by an administrative user on the platform.
- mactls-bind makes no attempt to verify the identity of the CA server, so a third party could impersonate it. This is the main reason the script does not download the trust anchors/CA certificates from the CA server.
- mactls-bind does not sanitize input. Input includes (but is not limited to) the variables in the script header area, data received from the CA server, Active Directory configuration files, and output from OpenSSL.
- if the install directory already exists and contains a file with the root certificate's file name, that file will not be overwritten; the existing file will be installed as a trusted root instead.
- mactls-bind uses a static passphrase, stored in a human-readable variable in the script, for its key and mobileconfig files (the passphrase is no longer used for mobileconfig files as of v0.84, since the mobileconfig no longer contains keys).
- mactls-bind writes private keys to the filesystem. They are written to a root-owned directory with 700 permissions and removed with srm after installation; however, no controls against interference from another process are implemented. (Private keys are not written to the filesystem on OS X 10.7+ with mactls-bind v0.84+; keys are still written on OS X 10.6.)
- in the event of a failure while running the script, a tar file containing logs, certificates, and/or keys may be created.
- the HTML parsers are of poor quality and may not work in some circumstances.
security advantages
- You do not have to enable arbitrary client-supplied SANs. Certificate CNs and SANs are configured solely by the AD template. This on its own may outweigh all of the above combined.
- CA permissions do not need to be granted to the user installing the mac certificate.
getting started
- Download the mactls-bind script.
- Edit the required variables at the top of the script file. You MUST set the CERT_TEMPLATE, SSID, CA_URL, ROOT_CERT_HEX, and INTER1_CERT_HEX variables for the script to operate. You SHOULD set the mactls variables to something more reflective of your own organization. The certificate template on the certificate server MUST be set to have Active Directory generate the subject details.
- ROOT_CERT_HEX should contain the base64-encoded certificate of the root CA you are using, without the header, footer, or line breaks (i.e. just one long line of base64 data, nothing else).
- INTER1_CERT_HEX should contain the Active Directory Enterprise CA certificate. If it is the same as the root, you can remove the INTER1 sections from the code. The same format is required as for the root cert - nothing but base64.
- Ensure that the computer account in AD has permission to enroll for the relevant certificate template.
- Run the script as root, and answer y to continue when prompted.
- Report any failures to the author.
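As an added example (not part of mactls-bind), a small Python pre-flight check for the ROOT_CERT_HEX and INTER1_CERT_HEX values described above: it reduces a PEM file to the single-line form the script wants, confirms the value decodes to exactly one DER SEQUENCE, and lets you pin the anchor's SHA-256 fingerprint obtained out of band (for example from `openssl x509 -noout -fingerprint -sha256`). The function names and the sample blob are my own; the blob is a constructed DER fragment, not a real certificate.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

def pem_to_mactls_hex(pem_text: str) -> str:
    # Reduce a PEM certificate to the one base64 line ROOT_CERT_HEX / INTER1_CERT_HEX expect.
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def der_sequence_ok(der: bytes) -> bool:
    # True if the bytes form one DER SEQUENCE (tag 0x30) whose declared length covers the data.
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        declared, header = first, 2
    else:                                 # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + declared == len(der)

def check_cert_hex(value: str, expected_sha256: Optional[str] = None) -> dict:
    # Validate a *_CERT_HEX value; the fingerprint is SHA-256 over the DER bytes,
    # so it can be compared with a fingerprint obtained out of band (colons are ignored).
    result = {"ok": False, "reason": "", "fingerprint": None}
    if "-----" in value or re.search(r"\s", value):
        result["reason"] = "must be one line of base64: no header, footer or whitespace"
        return result
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        result["reason"] = "not valid base64"
        return result
    if not der_sequence_ok(der):
        result["reason"] = "decoded data is not a single well-formed DER SEQUENCE"
        return result
    result["fingerprint"] = hashlib.sha256(der).hexdigest()
    if expected_sha256 and result["fingerprint"] != expected_sha256.replace(":", "").lower():
        result["reason"] = "SHA-256 fingerprint does not match the pinned value"
        return result
    result["ok"] = True
    return result

# Constructed sample (not a real certificate): a 5-byte DER SEQUENCE wrapped as PEM.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

Run `check_cert_hex(pem_to_mactls_hex(open("root.pem").read()), "<pinned sha256>")` on the real root before pasting the value into the script; a `reason` other than an empty string means the variable is not safe to use as-is.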
assumptions
mactls-bind currently assumes you are using an EAP-TLS WiFi network with WPA2 encryption. It assumes a 2-tier CA setup (but can be edited to create a single tier). It is tested with OSX 10.6 and 10.7 and a Windows 2008R2 Enterprise CA. A CA running on 2008R2 Standard (or Windows 2003) may or may not work. You could try using the 'Computer' template for a Windows Server Standard CA.