× Welcome to the Centrify Community! We are rolling out product name changes — click here to learn more.

Re: Automating PKI certificates for 802.1x authentication in Mac systems

Automating PKI certificates for 802.1x authentication in Mac systems

By BLau on ‎12-05-2014 01:15 PM - last edited ‎12-21-2015 01:59 AM

In addition to all the AD integration and group policy goodies that Centrify User Suite for Mac offers, one of the additional benefits is the ability to auto-enroll PKI certificates from a Certification Authority on the domain


  • The same user / computer authentication certificates that are pushed out to Windows machines, can also be used with Mac systems for certificate-based authentication into supported environments such as 802.1x wifi or ethernet networks (Provided the certificate templates are configured properly).
  • Certificate management and renewal can all be handled from the same CAs and GPs as you would with regular Windows systems.

Cool eh!


So, how do we set such wizardry up? 
If you're running at least OS X 10.7 and joined with a license-enabled Centrify agent (minimum version 5.1.3), then it's as simple as configuring the requisite certificate template and pushing out the appropriate group policies. 
Note: This article assumes that you already have an 802.1x environment / suitable PKI infrastructure configured and working on the Windows side. 


  1. Go to your CA server and duplicate either a Workstation Authentication certificate or a User Authentication certificate (depending on the scope of authentication you're looking to use).

    Duplicating a Workstation Authentication Certificate

    Duplicating a User Certificate

  2. Give it a meaningful name and then configure the following properties for the corresponding cert type:
    • For Workstation Authentication Certs
      • Extensions tab:
        • Server Authentication
        • Client Authentication
      • Subject Name tab:
        • "Build this from AD information"
        • Subject name format: Common name
      • Security tab:
        • Allow Enroll & Autoenroll permissions for the appropriate AD computer groups (e.g. Domain Computers)
    • Certificate properties for Computer Certificate Tempate

    • For User Authentication Certs
      • Security tab:
        • Allow Enroll & Autoenroll permissions for the appropriate AD user groups (e.g. Domain Users)
      • (Optional) Subject Name tab:
        • Build from Active Directory information
        • Uncheck "Include email in subject name" and "Email name" checkboxes (Doing this removes the requirement for the AD user to need an email address).
    • Certificate properties for User Certificate Tempate

  3. Go into the Certification Authority section > [domain] > Right-click on Certificate Template > New > "Certificate Template to Issue" > Scroll to the newly created template and add it to the list.

    Issuing the Cert Template

  4. Enable the Group Policy for certificate autoenrollment:
    • Windows 2003
    • Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Autoenrollment Settings" 
    • Windows 2008
    • Computer Configuration / Windows Settings / Security Settings / Public Key Policies / "Certificate Services Client - Auto-Enrollment Settings" 
    • Auto-Enrollment GP options

       (Configure the renew and update options as needed.)
  5. Once the GPOs are saved and deployed, go to the Mac and pull down the certs immediately by opening the Terminal and running: 
    • sudo adflush
    • adgpupdate
  6. When the operation completes, look in Keychain Access and you should now see the certificates present in the appropriate location (depending on whether a user or workstation cert was pushed).

    User Certificate in Keychain Access
    Example of a User Certificate in Keychain Access

    • You can also go to the CA server and look in the Issued Certificates folder of the Certification Authority (certsrv.msc).



Now that the certificates are in the Keychain, they can be selected from whichever apps support certificate-based authentication.


If you have an existing 802.1x Ethernet or Wi-Fi environment, then the automation can be extended further with the use of the Centrify for Mac 802.1x Group Policies:


  • Computer Configuration / Centrify Settings / Mac OS X Settings / 802.1x Settings /


The GPs in this folder allows the System Administrator to pre-configure which certificates the target Mac systems will use for authentication into 802.1x networks. Once set up, the settings are deployed to the systems as configuration profiles which can be seen in the System Preferences > Profiles options.


Additional Reading:


Licensed customers of Centrify can also access the related KBs found in our Support Portal KB archive:

on ‎02-06-2017 09:03 AM

We have had trouble using this method with certificate Permissions. By default the certificate is added with "Confirm before allowing access" we have to go in and change the permissions on the certificate to allow its use by all for wireless to work.


This is under the access control settings of the Private Key. What process do you guys use to automate this?

By Centrify Advisor III
on ‎02-06-2017 01:38 PM

Hello @jerdill


Thank you for posting again in the Centrify Community. It looks like this ties into New Feature request listed here. I see that you also have a Support case opened, so we will continue the discussion there. 


Any other readers can follow the link to monitor the Feature Request as well. 


Thank you!!


I hope your day is going great!


Ryan V. 

Showing results for 
Search instead for 
Do you mean 

Community Control Panel