How to use a custom proxy certificate with your Mac deployment
Written by Arick Disilva
Updated over a month ago

This feature is currently available for On-Premise customers to enable. Cloud customers may contact support to enable it in their instance.

By default, the Mac Agent comes with its own proxy certificate named “Internet Widgits”.

However, you can use your own custom certificate and assign it whatever Common Name (CN) you want. To do so, follow the instructions below:

Endpoint Configuration

Step 1: Enable Network Monitoring for the Agent

Run the following command in the Terminal.

Stealth Agent

sudo "/usr/local/teramind/agent/bin/System Monitoring.app/Contents/MacOS/System Monitoring" network_permissions;sleep 1;sudo killall "System Monitoring"

Revealed Agent

sudo "/usr/local/teramind/agent/bin/Teramind Agent.app/Contents/MacOS/Teramind Agent" network_permissions;sleep 1;killall "Teramind Agent"

Step 2: Create a Certificate

Run the following commands in the Terminal:

openssl genrsa -out key.pem 2048
openssl req -x509 -new -nodes -key key.pem -sha256 -days 1826 -out mycert.crt

Step 3: Add the Certificate to macOS as Trusted

Run the following command in the Terminal:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <path_to_the_certificate>

Explanation:

| Option | Description |
| --- | --- |
| -d | Adds the certificate as trusted only for this device (by default, if not specified, it’s added as trusted for all users). |
| -r trustRoot | Designates the certificate as a root certificate. |
| -k /Library/Keychains/System.keychain | Specifies the keychain where the certificate will be added (in this case, the system keychain). |
| <path_to_the_certificate> | Replace this with the path to your certificate. For example, /Users/John/Documents/mycert.crt |

Alternative Method

1. Open Keychain Access.

2. Open the certificate.

3. Go to the Trust tab and select the Always Trust option from the When using the certificate field.

Notes for MDM Deployments

If you are using an MDM (Mobile Device Management) system for the deployment, it’s necessary to ensure that the certificate is included in the MDM and marked as trusted. This is important for the successful installation and operation of the application or service on devices managed by MDM.

You will need to follow these steps for an MDM deployment:

  1. Adding the certificate to MDM: The certificate should be uploaded to the MDM system. This is usually done in the security settings or certificate configuration section within the MDM interface.

  2. Marking the certificate as trusted: After adding the certificate, its status must be set as trusted. In MDM, this is often done through the trusted certificates or security policies setting. This configuration signals to the devices that the certificate is safe, preventing the blocking of features that depend on it.

  3. Verifying the certificate on devices: After deployment, the MDM should automatically distribute the certificate to all connected devices. It’s important to check on each device that the certificate is installed and marked as trusted to avoid security or compatibility issues.

Server Configuration

Step 1: Update the kv_store Table

Add the following fields in the kv_store table:

| Field | Value |
| --- | --- |
| ca_root.pkey_pass | Password (leave empty if not needed). |
| ca_root.pkey_data | Add the plaintext from the key.pem file you created in Step 2 of Endpoint Configuration above. |
| ca_root.cert_data | Add the plaintext from the mycert.crt file you created in Step 2 of Endpoint Configuration above. |

Step 2: Restart/Reboot the Server

Run the following command to restart the server:

sudo systemctl restart teramind

Or, you can execute a full reboot:

sudo reboot

Step 3: Verify the Certificate Activation

Open a web page and check the certificate to ensure it's being used.
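A pre-flight check for the CA pair from Step 2 of Endpoint Configuration, as an added example that is not Teramind's own tooling: it confirms that key.pem belongs to mycert.crt before either is pasted into kv_store, that the certificate is not close to expiry, and that the key file is not readable by other accounts (anyone holding this key can issue certificates the endpoints will trust). The function names are made up for this example; the file names are the ones used above.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are made up for illustration;
# key.pem and mycert.crt are the files created in Endpoint Configuration Step 2.

# 0 if the private key belongs to the certificate, 1 if not, 2 if unreadable.
ca_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate does not expire within the next $2 days.
ca_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if the key file is not readable by group or others.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# SHA-256 fingerprint, e.g. to compare with the entry shown in Keychain Access.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

check_proxy_ca() {
    cert=$1; key=$2
    ca_pair_matches "$cert" "$key" ||
        { echo "FAIL: $key is not the key for $cert" >&2; return 1; }
    ca_valid_for_days "$cert" 30 ||
        { echo "FAIL: $cert expires within 30 days" >&2; return 1; }
    key_is_private "$key" ||
        echo "WARN: $key is readable by group/others (chmod 600)" >&2
    openssl x509 -in "$cert" -noout -subject
    echo "SHA-256 fingerprint: $(ca_fingerprint "$cert")"
}

# Usage: sh check_ca.sh mycert.crt key.pem
if [ "$#" -eq 2 ]; then check_proxy_ca "$1" "$2"; fi
```

The printed fingerprint gives a fixed value to compare against the certificate installed in the System keychain on each endpoint.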
