Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
What does this solve?
In previous iterations of the Radius Cert Deployment scripts, if a cert type of
EmailSAN
orEmailDN
was selected and distributed to a macOS system, the step to assign a network SSID to the installed certificate would fail. The deployment script was erroneously attempting to identify a certificate by it's email identifier which is not a valid option for the Security Set-Identity-Preference command. This would result in the command results throwing an exit code 2, and an "illegal option --e" error:To address this, instead of identifying commands by their common name, or email (depending on the cert type), now all installed certificates will be identified by their SHA1 hash. When the macOS command attempts to assign a network SSID to the installed certificate, the certificate will be explicitly identified by its SHA1 hash.
Is there anything particularly tricky?
How should this be tested?
Validate the previous behavior, generate a set of user certs of type
EmailSAN
orEmailDN
and deploy to a macOS host. The commands should fail on theset-identity-preference
step.Pull the changes from this branch into your local project and attempt to distribute a set of
EmailSAN
orEmailDN
certs again. The certificate should be installed correctly and not throw any errors.Screenshots