Fermilab CA certificates - How to install certificates on a non-Fermi managed Mac
Intended for:
Users of non-Fermi owned/managed Macs who use applications, such as VPN, that requires Fermilab CA certificates.
Scenario/Use case:
Users may need to use an application, such as Cisco VPN, which requires Fermilab CA certificates on their non-Fermi owned and managed Mac. The following steps describe where to download the certificates, which certificates to download, and how to install the certificates.
Instructions:
You will need to install two certificates: Fermilab Root CA certificate and FERMI CA certificate (also known as the FERMI Sub CA 01 certificate).
Step 1: Installing the Fermilab Root CA certificate
- In your browser, go to https://authentication.fnal.gov/certs.
- Under FERMI Certificate Authority section, locate the line for "Root CA" and click DER link to download the certificate.
- In your Mac Downloads folder, double-click the file Fermilab_Root_CA.cer. The new certificate should be copied in the login keychain under the Certificates category.
- Copy the root certificate in the System keychain (required to make CA certificate trusted by all system processes and all users).
- In the keychain tool, click Fermilab Root Certificate in the login keychain and then right-click and select "Copy" Fermilab Root CA.
- Go to the System keychain and paste the new certificate.
- Right-click on the certificate and select the "Get Info" to open the window with the certificate details.
- Extend Trust and select Always Trust in the "When using this certificate" section.
Step 2: Installing the FERMI CA certificate
- In your browser, go to https://authentication.fnal.gov/certs.
- Under FERMI Certificate Authority section, locate the line for "FERMI CA certificate" and click DER link to download the certificate.
- In your Mac Downloads folder, double-click the file FERMI_Sub_CA_01.cer. The new certificate should be copied in the login keychain under the Certificates category.
- Copy the FERMI CA certificate in the System keychain (required to make CA certificate trusted by all system processes and all users).
- In the keychain tool, click FERMI Sub CA 01 in the login keychain, then right-click and select "Copy" FERMI Sub CA 01.
- Go to the System keychain and paste the new certificate.
- Right-click on the certificate and select "Get Info" to open the window with the certificate details.
- Extend Trust and select Always Trust in the "When using this certificate" section.
Your certificates should now be installed.
See Also:
- KB0012916 - Fermilab CA certificates: What they are and why you need them
- KB0012906 - Fermilab CA certificates: How to install certificates on a non-Fermi managed Windows PC
- KB0012905 - Fermilab CA certificates: How to install certificates on mobile devices (iOS and Android)
- KB0012914 - Fermilab CA certificates: How to install certificates on Linux