Generating a PKCS12 (.p12) Keystore File from a Google Cloud LDAP Client

Jamf Connect Documentation


Google's Secure LDAP service generates a certificate that serves as the primary authentication mechanism for the LDAP clients to authenticate with Secure LDAP.

For Jamf Pro to authenticate with a client certificate, the certificate must be installed in the application's keystore. This article explains how to generate the PKCS12 (.p12) keystore file and upload it to Jamf Pro when integrating with Google Cloud Identity Provider.

This certificate is used to allow Jamf Connect to sync a user's Google and local password on a Mac computer.

Requirements
  • A Google Identity subscription that includes Google's LDAP service so you can download a certificate.

    For a list of supported Google Identity subscriptions, see Supported Cloud Identity Providers.

    For more information about Google's Secure LDAP service, see About the Secure LDAP service on the Google Workspace Admin Help website and Add and connect new LDAP clients on Google's Cloud Identity Help website.

  • OpenSSL must be installed in your local environment to convert the certificate and key to .p12 keystore format.
    Note: OpenSSL is installed by default on macOS. Computers using an operating system other than macOS must install OpenSSL.

  • This procedure assumes you are using the default installation of OpenSSL included with the latest version of macOS.

  1. Log in to your Google Admin console.
  2. Click Apps and then LDAP.
  3. Choose the LDAP client you want to integrate with Jamf Pro.

    The service switch status needs to be "On" for the chosen LDAP client.

  4. Click Authentication.
  5. Download the certificate file that you will use when integrating with Jamf Pro.
  6. Extract the downloaded archive. The output should contain the certificate (.crt) file and the private key (.key) file.
  7. To generate the .p12 keystore file, execute the following command:
    openssl pkcs12 -export -legacy -out /path/to/generated/keystore.p12 -inkey /path/to/saved/privatekey.key -in /path/to/saved/certificate.crt
  8. Create a password when prompted.

    This is the password you'll use when accessing the keystore file. Store this password in a secure location.

You can now upload the generated .p12 keystore file to Jamf Pro or locally add it to a computer's system keychain.
Note: Generating a separate keystore file for use with Jamf Pro each time you download the certificate from Google is recommended.
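
The conversion from step 7 with a check on either side, as an added example (not Jamf's or Google's tooling): it confirms the certificate and private key belong together before exporting, then reopens the keystore to confirm it holds that certificate. The function names, the P12_PASS variable and the self-signed sample pair are assumptions constructed for illustration; the password is passed with `-passout env:` instead of the interactive prompt so the script can run unattended.

```shell
#!/usr/bin/env bash
# Added example (constructed); not Jamf's or Google's tooling.
# The keystore password is read from the exported variable P12_PASS (assumed name).

# SHA-256 of the public key inside a certificate ("cert") or a private key ("key")
pubkey_digest() {
  local pub
  case "$2" in
    cert) pub=$(openssl x509 -in "$1" -noout -pubkey) ;;
    key)  pub=$(openssl pkey -in "$1" -pubout) ;;
    *)    return 1 ;;
  esac || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# make_keystore CERT KEY OUT: the step 7 export with a pre-check and a post-check
make_keystore() {
  local cert=$1 key=$2 out=$3 legacy="" c k want got
  c=$(pubkey_digest "$cert" cert) && k=$(pubkey_digest "$key" key) &&
    [ "$c" = "$k" ] || { echo "certificate and key do not match" >&2; return 1; }
  # -legacy is the flag from step 7; pass it only if this openssl build lists it
  if openssl pkcs12 -help 2>&1 | grep -q -- '-legacy'; then legacy="-legacy"; fi
  ( umask 077   # the keystore holds the private key: owner-only permissions
    openssl pkcs12 -export $legacy -out "$out" -inkey "$key" -in "$cert" \
      -passout env:P12_PASS ) || return 1
  # Reopen the keystore and confirm it carries the same certificate
  want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
  got=$(openssl pkcs12 $legacy -in "$out" -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256)
  [ -n "$got" ] && [ "$want" = "$got" ]
}

# Constructed stand-in for the Google download: a throwaway self-signed pair
make_sample_pair() {  # make_sample_pair DIR NAME
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d) || return 1
  export P12_PASS='constructed-demo-password'
  make_sample_pair "$d" client && make_sample_pair "$d" other || return 1
  make_keystore "$d/client.crt" "$d/client.key" "$d/keystore.p12" &&
    echo "keystore verified: $d/keystore.p12"
  # A key from a different pair is rejected before any export happens
  make_keystore "$d/client.crt" "$d/other.key" "$d/bad.p12" 2>/dev/null ||
    echo "mismatched key rejected"
}
demo
```

For the real files, export P12_PASS, call make_keystore with the extracted .crt and .key paths, and unset P12_PASS afterwards.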