Security Impact of Installing macOS Configuration Profile with Certificates

Tags: certificate, macos, security

I want to install a configuration profile to automatically connect to my university network, but along with the two Wi-Fi network configurations there are also two certificates. Their description is "AC du fournisseur d'identité" (in English: CA of the identity provider). Those are the certificates "TERENA SSL CA 3" and "DigiCert Assured ID Root CA", both emitted by "DigiCert Assured ID Root CA".

What is the exact impact of this on the security of my system?

Does it only sign the profile, or does it install new trusted certificate emitters for the websites I can consult, for instance? (which would augment the risk of a man-in-the-middle attack)

Thank you

Best Answer

The file eduroam-OS_X-UdS.mobileconfig contains five certificates. Three of them can be retrieved by entering:

    openssl pkcs7 -inform DER -print_certs -in ~/Downloads/eduroam-OS_X-UdS.mobileconfig

At least two of the three belong to the chain of trust to validate code signing of the mobileconfig file.

You can verify this by clicking on "Verified".


The other two ("TERENA SSL CA 3" and "DigiCert Assured ID Root CA") are the chain of trust to validate the identity of your university's RADIUS server. By opening eduroam-OS_X-UdS.mobileconfig with a decent editor you can see and extract them. By saving each of them as a *.cer file you can compare and validate them yourself by opening them with Keychain Access.app: choose one of the two certs and right-click it > evaluate cert > Generic.


If the TERENA cert isn't evaluated successfully, it doesn't catch the DigiCert root certificate properly. Simply hit the button Go Back and repeat the step.

"DigiCert Assured ID Root CA" is a duplicate of a certificate already existing in your System Roots keychain, and "TERENA SSL CA 3" is an intermediate certificate authority. Both are required to ensure the identity of the RADIUS server. If possible, you should choose to "Validate the (RADIUS) Server Certificate" though. I don't know (and haven't been able to find) the DNS name of your university's RADIUS server.

None of the certificates lower your system security. If everything is properly configured (especially on the server side), an MITM shouldn't be possible: Security Considerations.

If something is configured improperly and you are a victim of an MITM, your l'identifiant E.N.T and le mot de passe E.N.T will be "lost".
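The answer above suggests opening the profile in an editor to see which certificates it carries. The same inspection can be scripted; the following is an added example, not part of the original answer. It lists the certificate payloads and shows, for each Wi-Fi payload, which certificates serve as RADIUS trust anchors and whether server names are restricted. The sample profile, its display names and UUIDs are constructed, and the loader assumes a signed profile embeds its XML plist contiguously inside the signature wrapper.

```python
import plistlib

# Payload types Apple uses for certificates carried inside a profile.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem", "com.apple.security.pkcs12"}

def load_profile(raw: bytes) -> dict:
    """Return the profile plist, whether or not it is wrapped in a signature."""
    # Assumption: the XML plist sits in one contiguous run inside the DER blob.
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def audit_profile(raw: bytes) -> dict:
    payloads = load_profile(raw).get("PayloadContent", [])
    certs = {p.get("PayloadUUID"): p.get("PayloadDisplayName", "?")
             for p in payloads if p.get("PayloadType") in CERT_TYPES}
    wifi = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        names = eap.get("TLSTrustedServerNames", [])
        wifi.append({"ssid": p.get("SSID_STR"),
                     "anchors": [certs.get(u, "unknown UUID " + u) for u in anchors],
                     "server_names": names,
                     # Anchors without a server-name list accept any host under that CA.
                     "pinned": bool(anchors) and bool(names)})
    return {"certificates": sorted(certs.values()), "wifi": wifi}

# Constructed sample: fake signature bytes around a minimal profile plist.
SAMPLE = b"\x30\x82\x0f\x00" + plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "UUID-ROOT",
         "PayloadDisplayName": "Example Root CA", "PayloadContent": b"constructed"},
        {"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": "UUID-INT",
         "PayloadDisplayName": "Example Intermediate CA", "PayloadContent": b"constructed"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "eduroam",
         "EAPClientConfiguration": {"PayloadCertificateAnchorUUID": ["UUID-ROOT"],
                                    "TLSTrustedServerNames": []}},
    ]}) + b"\x00trailing-signature-bytes"

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

To check a real download, pass its bytes instead of the sample, for example `audit_profile(open(path, "rb").read())`.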