Resolving PKI Client issues on macOS Monterey

Solution ID : GN300922161658
Last Modified : 10/21/2023

Description

This article details how to resolve issues encountered when using the DigiCert PKI Client to access PKI Manager, the PKI Platform 8 administration portal, on macOS Monterey machines running on either M1 or Intel-based chips.

Note: For the best results, please use the Chrome browser when following these resolutions.

The following 3 issues have been observed. Each is detailed below with its corresponding solution:

  • Issue 1: PKI Client UI does not show up 
    - Solution 1
  • Issue 2: Enrolment and pick-up of Administrator certificates on Monterey
    - Solution 2
  • Issue 3: Installing PKI Client
    - Solution 3

PKI Client UI does not show up

For PKI Platform 8 administrators using a macOS Monterey machine, the PKI Client UI does not show up, so users are not able to view the certificate details stored on the PKI Client vToken.

Solution 1

The PKI Client UI issue for Monterey will not be fixed. To view certificate details stored on the PKI Client vToken, launch the Keychain Access application on your Monterey machine. Click on the Symantec keychain located on the left vertical navigation bar. You will be prompted to enter your PKI Client PIN. Once the PIN is verified successfully, you can view all the certificates (and their details) stored on the PKI Client vToken.

Enrolment and pick-up of Administrator certificates on Monterey

Owing to the issue that PKI Client’s UI is not showing up on Monterey, how do you go about enrolling for an Administrator certificate for the first time, after its expiration, or before expiring?

Solution 2

2.1 Enrolling and picking up the Administrator certificate for the first time

There is no issue with the enrolment and pick-up flow for Administrator certificates on Monterey; it works as expected. Follow the steps below to download and install your Administrator certificate:

 

Step One:

After receiving an email with details on how to pick up the Administrator certificate and visiting the pick-up URL, and successfully validating the Administrator details, you will land on the Install certificate page and will be requested to enter your PKI Client PIN for authentication:

Step Two:

Upon successful authentication, the enrolment and pick-up will be successful as shown below:

Step Three:

You can navigate to the “PKI Manager” administration portal in a new browser session (preferably after restarting your Mac machine), and the newly picked-up Administrator certificate will be available for strong authentication to the PKI Manager portal. You can then select the certificate, authenticate with your PKI Client PIN, and log in to the PKI Manager portal successfully.
 

Step Four:

If your browser does not offer your Admin certificate for the Client Authentication operation on the PKI Manager portal, you can add the CA chain manually in the Keychain Access application on your Mac machine, under the “Login” keychain.
 

Step Five:

If you do not have the Symantec keychain on your Mac under “Custom Keychains”, you will need to create one with the following steps:

  1. Log in to the keychain via the Keychain Access application.
  2. Right-click and select “New keychain”, then create it and name it Symantec.
  3. You will have to create a password. This becomes the Keychain password.
  4. Copy the following two certificates into the newly created keychain:
    - DigiCert PKI Platform Administrator Certificate
    - Symantec Administrator CA Recertified Certificate


Step Six:

You can now complete your enrollment for the PKI 8 Admin certificate.

Note: During the enrollment you will be prompted to create a PKI Client password. This is different from the Mac Keychain password.

 


2.2 Enrolling for a new Administrator certificate after its expiration

Step One:

Check the Administrator certificate within your Keychain and ensure it is inside the renewal window - typically 30 days before expiration.

Step Two:

Reach out to your DigiCert representative (Client Manager or Support team) requesting the following:

  1. Revoke your existing valid Administrator certificate so that a new enrollment can be created
  2. Create a new enrollment for the Administrator certificate using your same Seat Id

Step Three:

Once these 2 steps are done, you will receive an email with the pick-up URL, and you can follow the steps in Solution 2.1 above to install your certificate and access the PKI Manager portal without issues.
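The renewal-window check in Step One of 2.2 can also be done from Terminal. The script below is an added example, not DigiCert tooling; it assumes `openssl` is installed and that the Administrator certificate has been exported to a PEM file (the function name `renewal_status`, the file name `admin.pem` and the certificate name shown in the comment are hypothetical placeholders).

```shell
#!/bin/sh
# Added example: classify a certificate against a renewal window.
# Input is a PEM file. On macOS one can be produced with, for example:
#   security find-certificate -c "<certificate name>" -p > admin.pem
# ("<certificate name>" and admin.pem are placeholders, not values from the article).

# renewal_status PEM_FILE [WINDOW_DAYS]
# Prints exactly one of: unreadable | expired | renew | not-yet
renewal_status() {
    pem=$1
    days=${2:-30}   # 30 days is the typical window named in the article

    # Reject anything that does not parse as an X.509 certificate.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi

    # "-checkend N" exits 0 when the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired        # already past notAfter
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renew          # valid now, but expires inside the window
    else
        echo not-yet        # more than WINDOW_DAYS of validity left
    fi
}

# Stand-alone use: sh renewal.sh admin.pem [days]
if [ $# -ge 1 ]; then
    status=$(renewal_status "$@")
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    printf '%s: %s (notAfter: %s)\n' "$1" "$status" "${end:-unknown}"
fi
```

A result of `renew` means the certificate is inside the window described in Step One; `not-yet` means it is still outside it.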

Installing PKI Client

There are two possible ways PKI Client can end up on a Monterey machine:

  1. You are setting up a new machine
  2. You are upgrading from an older macOS version

 

Solution 3

For the installation of the PKI Client software, there are two options:

  1. Fresh installation of PKI Client on Monterey works without any issues.

  2. For Mac machines that are upgraded to Monterey from an older macOS version (e.g. Big Sur), the vToken will be preserved and will work on Monterey (even if it is restored from a Time Machine backup), provided the following remain unchanged:

    - User credentials
    - Domain (If connected)
    - Machine (Hardware) details

If you encounter any issues or have any questions, please contact your DigiCert Support Team.