Which Certificates Do You Need
It is best practice to define the full certificate chain the client expects the server to present, rather than relying on whatever the server happens to send. The names below are the subject Common Names of the leaf, intermediate and root certificates; check them against the chain your server actually presents, since CAs rotate intermediates and roots over time (Let's Encrypt has since replaced both names used in this example). A simple example for a Let's Encrypt issued server certificate would look like this:
```xml
<key>LogRemoteEndpointTLS</key>
<dict>
    <key>TLSServerCertificate</key>
    <array>
        <string>server_name.company.com</string>
        <string>Let's Encrypt Authority X3</string>
        <string>DST Root CA X3</string>
    </array>
</dict>
```
Each string is matched against the Common Name (CN) of a certificate stored in the System keychain, so every certificate named in the array must be present there. No other keychains (such as the user's login keychain) are searched when looking for certificates at this time.
How To Get The Certificates - Command Line
Note - This process is only for initial configuration and testing. After the settings have been validated, configuration profiles should be used to deploy the certificates to endpoints in production.
```sh
# Get the full output to a file. -servername sets SNI so that a server hosting
# several names returns the certificate for HOSTNAME rather than its default.
echo -n | openssl s_client -showcerts -servername HOSTNAME -connect HOSTNAME:PORT > chain.txt
```

Depending on how your collection server is configured, either the entire certificate chain or only the server certificate will be returned. If only the server certificate comes back, obtain the intermediate and root certificates from the issuing CA separately; every name listed in TLSServerCertificate has to exist in the System keychain. Each certificate is defined by a block of text like this:

```
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISBIuX8OD2k1mBKORs6oCdBeaFMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
... (truncated for readability)
-----END CERTIFICATE-----
```

Copy each block, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, into its own plain text file. Rename each file to end in `.pem` and double-click it to import it into the System keychain (select the System keychain in the import dialog, not the login keychain). The end result for a simple certificate chain should look similar to this:

```sh
$ ls certs.d
server-leaf-cert.pem
intermediate-ca.pem
root-ca.pem
$ cat certs.d/server-leaf-cert.pem
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISBIuX8OD2k1mBKORs6oCdBeaFMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
... (truncated for readability)
-----END CERTIFICATE-----
```
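The manual copy-and-paste above is error prone for chains of more than a couple of certificates, and it gives no feedback on which Common Name will actually be matched. The script below is an added example, not part of the original page: it automates the same procedure by fetching the chain with `openssl s_client`, splitting the output into one PEM file per certificate with awk, printing each file's subject CN (the exact string that belongs in the TLSServerCertificate array), and importing the files into the System keychain with the `security` command instead of double-clicking them. `HOSTNAME`, `PORT` and the output directory are placeholders you supply; the `sample_s_client_output` function is a constructed stand-in for real `s_client` output (the certificate bodies are filler, not real certificates) so the splitting step can be exercised offline.

```shell
#!/bin/bash
# Added example: fetch, split, inspect and import a server's TLS chain on macOS.
# fetch_chain and import_into_system_keychain need network access / sudo and are
# therefore not run at the bottom of this script; split_pem_chain and the
# constructed sample are exercised offline.
set -eu

# Save the chain the server presents. -servername sets SNI so a multi-host
# server returns the certificate for the requested name, not its default one.
fetch_chain() {
    host="$1"; port="$2"; out="$3"
    echo -n | openssl s_client -showcerts -servername "$host" -connect "$host:$port" 2>/dev/null > "$out"
}

# Split every PEM certificate block in $1 into $2/cert-1.pem, cert-2.pem, ...
# Lines outside BEGIN/END blocks (the s_client chatter) are dropped.
# Prints the number of certificates written.
split_pem_chain() {
    input="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > (out) }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$input"
}

# Print "file: CN" for each split certificate. RFC2253 ordering puts the CN
# first in the subject line, so the sed keeps just its value. This is the
# string that TLSServerCertificate is matched against in the System keychain.
list_common_names() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do
        printf '%s: ' "$(basename "$f")"
        openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed -E 's/^subject=//; s/^CN=([^,]*).*/\1/'
    done
}

# Import each split certificate into the System keychain. This is the command
# line equivalent of double-clicking the .pem files and picking "System".
import_into_system_keychain() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do
        sudo security import "$f" -k /Library/Keychains/System.keychain
    done
}

# Constructed sample mimicking `openssl s_client -showcerts` output for a
# three-certificate chain. The base64 bodies are filler, not real certificates.
sample_s_client_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = server_name.company.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND
-----END CERTIFICATE-----
---
EOF
}

# Offline demonstration of the splitting step on the constructed sample.
workdir="$(mktemp -d)"
sample_s_client_output > "$workdir/chain.txt"
count="$(split_pem_chain "$workdir/chain.txt" "$workdir/certs.d")"
echo "split $count certificate(s) into $workdir/certs.d"
```

Against a real server the sequence is `fetch_chain HOSTNAME PORT chain.txt`, `split_pem_chain chain.txt certs.d`, then `list_common_names certs.d` to see the CN strings; only once those match what you intend to put in TLSServerCertificate run `import_into_system_keychain certs.d`. If `list_common_names` shows only one file, the server sent just its leaf and the intermediate and root still have to be fetched from the CA.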