Export certificate from FileVault master keychain and upload it to a domain server

The procedure described in this section is required only if you are using one institutional key for multiple Mac computers. If you are using computer-specific (“personal”) keys, go to Assign an Active Directory user who is authorized to manage an encrypted disk.

After you create a master password, as explained in the previous section, you must export the certificate associated with the master keychain to make it available for upload to the domain controller.

You can export the certificate by using the Mac user interface, or by executing commands in the Terminal application. Instructions are provided for each procedure.

To export the certificate by using the Keychain Access utility

  1. On the Mac computer, open the Keychain Access utility, or double-click the FileVaultMaster.keychain file, which is at the following location:
    /Library/Keychains/FileVaultMaster.keychain
  2. Enter your password if prompted to do so.

  3. In Keychains, select FileVaultMaster.

  4. In the right pane, select the FileVault Recovery Key certificate and expand it; then right-click it and select Export “FileVault Recovery Key”.

  5. Enter the following information for saving the certificate:

    • Save As: Type a name for the certificate, such as “FileVaultMasterCert”.
    • Where: Navigate to a folder in which to save the certificate.

    • File Format: Select Certificate (.cer) from the drop-down list.

    The certificate is now available for upload to a domain controller.

  6. Copy the certificate to a location on a server that is accessible from the computer that you use to configure Group Policy for the domain.

    Later, when you enable the group policy to turn on FileVault 2 protection (see Enable the Enable FileVault 2 group policy), you must be able to access this certificate from the domain controller on which you are running the Group Policy Editor.

To export the certificate by using Terminal commands

  1. On the Mac computer, open the Terminal utility application.
  2. Run the following command:
    sudo security export -k /PathToKeychain -t certs -f x509 -o /PathToCert

    Note: The sudo command is required only if FileVaultMaster.keychain is owned by root.

    where:

    • PathToKeychain is the path to FileVaultMaster.keychain; for example:

      /Library/Keychains/FileVaultMaster.keychain
    • PathToCert is the path to the location in which to export the certificate; for example:

      /Documents/FileVaultMaster.cer

    The certificate is now available for upload to a domain controller.

  3. Copy the certificate to a location on a server that is accessible from the computer that you are using to configure Group Policy for the domain.

    Later, when you enable the group policy to turn on FileVault 2 protection (see Enable the Enable FileVault 2 group policy), you must be able to access this certificate from the domain controller on which you are running the Group Policy Editor.
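The following script is an added example, not part of this documentation or its vendor's tooling. It wraps the Terminal procedure above: it applies sudo only when root owns the keychain (using the macOS form of stat), runs the same security export command, and then checks the exported file before it is copied to the server: it must be a DER-encoded certificate whose encoded length matches the file size, and it must not contain private-key material, since only the public certificate belongs on the domain controller. The function names and the check itself are this example's own.

```shell
#!/bin/sh
# Verify that FILE looks like a single DER-encoded X.509 certificate and
# carries no private key. Returns 0 on success, 1 with a message otherwise.
check_cert_file() {
  file=$1
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  # The domain controller needs only the public certificate; refuse a PEM
  # private key (or a bundle containing one) before it leaves the Mac.
  if grep -q 'PRIVATE KEY' "$file" 2>/dev/null; then
    echo "private key material found in $file" >&2; return 1
  fi
  # Read the first four bytes as decimal values: a real-world certificate is
  # DER SEQUENCE (0x30) followed by 0x82 and a two-byte length.
  set -- $(od -An -tu1 -N4 "$file")
  [ $# -eq 4 ] || { echo "file too short to be a certificate" >&2; return 1; }
  [ "$1" -eq 48 ]  || { echo "not a DER SEQUENCE (first byte $1)" >&2; return 1; }
  [ "$2" -eq 130 ] || { echo "unexpected DER length encoding ($2)" >&2; return 1; }
  expected=$(( $3 * 256 + $4 + 4 ))
  actual=$(wc -c < "$file" | tr -d ' ')
  [ "$expected" -eq "$actual" ] || {
    echo "DER length $expected does not match file size $actual" >&2; return 1
  }
  return 0
}

# Export the certificate from the FileVault master keychain (macOS only:
# needs the security tool and the BSD stat -f syntax), then check the result.
# Usage: export_fv_master_cert /Library/Keychains/FileVaultMaster.keychain ~/Documents/FileVaultMaster.cer
export_fv_master_cert() {
  keychain=${1:-/Library/Keychains/FileVaultMaster.keychain}
  out=$2
  [ -f "$keychain" ] || { echo "keychain not found: $keychain" >&2; return 1; }
  # sudo is needed only when the keychain is owned by root (uid 0).
  runas=""
  [ "$(stat -f '%u' "$keychain")" -eq 0 ] && runas="sudo"
  $runas security export -k "$keychain" -t certs -f x509 -o "$out" || return 1
  check_cert_file "$out"
}
```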