Environment : ClearPass 6.2.3 with Mac OS X 10.9
Symptoms : While onboarding a Mac OS X 10.9 device, the profile installation completes successfully. However, the profile shows up as unverified even though the customer has already installed the root certificate of the Onboard CA.
Checking the profile on the Mac shows that the Onboard root CA is trusted and the Onboard Signing CA is valid, but the profile itself is not valid.
Checking the keychain on the Mac shows that the Onboard root CA is trusted.
On Mac OS X 10.8, the profile would show as valid and verified.
This happens when the Onboard CA certificate is generated using MD5 and the profile signing certificate also uses MD5 as its signing algorithm. Mac OS X 10.9 has dropped support for MD5 as a signing algorithm, except for root CAs. More details can be found from Apple.
The resolution is to generate a new CA certificate with SHA1 or SHA2 as the signing algorithm (SHA2 recommended). The profile signing certificate will then also use SHA1 / SHA2, which Mac OS X 10.9 supports, and the profile will show up as verified.
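
To confirm which certificates are affected before and after regenerating the CA, the following script reports each certificate's signature algorithm and applies the rule described above. It is an added example, not part of the original article or of ClearPass; it assumes the OpenSSL command-line tool is available and that each certificate has been exported as its own PEM file (the file names in the usage comment are placeholders).

```sh
#!/bin/sh
# Added example: list each certificate's signature algorithm and flag the
# MD5-signed ones that Mac OS X 10.9 rejects (rule taken from this article).

# Print the signature algorithm of one PEM certificate file.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Print "yes" when subject equals issuer (self-signed root), else "no".
cert_is_root() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then echo yes; else echo no; fi
}

# $1 = algorithm name, $2 = "yes" for a root CA.
# MD5 is tolerated on the root only; an MD5 root is still reported because
# (per the article) the signing certificate follows the CA's algorithm.
classify_sig_alg() {
    case "$1" in
        "") echo "unknown" ;;
        md5*|MD5*)
            if [ "$2" = "yes" ]; then echo "root-md5-exempt"
            else echo "md5-rejected"; fi ;;
        *) echo "ok" ;;
    esac
}

# Check every file given; return 1 if any certificate would be rejected.
check_certs() {
    status=0
    for f in "$@"; do
        alg=$(cert_sig_alg "$f")
        verdict=$(classify_sig_alg "$alg" "$(cert_is_root "$f")")
        printf '%s\t%s\t%s\n' "$f" "${alg:-?}" "$verdict"
        if [ "$verdict" = "md5-rejected" ]; then status=1; fi
    done
    return "$status"
}

# Placeholder usage: sh check_md5.sh onboard-root.pem onboard-signing.pem
if [ "$#" -gt 0 ]; then check_certs "$@"; fi
```

A `root-md5-exempt` result on the Onboard root together with `md5-rejected` on the signing certificate matches the symptom described here; after the CA is regenerated, both lines should read `ok`.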