Adding new trusted root certificates to System.keychain
If you’re setting up a certificate authority for your organization so that you can issue and use PKI certificates in house, you need to make sure your Macs recognize that CA, and the certificates it issues, as trusted. One way to do that is to install the CA’s root certificate as a trusted root in /Library/Keychains/System.keychain. Trust settings stored there are admin (system-wide) trust settings, so certificates issued by your CA are then trusted for every account on the Mac.
You can use the security command to install the trusted root into your Mac’s System.keychain (the trusted root .cer file is in this case stored in /private/tmp/certs.)
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
add-trusted-cert = Add certificate (in DER or PEM format) from certFile to per-user or local Admin Trust Settings.
-d = Add this certificate to admin certificate store; default is to store it in the user’s keychain.
-r = Specifies the trust result you want. trustRoot (the default) marks a self-signed root certificate as a trust anchor; it only applies to a certificate that is its own issuer, so for an intermediate or issuing CA certificate use trustAsRoot instead (see the security man page for the other options, deny and unspecified.)
-k = Specifies the keychain to use, in this case the specified keychain is /Library/Keychains/System.keychain
You can also build this into an installer package: have the package install the certificate into a known directory as its payload, then use a postflight script like the following to add the certificate to System.keychain and remove the staged file afterwards. The installer runs the script as root, so sudo is not needed.
#!/bin/bash
# Runs as root from the installer, so no sudo is needed; stop on the first error.
set -e
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
# Remove the staged copy (srm was removed in macOS 10.12, so use rm).
rm -f "/private/tmp/certs/certname.cer"
This doesn’t work for me. If I deploy it with trustRoot, I get a certificate in the keychain that’s untrusted. If I use trustAsRoot, I get a certificate with custom trust (blue plus icon), which uses the system’s default trust settings. With trustAsRoot I no longer get certificate warnings e.g. in Safari, but I wonder what I have to do to get a nice green check mark icon…
Per,
Are you adding a root CA? You may have different results with this command if you’re adding a certificate that’s been issued by another CA.
http://wiki.cacert.org/ImportRootCert
That’s probably it, the root CA is offline and locked away in a safe, and the issuing CA is online. I guess it’s serving me its own certificate and not the root’s.
I can get the complete chain as a p7b, but I haven’t figured out how to extract a PEM format root certificate out of that.
openssl pkcs7 -in certnew.p7b -print_certs did the trick, and with a cut’n’paste I can add the certificate with trustRoot. Still just a blue plus icon and not a green checkmark though…
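The following script is an added example and is not code from the original post or from the commenters. It puts together the two things discussed above: the post’s installer postflight that runs security add-trusted-cert against System.keychain, and the comment thread’s finding that trustRoot only works for a self-signed root while an issuing CA’s certificate needs trustAsRoot, with the root extracted from a .p7b via openssl pkcs7 -print_certs. It accepts a single certificate (.cer/.crt/.pem, DER or PEM) or a PKCS#7 bundle (.p7b), splits it into individual certificates, checks whether each one is self-signed, and installs it with the matching -r value. It assumes openssl(1) is on PATH; security(1) exists only on macOS, and the install step needs root (sudo, or a postflight script run by the installer). The function names, the KEYCHAIN variable and the example file names are this example’s own, not from the page.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments.
# Install every certificate in a .cer/.pem/.p7b bundle into System.keychain,
# using -r trustRoot for a self-signed root and -r trustAsRoot for an
# issuing/intermediate CA certificate. Assumes openssl(1) on PATH; the
# security(1) calls only work on macOS and must run as root.
set -eu

KEYCHAIN="/Library/Keychains/System.keychain"

# Emit the certificates in $1 as a bare PEM stream, whatever the input format.
cert_bundle_to_pem() {
  case "$1" in
    *.p7b|*.p7c)
      # PKCS#7 bundle, e.g. certnew.p7b downloaded from an AD CS enrollment page.
      { openssl pkcs7 -in "$1" -print_certs 2>/dev/null \
        || openssl pkcs7 -inform DER -in "$1" -print_certs; } ;;
    *)
      # Single certificate: try PEM first, then DER.
      { openssl x509 -in "$1" 2>/dev/null \
        || openssl x509 -inform DER -in "$1"; } ;;
  esac | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# Split a PEM stream on stdin into one file per certificate under directory $1,
# printing each file name on stdout.
split_pem() {
  awk -v dir="$1" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != ""                      { print > out }
    /^-----END CERTIFICATE-----/   { close(out); print out; out = "" }'
}

# True when the certificate's issuer equals its subject, i.e. it is self-signed
# and is the kind of certificate security(1) accepts with -r trustRoot.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# The -r value to pass to security add-trusted-cert for this certificate.
result_type_for() {
  if is_self_signed "$1"; then echo trustRoot; else echo trustAsRoot; fi
}

# Install one PEM certificate into the admin trust settings, then ask the
# system to evaluate it; verify-cert exits non-zero if it is still untrusted.
install_trusted_cert() {
  rtype=$(result_type_for "$1")
  security add-trusted-cert -d -r "$rtype" -k "$KEYCHAIN" "$1"
  security verify-cert -c "$1"
}

main() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  cert_bundle_to_pem "$1" | split_pem "$tmp" | while read -r pem; do
    echo "installing $pem with -r $(result_type_for "$pem")"
    install_trusted_cert "$pem"
  done
}

# Usage: sudo ./install-ca-bundle.sh certnew.p7b   (or rootca.cer, or ca.pem)
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Installing the whole chain this way gives the root trustRoot and the issuing CA trustAsRoot in one pass, which is the combination the comments above arrived at by hand. The verify-cert call at the end is the check to run after any deployment: it evaluates the certificate against the trust settings that are now in place rather than trusting that the add-trusted-cert call did what was intended.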