
Adding new trusted root certificates to System.keychain

If you’re setting up a certificate authority for your organization, so that you can build and use PKI certificates in house, you need to make sure that your Macs recognize that CA (and the certificates it issues) as trusted. One way to do that is to install the new trusted root certificate into /Library/Keychains/System.keychain, so that certificates issued by your CA are recognized and trusted by the Mac.

You can use the security command to install the trusted root into your Mac’s System.keychain (the trusted root .cer file is in this case stored in /private/tmp/certs.)

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"

add-trusted-cert = Add the certificate (in DER or PEM format) in certFile to the per-user or local admin trust settings.

-d = Add this certificate to the admin certificate store; the default is to store it in the user’s keychain.

-r = Specifies the trust result you want; in this case trustRoot (see the security man page for the other options).

-k = Specifies the keychain to use; in this case /Library/Keychains/System.keychain.


You can also build this into an installer package: have the package install the certificate you want to use into a specified directory, then use a postflight script like the following to install the trusted certificate into System.keychain and remove the certificate file from that directory afterwards.


#!/bin/bash
# Install the staged root certificate into the system keychain and mark it as a trusted root.
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
# Remove the staged copy. (srm was removed in macOS 10.12; on later systems use rm, which is enough
# since a root CA certificate contains no secret material.)
srm "/private/tmp/certs/certname.cer"
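As an added example (not code from the original post), here is a more defensive version of that postflight script. It checks the staged file before calling security add-trusted-cert, so the two failure modes that come up below (installing an issuing-CA certificate where a root is needed, and handing the tool a file that is not a bare PEM/DER certificate) fail loudly instead of producing an untrusted keychain entry or an import error. The staged path is taken from the first argument and is a hypothetical choice; the cert_format classifier inspects only the leading bytes, and the self-signed check is skipped if openssl is not present.

```shell
#!/bin/sh
# Added example, not part of the original post: a postflight-style installer that
# validates the staged certificate before handing it to `security add-trusted-cert`.
# Assumption (hypothetical): the package stages the certificate at the path given as $1.

set -eu

# Classify a certificate file by its leading bytes:
#   pem     - textual PEM armor (-----BEGIN CERTIFICATE-----)
#   der     - DER: outer SEQUENCE whose first element is a SEQUENCE (the tbsCertificate)
#   pkcs7   - DER: outer SEQUENCE whose first element is an OID (PKCS#7 ContentInfo,
#             which is what a .p7b chain export looks like)
#   unknown - anything else (bare base64 without armor, PKCS#12, plain text, ...)
#   missing - file absent or unreadable
cert_format() {
  f="$1"
  [ -r "$f" ] || { echo missing; return 0; }
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
    echo pem; return 0
  fi
  # First 8 bytes as one hex string, e.g. 308205a4308203...
  hex=$(head -c 8 "$f" | od -An -tx1 -v | tr -d ' \n')
  [ "$(printf '%s' "$hex" | cut -c 1-2)" = "30" ] || { echo unknown; return 0; }
  # DER length: short form (< 0x80) is a single byte; long form 0x8N is followed by N length bytes.
  lenbyte=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c 3-4)")
  if [ "$lenbyte" -lt 128 ]; then off=5; else off=$((5 + 2 * (lenbyte - 128))); fi
  case "$(printf '%s' "$hex" | cut -c "$off-$((off + 1))")" in
    30) echo der ;;
    06) echo pkcs7 ;;
    *)  echo unknown ;;
  esac
}

# trustRoot only takes effect on a self-signed root, so an issuing (intermediate) CA
# certificate installed this way ends up as an untrusted entry. Compare subject and
# issuer with openssl; skipped when openssl is not installed.
check_self_signed() {
  f="$1"; inform="$2"
  command -v openssl >/dev/null 2>&1 || return 0
  subj=$(openssl x509 -in "$f" -inform "$inform" -noout -subject)
  iss=$(openssl x509 -in "$f" -inform "$inform" -noout -issuer)
  if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
    echo "$f is not self-signed (issuer differs from subject); install the root CA certificate, not an issuing CA" >&2
    return 1
  fi
}

install_trusted_root() {
  f="$1"
  fmt=$(cert_format "$f")
  case "$fmt" in
    pem)   check_self_signed "$f" PEM ;;
    der)   check_self_signed "$f" DER ;;
    pkcs7) echo "$f is a PKCS#7 bundle; extract the root first with: openssl pkcs7 -in '$f' -print_certs" >&2; return 1 ;;
    *)     echo "$f: not a PEM or DER certificate ($fmt)" >&2; return 1 ;;
  esac
  # Same command as the post: -d writes to the admin trust settings, -r trustRoot marks it as a root.
  security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$f"
  # Evaluate the certificate against the system trust settings before cleaning up;
  # a non-zero exit here means the trust setting did not take.
  security verify-cert -c "$f"
  # A root CA certificate is public data, so plain rm is enough (srm was removed in macOS 10.12).
  rm -f "$f"
}

# Only act when run with a path on a Mac that has the security tool.
if [ "$#" -ge 1 ] && command -v security >/dev/null 2>&1; then
  install_trusted_root "$1"
fi
```

Run it from the postflight as `sh install_root.sh /private/tmp/certs/certname.cer` (path hypothetical). The classifier is the part worth keeping even if you drop the rest: a .p7b chain export and a bare certificate both start with a DER SEQUENCE, and telling them apart by the next tag is what separates "extract the root with openssl pkcs7 first" from "this file is simply the wrong format".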

PDF with proper formatting available here.

  1. March 14, 2011 at 4:35 pm

    This doesn’t work for me. If I deploy it with trustRoot, I get a certificate in the keychain that’s untrusted. If I use trustAsRoot, I get a certificate with custom trust (blue plus icon), which uses the system’s default trust settings. With trustAsRoot I no longer get certificate warnings e.g. in Safari, but I wonder what I have to do to get a nice green check mark icon…

  2. March 14, 2011 at 5:39 pm

    Per,

    Are you adding a root CA? You may have different results with this command if you’re adding a certificate that’s been issued by another CA.

    http://wiki.cacert.org/ImportRootCert

  3. perolofssongu
    March 14, 2011 at 7:10 pm

    That’s probably it, the root CA is offline and locked away in a safe, and the issuing CA is online. I guess it’s serving me its own certificate and not the root’s.

    I can get the complete chain as a p7b, but I haven’t figured out how to extract a PEM format root certificate out of that.

    • perolofssongu
      March 16, 2011 at 4:53 pm

      openssl pkcs7 -in certnew.p7b -print_certs did the trick, and with a cut’n’paste I can add the certificate with trustRoot. Still just a blue plus icon and not a green checkmark though…

  4. September 23, 2013 at 2:05 am

    The security man page doesn’t explain the effects of the trustRoot and trustAsRoot.
    Can you give a short description of what the two options do and how they differ?

    • perolofssongu
      September 23, 2013 at 7:13 am

      trustAsRoot trusts everything signed by that certificate as if it was a root certificate, even if it’s not, e.g. if it’s just an intermediate certificate. trustRoot trusts the specified root certificate, but you have to point it to a root certificate.

  5. February 11, 2014 at 12:07 am

    When I do this I get an error that reads: SecCertificateAddToKeychain: Unknown format in import. I have searched for this error everywhere but there is no definitive answer. What is your take on this?

  6. February 19, 2014 at 3:31 pm

    Sorry to drag up an old post, but trying to do this via Casper, how could I make it run as the user, not as root, do you know?

