Adding new trusted root certificates to System.keychain
If you’re setting up a certificate authority for your organization so that you can build and use PKI certificates in house, you need to make sure that your Macs recognize that CA (and the certificates it issues) as trusted. One way to do that is to install new trusted root certificates as needed into /Library/Keychains/System.keychain, so that certificates issued by your CA are recognized and trusted by your Mac.
You can use the security command to install the trusted root into your Mac’s System.keychain (the trusted root .cer file is in this case stored in /private/tmp/certs.)
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
add-trusted-cert = Add certificate (in DER or PEM format) from certFile to per-user or local Admin Trust Settings.
-d = Add this certificate to admin certificate store; default is to store it in the user’s keychain.
-r = Specifies the trust result you want; in this case trustRoot (see the security man page for the other options.)
-k = Specifies the keychain to use, in this case the specified keychain is /Library/Keychains/System.keychain
You can also build this into an installer package: install the certificate you want to use into a specified directory, then use a postflight script like the following to install the trusted certificate into System.keychain and remove the certificate file from the directory afterwards.
#!/bin/bash
# Add the trusted root to the System keychain, then delete the staged .cer file
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"
# srm was removed in macOS 10.12; use rm -f on newer systems
srm "/private/tmp/certs/certname.cer"
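As an added example (not the post's own script), a postflight-style script that checks the certificate before calling security: it detects PEM vs DER, picks trustRoot when the certificate is self-signed (a true root) and trustAsRoot otherwise (an issuing CA), and verifies the result with security verify-cert. It assumes openssl and security are on PATH, that the certificate path is passed as the first argument, and includes a helper for the .p7b-to-PEM extraction step raised in the comments.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes openssl and security on PATH.
set -u

# "pem" if the file is PEM-armoured, else "der". security accepts both; the
# "Unknown format in import" error usually means the file is neither (e.g. a .p7b).
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# A .p7b chain bundle cannot be imported directly; split it into PEM certificates first.
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# Choose the -r value: subject == issuer means a self-signed root -> trustRoot;
# anything else (an online issuing/intermediate CA) needs trustAsRoot.
pick_result_type() {
  # $1 = subject, $2 = issuer
  if [ "$1" = "$2" ]; then echo trustRoot; else echo trustAsRoot; fi
}

# Subject/issuer as printed by openssl, with the "subject=" / "issuer=" labels stripped
# so the two strings are comparable across openssl versions.
cert_subject() {
  openssl x509 -in "$1" -inform "$(cert_format "$1" | tr a-z A-Z)" -noout -subject | sed 's/^subject= *//'
}
cert_issuer() {
  openssl x509 -in "$1" -inform "$(cert_format "$1" | tr a-z A-Z)" -noout -issuer | sed 's/^issuer= *//'
}

install_trusted_cert() {
  cert="$1"
  keychain=/Library/Keychains/System.keychain
  rtype=$(pick_result_type "$(cert_subject "$cert")" "$(cert_issuer "$cert")")
  echo "Installing $cert with -r $rtype into $keychain"
  security add-trusted-cert -d -r "$rtype" -k "$keychain" "$cert" || return 1
  # Exits non-zero if the certificate is still not trusted for SSL in that keychain.
  security verify-cert -c "$cert" -k "$keychain" -p ssl
}

# Only run the install when a certificate path is supplied, so the helpers can be sourced.
if [ "$#" -ge 1 ]; then install_trusted_cert "$1"; fi
```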
This doesn’t work for me. If I deploy it with trustRoot, I get a certificate in the keychain that’s untrusted. If I use trustAsRoot, I get a certificate with custom trust (blue plus icon), which uses the system’s default trust settings. With trustAsRoot I no longer get certificate warnings e.g. in Safari, but I wonder what I have to do to get a nice green check mark icon…
Per,
Are you adding a root CA? You may have different results with this command if you’re adding a certificate that’s been issued by another CA.
http://wiki.cacert.org/ImportRootCert
That’s probably it, the root CA is offline and locked away in a safe, and the issuing CA is online. I guess it’s serving me its own certificate and not the root’s.
I can get the complete chain as a p7b, but I haven’t figured out how to extract a PEM format root certificate out of that.
openssl pkcs7 -in certnew.p7b -print_certs did the trick, and with a cut’n’paste I can add the certificate with trustRoot. Still just a blue plus icon and not a green checkmark though…
The security man page doesn’t explain the effects of the trustRoot and trustAsRoot.
Can you give a short description of what the two options do and how they differ?
trustAsRoot trusts everything signed by that certificate as if it was a root certificate, even if it’s not, e.g. if it’s just an intermediate certificate. trustRoot trusts the specified root certificate, but you have to point it to a root certificate.
Got it!
Thank you very much.
When I do this I get an error that reads: SecCertificateAddToKeychain: Unknown format in import. I have searched for this error everywhere but there is no definitive answer… What is your take on this?
Sorry to drag up an old post, but trying to do this via casper, how could I make it run as the user and not as root, do you know?
Were you able to deploy this via casper? I'm not sure this can be run under the root context that a deployment solution would run it under. I am trying to deploy using a systems management tool as well. Any suggestions?
I don’t fully understand the ‘-d’ option. The man page mentions “Add to admin cert store; default is user.” But if I'm specifying the keychain with -k anyway, what does ‘admin cert store’ mean anyway?
Rich, I’m wondering if I can do the same with an ssl cert which is from a proxy server? Of course when I drop the cert into the system.keychain, it changes from a .pem to a .cer. I thought for Casper, I could just package it with composer and use your script to install it into the system.keychain.
Worked for me on Mac OS X El Capitan
Is there a way to automagically set all of the trust settings to “Always Trust” after importing the cert?
I’m trying to add a CA to the login keychain for getting support for the Safari browser. I use the below security command
sudo security add-trusted-cert -r trustRoot -k "/Users/maya/Library/Keychains/login.keychain" "/tmp/certs/test.cer"
The cert got added to the login keychain successfully, but the browser is not able to recognize the certificate authority, getting the error ‘ERR_cert_authority_invalid’.
Hello
Is it still working correctly? While performing, GUI pop up appears asking for a password to change trust settings. Is it possible to bypass GUI and use only Terminal?
@Luke – I am also facing the same issue, I think they changed something in Big Sur security. This is happening only after the Big Sur OS. If someone can find the solution that will be great.
tried with sudo /usr/bin/security but no luck
@Luke @Kuldeep
use this
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain -P
So I was running into the same issue. The script would import the cert but it would not trust it. After a couple days on and off working on this, I finally realized that I was using the wrong -r command. I was using trustRoot as suggested above, but the cert I was using was not issued by another cert. So I had to change the -r command to trustAsRoot. Example below.
security add-trusted-cert -d -r trustAsRoot -k /Library/keychains/system.keychain