Ran into the same issue as a total Mac n00b. I struggled with scripting command to get them into System Root so I ended up manually putting the roots in the image and creating a separate "Corporate" keychain for the intermediate CAs and push that as a package.

Works well as long as I don't have to add a new root CA! ;-)

Emil, theres a script in the resource kit call importCert.sh that will help the import.

It's a shame that with configuration profiles we also need to do this.

I just build a configuration profile with iPCU add my trusted certificates exported from Local Administrator account and trusted under it. I then use /usr/bin/profiles -I -F /tmp/mycompany.mobileconfig as a post flight script to install the profile. When these are installed at imaging time they come into the System keychain fully trusted. Thanks for pointing out that other script totally forgot that one.

Anyway of replicating jason steps using the JSS config profiles?

Many thanks Jason, I didn't process what you posted.. but it worked perfectly ty!..

I use a package that runs at imagetime- it puts the root and intermediate certs in a temp location, installs them using the security command and then deletes the temp location.
To get the intermediate cert to be trusted you need to switch the -r switch to trustAsRoot, so for that one the command would be:

/usr/bin/security add-trusted-cert -d -r trustAsRoot -k

Thanks nick.. tbh my idea is to move away from scripting where possible & instead manage my macs via MCX or Config Profiles.

I'd like to deploy a cert and have it trusted. I am new to deploying certs to Macs and not sure how to accomplish what jhbush1973 has suggested. We basically have a cert that needs to be deployed to Macs and the cert needs to be trusted once it is deployed.