Skip to main content
Question

Removing Digitnotar certificates

  • September 8, 2011
  • 5 replies
  • 10 views
talkingmoose
Forum|alt.badge.img+36

If you're not familiar with the Diginotar debacle, this is a Certificate
Authority whose servers were compromised and had fraudulent SSL
certificates issued. If your users hit any of the sites with these
fraudulent certificates then they are subject to spoofed content, phishing
attacks or man-in-the-middle attacks. Microsoft is actually releasing an
out-of-cycle patch to address this issue.

Unfortunately, this exposed a problem with Mac OS X's ability to warn
users who decided to "untrust" these root certificates. It doesn't work.
So far, Apple hasn't released an update to correct this. Mac users are
advised to remove the certificate completely.

More information:

"Microsoft Security Advisory (2607712)"
<http://www.microsoft.com/technet/security/advisory/2607712.mspx>

"Safari users still susceptible to attacks using fake DigiNotar certs"
<http://arstechnica.com/apple/news/2011/09/safari-users-still-susceptible-t
o-attacks-using-fake-diginotar-certs.ars?utm_source=rss&utm_medium=rss&utm_
campaign=rss>

"Removing DigiNotar Trust in OS X"
<http://krypted.com/mac-os-x/7068/>

Our Corp IT folks passed down a mandate to remove the Diginotar
certificates from our machines and so I devised the following method to
remove them from our Macs and make record of their removal. Hope folks
find it useful.

  1. Create an extension attribute populated by the following script:

#!/bin/sh

CONTENTS=$(security find-certificate -e info at diginotar.nl
"/System/Library/Keychains/SystemRootCertificates.keychain")

if ( test "$CONTENTS" ) then RESULT="Certificate installed."
else RESULT="Certificate not installed."
fi

echo "<result>$RESULT</result>"

  1. Create a smart group to list Macs found by the extension attribute with
    "Certificate installed." I have this group set to email me when anything
    changes.

  2. Create an ongoing policy triggered by "any" and scoped to the smart
    group that will run the following command:

security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C
"/System/Library/Keychains/SystemRootCertificates.keychain"

and to inventory the machine.

To kickstart the process I'm using Casper Remote and ARD to quickly
inventory my machines and get whether the Diginotar certificate is
installed. The policy will take over from there and remove it.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

    5 replies

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Esteemed Contributor
    • September 9, 2011

    Thank you for this!

    I do have a small problem though - when the removal runs against the smart group machines it returns that it can't remove the certificate.
    And when I save the following as a command it removes the "s and replaced with &quot, so I removed the "s from it...

    security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"

    John Wojda
    Lead System Engineer, DEI & Mobility
    3333 Beverly Rd.  B2-338B
    Hoffman Estates, IL 60179
    Phone:  (847)286-7855
    Page:  (224)532.3447
    Team Lead DEI: Matt Beiriger
    Team Lead Mobility: Chris Sta Ana
                       Mac Tip/Tricks/Self Service & Support

    "Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"

    talkingmoose
    Forum|alt.badge.img+36
    • talkingmoose
    • Author
    • Community Manager
    • September 9, 2011
    On 9/9/11 12:08 PM, "Wojda, John" <John.Wojda at searshc.com> wrote: Thank you for this!

    Glad folks are finding this useful! :-)

    I do have a small problem though - when the removal runs against the smart group machines it returns that it can't remove the certificate.

    Not sure what's happening. If you manually run the below command in the
    Terminal does that work?

    And when I save the following as a command it removes the "s and replaced with &quot, so I removed the "s from it... security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"

    Removing quotes should be fine. This path has no spaces or special
    characters to escape.

    --

    William Smith
    Technical Analyst
    Merrill Communications LLC
    (651) 632-1492

    golbiga
    Forum|alt.badge.img+21
    • golbiga
    • Employee
    • September 9, 2011

    Apple also just released the security update that removes the bad cert.

    Allen

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • September 9, 2011

    Looks like apple have released an update.

    http://support.apple.com/kb/HT4920

    Regards,

    Ben.

    talkingmoose
    Forum|alt.badge.img+36
    • talkingmoose
    • Author
    • Community Manager
    • September 9, 2011

    Just saw that. A much better solution.
    On 9/9/11 12:39 PM, "Ben Toms" <bentoms at btopenworld.com> wrote:

    --

    William Smith
    Technical Analyst
    Merrill Communications LLC
    (651) 632-1492

    Terms & ConditionsCookie settingsAccessibility statement