Skip to main content
Question

Verify the Existence of a System.keychain Certificate?

  • May 26, 2016
  • 6 replies
  • 101 views
dstranathan
Forum|alt.badge.img+19

I'm pondering the idea of leveraging a Extension Attribute that could theorietically report/verify the existence of a specific root CA certificate in the OS X System Keychain. Based on the results it yields, I could add/delete certificate(s) as needed via scripts/policies, etc.

Has anyone invented this wheel yet?

    6 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • May 26, 2016

    Not something exactly like what you described, but I have an EA written a long while back that, among other things, looks for the computer's AD keychain entry in the System.keychain and verifies its valid (as part of a larger "is this Mac still joined to AD?" type EA script)

    Checking for certs in the system.keychain is definitely doable with the security command, so yeah, you can do something like that for sure.

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • May 26, 2016

    Just to make my post a little more useful, here's a basic EA that should work to do what you're looking for. Just edit the CERTNAME variable to the name of the Root CA or other cert you're looking for. It will create either a "Yes" or "No" EA result.

    #!/bin/bash

CERTNAME="<Put Root CA Name here>"

## Default result. Gets changed to "Yes" if the Root CA is found
result="No"

while read cert_entry; do
    if [ "$cert_entry" == "$CERTNAME" ]; then
        result="Yes"
    fi
done < <(security find-certificate -a /Library/Keychains/System.keychain | awk -F'"' '/alis/{print $4}')

echo "<result>$result</result>"
    C
    S
    dstranathan
    Forum|alt.badge.img+19
    • dstranathan
    • Author
    • Valued Contributor
    • May 26, 2016

    That's exactly was I was imagining. Thank you sir.

    D
    Forum|alt.badge.img+3
    • Dhuhindhan
    • New Contributor
    • April 11, 2023

    Hi @mm2270 i am trying to find the certificate called ISRG Root X1 from System Roots on the keychain but the result is not coming correctly I guess the script is not checking the attributes correctly, Looking for help.

    #!/bin/bash

    CERTNAME="<ISRG Root X1>"

    ## Default result. Gets changed to "Yes" if the ISRG Root X1 is found
    result="No"

    while read cert_entry; do
    if [ "$cert_entry" == "$CERTNAME" ]; then
    result="Yes"
    fi
    done < <(security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain | grep "alis" | sed 's/"//g' | sed 's/ alis<blob>=//g')

    echo "<result>$result</result>"

    This is the script I am using on the EA

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • April 11, 2023

    Hi @mm2270 i am trying to find the certificate called ISRG Root X1 from System Roots on the keychain but the result is not coming correctly I guess the script is not checking the attributes correctly, Looking for help.

    #!/bin/bash

    CERTNAME="<ISRG Root X1>"

    ## Default result. Gets changed to "Yes" if the ISRG Root X1 is found
    result="No"

    while read cert_entry; do
    if [ "$cert_entry" == "$CERTNAME" ]; then
    result="Yes"
    fi
    done < <(security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain | grep "alis" | sed 's/"//g' | sed 's/ alis<blob>=//g')

    echo "<result>$result</result>"

    This is the script I am using on the EA


    @Dhuhindhan Are you actually entering the certificate name as <ISRG Root X1> in the variable? Because the < and > characters are not supposed to be included. I just put that there in my example script to indicate it was a variable. Sorry if that wasn't clear. Change it to CERTNAME="ISRG Root X1" and try again.

    Second thing is, the security find-certificate line can be simplified to get a cleaner list. Change that out to this:

    security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain | /usr/bin/awk -F'"' '/alis/{print $4}'

    Also verify that the name of the certificate actually shows up that way when viewing it in the command line. It would be whatever shows up in the security command output above. Check to make sure the certificate shows up with the name you're using in the variable.

    dlondon
    1
    Forum|alt.badge.img
    • 11thdoctor
    • New Contributor
    • April 24, 2023

    @Dhuhindhan Are you actually entering the certificate name as <ISRG Root X1> in the variable? Because the < and > characters are not supposed to be included. I just put that there in my example script to indicate it was a variable. Sorry if that wasn't clear. Change it to CERTNAME="ISRG Root X1" and try again.

    Second thing is, the security find-certificate line can be simplified to get a cleaner list. Change that out to this:

    security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain | /usr/bin/awk -F'"' '/alis/{print $4}'

    Also verify that the name of the certificate actually shows up that way when viewing it in the command line. It would be whatever shows up in the security command output above. Check to make sure the certificate shows up with the name you're using in the variable.


    I was actually looking at doing this too similar as above and though I have the cert it shows No

    Terms & ConditionsCookie settingsAccessibility statement