Posted on 02-23-2012 05:01 PM
I revised the script importCACert.sh from the JAMF Resource Kit in order to build a package that installed both the Root and Intermediate Certs, and always trusted the root.
```
#!/bin/bash
# Installs an internal Root CA and its Intermediate into the System keychain.
# Adapted from the JAMF Resource Kit importCACert.sh.
#
# The paths below are placeholders; either hard-code them or leave them empty
# and pass them as Casper script parameters $4 (root) and $5 (intermediate).
caCertLocation="/Library/Application Support/JAMF/YourRoot.cer"            #Example: "/Library/Application Support/JAMF/CompanyCA.pem"
caIntCertLocation="/Library/Application Support/JAMF/YourIntermediate.cer"  #Example: "/Library/Application Support/JAMF/CompanyIntermediateCA.pem"

# Script parameters only take effect when the hard-coded value above is empty.
if [ "$4" != "" ] && [ "$caCertLocation" == "" ]; then
	caCertLocation="$4"
fi
if [ "$5" != "" ] && [ "$caIntCertLocation" == "" ]; then
	caIntCertLocation="$5"
fi

# Determine the OS X minor version (e.g. 7 for 10.7). Comparing the numeric
# field avoids the string comparison that would sort 10.10 before 10.5.
OS=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion)
osMinor=$(echo "$OS" | awk -F. '{print $2}')

# Both certificate files must be present before anything is imported.
if [ "$caCertLocation" == "" ] || [ ! -f "$caCertLocation" ]; then
	echo "Error: No value was specified for the caCertLocation variable or the file does not exist. Please specify a value for the variable or ensure that you are running this script after installing the certificate."
	exit 1
fi
if [ "$caIntCertLocation" == "" ] || [ ! -f "$caIntCertLocation" ]; then
	echo "Error: No value was specified for the caIntCertLocation variable or the file does not exist. Please specify a value for the variable or ensure that you are running this script after installing the certificate."
	exit 1
fi

if [ "$osMinor" -lt 5 ]; then
	# 10.4 and earlier: certtool into the legacy X509Anchors keychain.
	echo "Importing CA Cert..."
	/usr/bin/certtool i "$caCertLocation" v k=/System/Library/Keychains/X509Anchors
	echo "Importing CA Intermediate Cert..."
	/usr/bin/certtool i "$caIntCertLocation" v k=/System/Library/Keychains/X509Anchors
else
	# 10.5 and later: the root becomes a trust anchor (-r trustRoot).
	echo "Importing CA Cert..."
	/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$caCertLocation"
	# The intermediate is added with -r unspecified so it is available for chain
	# building but is not itself a trust anchor; trust still derives from the root.
	echo "Importing CA Intermediate Cert..."
	/usr/bin/security add-trusted-cert -d -r unspecified -k /Library/Keychains/System.keychain "$caIntCertLocation"
fi
```
Posted on 04-02-2012 01:45 PM
Thanks for sharing. Your script worked for me with our Internal Root CA and Internal Issuing CA. The use of "unspecified" was the trick I needed.
Jason
Posted on 04-02-2012 02:35 PM
Is an unspecified trust setting the desired result?
If you want the intermediate to be trusted, use trustAsRoot instead of unspecified.
Posted on 04-02-2012 08:12 PM
I am stumbling a bit in this area. I had used "trustRoot" for the Internal Issuing CA and that wasn't working correctly. I see in the man page for security there is trustRoot and trustAsRoot. I'll look up the meaning and I'll give that a try tomorrow.
Posted on 04-03-2012 05:10 AM
@Nick
I hope you're not suggesting to explicitly trust your Intermediate certificate...
@Jason
I believe you want trustAsRoot
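Editor's added example, not part of the thread: the replies above disagree over whether an intermediate should be "unspecified", "trustRoot" or "trustAsRoot". The script below builds a throwaway Root CA -> Issuing CA -> server chain with OpenSSL and checks which anchor choices let the server cert verify. OpenSSL's -CAfile stands in for the keychain's trust anchors (trustRoot), -untrusted for an intermediate added with "unspecified", and -partial_chain for promoting the intermediate to an anchor (what trustAsRoot does). All names (Example Root CA, Example Issuing CA, lync.example.com) are made up for the demo.

```bash
#!/bin/bash
# Added example: root -> intermediate -> leaf chain built with OpenSSL, then
# verified under different trust-anchor choices. Names and paths are made up.

write_config() {   # $1 = path of the OpenSSL config to create
	cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:lync.example.com
EOF
}

make_chain() {     # $1 = working dir; creates root.pem, intermediate.pem, leaf.pem
	local d="$1" cnf="$1/openssl.cnf"
	write_config "$cnf"
	# Self-signed root (the only certificate an administrator should anchor)
	openssl req -x509 -new -newkey rsa:2048 -nodes -config "$cnf" -extensions ca_ext \
		-subj "/CN=Example Root CA" -days 2 -keyout "$d/root.key" -out "$d/root.pem" || return 1
	# Issuing (intermediate) CA signed by the root
	openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
		-subj "/CN=Example Issuing CA" -keyout "$d/intermediate.key" -out "$d/intermediate.csr" || return 1
	openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
		-set_serial 1001 -days 2 -extfile "$cnf" -extensions ca_ext -out "$d/intermediate.pem" || return 1
	# Server (leaf) certificate signed by the intermediate
	openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
		-subj "/CN=lync.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" || return 1
	openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
		-set_serial 1002 -days 2 -extfile "$cnf" -extensions leaf_ext -out "$d/leaf.pem" || return 1
}

# Verifies leaf.pem in $1 with the remaining args passed to openssl verify.
# Prints "ok" only when OpenSSL reports "<path>: OK".
check() {
	local d="$1" out; shift
	out=$(openssl verify "$@" "$d/leaf.pem" 2>&1)
	case "$out" in *": OK"*) echo ok ;; *) echo FAIL ;; esac
}

# Returns 0 when the four cases behave as the thread describes:
#  1. root anchored + intermediate supplied untrusted -> ok   (trustRoot + unspecified)
#  2. root anchored, intermediate absent              -> FAIL (client cannot build the chain)
#  3. intermediate alone as anchor                    -> FAIL (it is not self-signed)
#  4. intermediate alone with -partial_chain          -> ok   (what trustAsRoot would do)
chain_demo() {
	local d r1 r2 r3 r4
	d=$(mktemp -d) || return 1
	if ! make_chain "$d" >/dev/null 2>&1; then rm -rf "$d"; return 1; fi
	r1=$(check "$d" -CAfile "$d/root.pem" -untrusted "$d/intermediate.pem")
	r2=$(check "$d" -CAfile "$d/root.pem")
	r3=$(check "$d" -CAfile "$d/intermediate.pem")
	r4=$(check "$d" -CAfile "$d/intermediate.pem" -partial_chain)
	rm -rf "$d"
	echo "root+untrusted intermediate: $r1 | root only: $r2 | intermediate only: $r3 | intermediate -partial_chain: $r4"
	[ "$r1" = ok ] && [ "$r2" = FAIL ] && [ "$r3" = FAIL ] && [ "$r4" = ok ]
}

chain_demo
```

Case 2 is the failure Jason saw before adding the intermediate: a trusted root alone does not help a client that is never handed the intermediate. Case 1 is the configuration the OP's script produces, and case 4 shows that promoting the intermediate to an anchor also verifies, which is why it "works" but widens what the machine trusts beyond the root the organisation actually controls.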
Posted on 04-03-2012 05:14 AM
Hi Jared,
I got an e-mail about your reply before it was edited :P
We trust our internal root CA cert; we then have an intermediate for our MS Lync Server. Unless I implicitly trust this Lync cert for SSL, the client will not connect.
However, the root CA is fully trusted, so I'm guessing something is wrong?
Posted on 04-03-2012 05:32 AM
Hi Ben-
So you saw my self editing in-process. Thought it was a little "throat jump down-y" so I walked it back.
So yeah, as my original reply stated, you never want to trust an intermediate cert. Question though: you have an intermediate cert for your Lync server? Wouldn't you have a server cert? Or do you mean that the Lync server cert was issued by your intermediate?
Let's get a look at what your certificate chain is first before we all get confused.
Posted on 04-03-2012 05:35 AM
Yep, ignore me, and sorry OP for thread stealing. I need to check what it is I'm seeing and get the right terminology before I ask the question in my own thread.
Posted on 04-03-2012 05:43 AM
Ben hit me off list.
jared dot nichols at fmr dot com