Intermediate cert trust setting, need documentation

New Contributor III

Can anyone point me to documentation on how to set/configure proper trust settings of Intermediate certificates?

Our parent org sent me a package installer containing a new PIV certificate chain and an installation script. Once installed on a 10.11 or 10.12 Mac, the certificates do not work for authentication; i.e., PIV-based auth in Cisco AnyConnect fails with "certificate validation failure". I looked in the System keychain and the new cert chain has "custom" trust settings of "Always Trust" (set by the script in the pkg).

I thought I read somewhere that an intermediate cert's default setting should be "unspecified" when using the security command, or "Use System Defaults" when using Keychain Access. Sure enough, once I changed the trust setting of both certs to "unspecified" using the security command, my authentication issue was solved.

So even though it may seem right to "always trust" an intermediate cert, Macs require them to use system defaults as the trust setting to function properly.

I would like to pass my findings up the chain, in hopes that next time I won't have to reverse engineer and fix their pkg. I can't seem to find solid technical documentation to support my findings/results. If anyone can point me in the right direction I would appreciate it!
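The fix the poster describes, written out as a macOS shell script. This is an added example, not code from the original post or from the parent org's pkg: it clears the admin ("-d", System keychain) trust setting that the installer applied to each intermediate and re-adds the cert with result type "unspecified", which is what Keychain Access shows as "Use System Defaults". Then it dumps the admin trust settings so the result can be checked and offers a verify-cert call for the leaf. The certificate paths, the DRY_RUN switch and the function names are assumptions for illustration; the security(1) subcommands and flags are the real ones. Run it as root (or under sudo), since admin trust settings live in the System keychain.

```shell
#!/bin/sh
# Added example: reset intermediate-cert trust settings from "Always Trust"
# to "unspecified" (Keychain Access: "Use System Defaults") on macOS.
# Not from the original post; cert paths and DRY_RUN are assumptions.
set -eu

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Execute a command, or only print it when DRY_RUN=1 so the exact
# security(1) invocations can be reviewed before the System keychain is touched.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Remove any admin trust setting for the given cert file (DER or PEM), then
# re-add it with result type "unspecified". Removing the custom setting alone
# already puts the cert back at system defaults; re-adding with -r unspecified
# records that intent explicitly, matching what the poster did.
# remove-trusted-cert fails when no custom setting exists, which is fine here.
reset_intermediate_trust() {
    cert=$1
    run security remove-trusted-cert -d "$cert" || true
    run security add-trusted-cert -d -r unspecified -k "$SYSTEM_KEYCHAIN" "$cert"
}

# Check: after the change, the leaf (the PIV auth cert) should chain cleanly
# under the "basic" X.509 policy; a failure here reproduces the AnyConnect error.
verify_leaf() {
    run security verify-cert -c "$1" -p basic
}

# Show the admin trust settings so the "unspecified" result type can be confirmed
# (look for the intermediates and their Result Type in the output).
show_admin_trust() {
    run security dump-trust-settings -d
}

main() {
    for c in "$@"; do
        reset_intermediate_trust "$c"
    done
    show_admin_trust
}

# Usage: sudo sh fix-intermediate-trust.sh intermediate1.cer intermediate2.cer
# (set DRY_RUN=1 first to see the commands without running them)
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A practical caveat: `add-trusted-cert -r unspecified` is applied per policy; without a `-p` option it applies to all policies, which is the state the poster ended up with. If the parent org's script used `-r trustRoot` (the default, i.e. "Always Trust") on a cert that is not self-signed, that is exactly the custom setting this script undoes.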