Microsoft Root Certificate

Valued Contributor

Does anyone know how to add a Microsoft Root Certificate to a base build? Or
has anybody managed to package it?

I am pulling my hair out.... :(



Not applicable

Give me your specs for this; I had to install a few certs a while ago for
Entourage to use against Exchange.
-- Sean Gallagher
Sr. Platform Engineer
The Children's Hospital of Philadelphia
100 Penn Square East 7th Flr.
Phila, PA. 19107


Is this certificate for "Microsoft" the company or are you asking how to
install a root certificate from a local Windows server on your network?

On 7/3/10 5:37 PM, "Baykara, Cem" <Cem.Baykara at BSKYB.COM> wrote:


William Smith
Technical Analyst
MCS IT, Saint Paul
(651) 632-1492

Valued Contributor

I have a cert file given to me by our exchange admin guys. I will be using
this for OCS (MSNv702 Mac Client) and Entourage EWS to use against

Thanks for the rescue

Valued Contributor

How to install a root certificate from a local Windows server on your

Thanks for clearing that up, William


Date: Tue, 6 Jul 2010 10:18:33 -0500

Valued Contributor II

Are you trying to install this in the System keychain, or the users' login keychain?

I had to do the latter, so I developed a .pkg to put it into /Users/Shared, and a script which imported the certificate for the current user, and marked it as trusted.

I'll have to dig out the script tomorrow...


Valued Contributor

That sounds brilliant Robert. Will this method work for newly created accounts like AD accounts?

Sent from my iPhone

Not applicable

If memory serves me right you should be able to take the following steps on
your base build:

1. Open Keychain
2. Select 'Add Keychain...' under File
3. Add x509Anchors located at /System/Library/Keychains
4. Double click your cert and add it to X509Anchors

Again, if memory serves me right, these are the steps I took to enable

Good luck.

Valued Contributor

I know this has been a while...I now managed to find a time to look in to

I have packaged the .cer files and created a Self Service item.
However my script works intermittently!! I think I will need some advice
about the home directory wildcard "/Users/*/Library/Keychains/login.keychain".

If I run the commands locally from terminal it works. But only
intermittently works by using Self Service.

I get this error:
Running Script
Script Exit Code:0

Here is the script:

#!/bin/sh
# This script installs CA cert files from the path /Users/Shared/, imports
# them into the user keychain, then deletes them.
# -k: the glob is expanded by the shell, so it only yields a single
# keychain when exactly one home directory under /Users matches.

sudo security add-trusted-cert -d -k /Users/*/Library/Keychains/login.keychain "/Users/Shared/Root CA.cer"

/bin/sleep 5 # allow some time

sudo security add-trusted-cert -d -k /Users/*/Library/Keychains/login.keychain "/Users/Shared/Policy CA.cer"

/bin/sleep 5 # allow some time

sudo security add-trusted-cert -d -k /Users/*/Library/Keychains/login.keychain /Users/Shared/SERVER.cer

/bin/sleep 5 # allow some time

sudo rm "/Users/Shared/Root CA.cer"
sudo rm "/Users/Shared/Policy CA.cer"
sudo rm /Users/Shared/SERVER.cer

# Display dialog
/usr/sbin/jamf displayMessage -message "CA Certificates Imported"


Valued Contributor

Hello everybody,

I have spent a bit more time on my off day (I think I should go out more
-sad-) and found out a little bit more...

I am now trying to get only one certificate file imported into the logged-in
user's keychain; if this works I will implement this method for the rest
of the certificate files.

I have a command line that works fine through ARD Unix Command (not root)
and locally from Terminal, but it doesn't work through Casper Suite!! I have
tried a script and Run Command from Policy and Casper Remote, also Self

Here is the command (see below); it points to the cert file in the
/Users/Shared/ path. The command is user level and requires the logged-in user
to enter their password to run (the password prompt works with Casper too, but
after entering the password the user's keychain still doesn't populate).

security add-trusted-cert -k ~/Library/Keychains/login.keychain "/Users/Shared/Root CA.cer"

Am I missing something??

Any help will be appreciated.


Valued Contributor

I think because Casper logs in through ssh with its managed account, it executes the command for this account only, not for the logged-in user.
I have tried $3 ~/Users/pathtofile and also $1, but it still didn't work.

Is there a way to execute a script or command that points to the logged-in user's home folder path using Casper Suite?

This is the log.
/usr/sbin/jamf is version 7.31
Executing Policy import CA Certificate...
Downloading http://serverip:80/CasperShare/Packages//Policy Shared CA.cer.dmg...
Verifying DMG...
Installing Policy Shared CA.cer.dmg...
Closing package...
Running command security add-trusted-cert -k ~/Library/Keychains/login.keychain /Users/Shared/Root CA.cer...
Result of command:
SecCertificateAddToKeychain: The specified keychain could not be found.

This is where the problem is: The specified keychain could not be found

Have a great Sunday


Sent from my iPad

Valued Contributor

Jared, you have nailed it… works like a charm :)

Thanks everyone for helping me.

New Contributor III

Try adding "sudo -u $3" before your command to force the command to run as the logged in user.

Bill Henkel
Computer Technician
Telephone Support Specialist
henkelb at
fax: 608-785-9287

New Contributor

If you're having problems with $3 and $1, you could always try to assign your own variable with "id -un". It may be helpful to consider that the script below can make a folder called "test" at the root of the current user's home directory.


currentuser=$(id -un)
mkdir "/Users/$currentuser/test"

-Matt Wright

Honored Contributor

$3 only returns the current user for a login policy; otherwise the
framework will not pass $3 as the current user if it is not during the
login process. Now, when a user logs in, the console is owned by
them. So, I like to look at who owns /dev/console. If you are at the
login window root will own it; this is a pretty solid method of
determining what user is logged in. Since Casper runs all scripts as
root, checking anything by using something like whoami will always return
false results.

I use this

CurrentUser=$(/bin/ls -l /dev/console | /bin/awk '{ print $3 }')

When I do a root session via sudo -s, which would be the same
environment as Casper running their scripts, I get different results
using the id command; see example:

bash-3.2# id -un
root

However, I am logged in as tlarkin but my current shell session is
running as root via sudo -s. If you look at the jamf runScript command
it will display a syntax for you to pass your own parameters in the

New Contributor

Another useful approach to assigning your own variable for the current user might be:

currentuser=$(last -1 | awk '{print $1}')


Honored Contributor

To install certs in the user's keychains, we do this:

## Grab current console owner and set to a variable for use later
user=$(ls -l /dev/console | cut -d " " -f 4)

security add-trusted-cert -d -u 0,1,2,3,4,5,6,7,8,9,10,11 -k "/Users/$user/Library/Keychains/login.keychain" "/Library/Application Support/<redacted path to cert>"

Or if you need to so something on the user's behalf, you can do:

sudo -u "$user" security delete-certificate -Z <Redacted SHA-1 Hash of certificate> "/Users/$user/Library/Keychains/login.keychain"

Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420

Valued Contributor

I just realised that after I import certs with this command I have to fix the login keychain permissions with Keychain First Aid. On 10.6, I needed to log out and log back in… otherwise it doesn't allow the user to add anything to the login keychain??!!

Any ideas? Did you experience this behaviour?


Valued Contributor

This is what I get from Keychain First Aid:

Verification started

Checking keychain configuration for xxxMxXXXxx (user ID=502)

Home directory is /Users/bskyb

Checked login keychain

User differs on ~/Library/Keychains/login.keychain, should be 502, owner is 0

Checked default keychain

Checked keychain search list

Checked contents of ~/Library/Keychains/login.keychain

Checked contents of ~/Library/Keychains/Microsoft_Intermediate_Certificates

Checked contents of ~/Library/Application Support/Adobe/AIR/ELS/com.adobe.amp.xxxxxxxxxxxxxxxxxxxxxxxxxxx.1/PrivateEncryptedDatak

Problems were found; you should choose the Repair option to fix them

Verification failed

Is there a command to run the Keychain First Aid Repair, so I can add it to the end of the script?


Not applicable

That is exactly what I had. My script was set to run at login for each user, but ownership was given to root. Once I added this line everything was good again.

chown -R "$3" "/Users/$3/Library/Keychains/"


Honored Contributor

UID 0 is root; it looks like somehow root owns that certificate, probably
because you had Casper run a script or command, which executes as root. A simple chown to the user as a last step would remedy this, or
perhaps a "fill existing users" setting in the policy would apply ownership to all
existing users, I believe.

Valued Contributor

So I have done it this way and it works perfectly well…

## Grab current console owner and set to a variable for use later
user=$(ls -l /dev/console | cut -d " " -f 4)

security add-trusted-cert -d -u 0,1,2,3,4,5,6,7,8,9,10,11 -k "/Users/$user/Library/Keychains/login.keychain" "/Library/Application Support/<redacted path to cert>"

chown -R "$user" "/Users/$user/Library/Keychains/"
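Added example (not a script posted in this thread): the pieces above put together into one script for a root-context policy run, covering the console-owner lookup from tlarkin's post, including the login-window case where /dev/console is owned by root and nothing should be imported, the missing-keychain case for a brand-new account, and the chown that fixes the "should be 502, owner is 0" finding from Keychain First Aid. It assumes home directories live under /Users (the second argument of login_keychain_for overrides this), that the certificate path is passed as the first argument, and that the trust setting goes to the admin domain with -d as in the working command above; the -r trustRoot option is a documented option of security add-trusted-cert. The parsing is split out so it can be exercised with constructed `ls -l` lines.

```shell
#!/bin/sh
# Added example, not a script from the thread: import one CA certificate
# into the console user's login keychain from a script that runs as root
# (as Jamf/Casper policies do), do nothing at the login window, and hand
# keychain ownership back to the user afterwards.
# Assumptions: home directories live under /Users (override with the second
# argument of login_keychain_for) and the trust setting is written to the
# admin domain (-d), as the thread's working command does.

# Parse one line of `ls -l /dev/console` output (passed in, so it can be
# tested with constructed input) and print the owning user. Returns 1 and
# prints nothing when the owner is root: that is the login-window state,
# so callers must not treat "root" as a logged-in user.
console_user_from_ls() {
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')
    if [ -z "$owner" ] || [ "$owner" = "root" ]; then
        return 1
    fi
    printf '%s\n' "$owner"
}

# Live lookup of the console owner on the running machine.
console_user() {
    console_user_from_ls "$(/bin/ls -l /dev/console)"
}

# Print the login keychain path for a user, failing if it does not exist
# (a freshly created account may not have one yet).
login_keychain_for() {
    base="${2:-/Users}"
    kc="$base/$1/Library/Keychains/login.keychain"
    [ -f "$kc" ] || return 1
    printf '%s\n' "$kc"
}

# Import $1 as a trusted root into the console user's login keychain.
# Return codes: 2 nobody logged in, 3 keychain missing, 4 security failed.
import_ca_for_console_user() {
    cert="$1"
    user=$(console_user) || { echo "no console user; skipping" >&2; return 2; }
    kc=$(login_keychain_for "$user") || { echo "no login keychain for $user" >&2; return 3; }
    # -d: admin trust domain (needs root); -r trustRoot: treat the cert as a root.
    /usr/bin/security add-trusted-cert -d -r trustRoot -k "$kc" "$cert" || return 4
    # Running as root leaves root-owned keychain files behind (the
    # "should be 502, owner is 0" finding from Keychain First Aid).
    /usr/sbin/chown -R "$user" "$(dirname "$kc")"
}

# Usage: sh import_ca.sh "/Users/Shared/Root CA.cer"
if [ "$#" -ge 1 ]; then
    import_ca_for_console_user "$1"
fi
```

Because the import step is skipped when the console owner is root, the same script can be attached to a policy that may fire while the machine sits at the login window without writing anything into /var/root.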