Remove CA From System Roots?

Not applicable

I can easily set a Root CA cert to "Never Trust" from within Keychain Access. However, I want to do this on the command line so that I can just send it out as a policy.

I've considered creating a new System Roots keychain and then doing a replacement of the old one, but that seems to run into a dead end.

Any other ideas?

Thanks,
Damien

2 REPLIES

rtrouton
Release Candidate Programs Tester

As it happens, I just saw this entry on how to remove a Root CA from the System Keychain:

http://radiotope.com/content/remove-certificate

Thanks,
Rich

Jak
New Contributor III

I've used this to install new certs; part of the package deploys the new certs to /tmp, then this script picks them up and applies them.

If you need to delete, from the man page for /usr/bin/security:

    delete-certificate    Delete a certificate from a keychain.

-----

#!/bin/bash

# post installation KeyChain security scripting for system Root certificates
# Expects the package to have already dropped the certificate files under /tmp/2011.

# -d: write the trust setting to the admin (system-wide) trust domain; must run as root
# -r trustAsRoot: trust this cert as a root even though it is not self-signed
/usr/bin/security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/tmp/2011/foo.bar.com"
# -r trustRoot: trust this self-signed cert as a root CA
/usr/bin/security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/tmp/2011/IssuingCA"

-----

Hope this helps.
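As an added example (not code from either reply), here is the other half of what the thread asks for: a helper a policy script can call to either mark a root CA "Never Trust" (`security add-trusted-cert -d -r deny`, which overrides the read-only System Roots keychain from the admin trust domain) or delete it from the System keychain by SHA-1 hash (`security delete-certificate -Z`). It assumes `security find-certificate -a -Z` prints one `SHA-1 hash: <40 hex>` line per certificate; the PEM content, the tool output and the path `/tmp/badroot.pem` are constructed placeholders, and the functions only build the commands rather than run them.

```python
import base64
import hashlib
import re

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(der):
    """Upper-case hex SHA-1 of the DER: the value `security ... -Z` prints and accepts."""
    return hashlib.sha1(der).hexdigest().upper()


def fingerprints_in_keychain(find_output):
    """Parse `security find-certificate -a -Z <keychain>` output (assumed format:
    one 'SHA-1 hash: <40 hex>' line per certificate) into a set of hashes."""
    return set(re.findall(r"^SHA-1 hash: ([0-9A-F]{40})$", find_output, re.M))


def plan(pem_path, pem_text, find_output, mode="deny"):
    """Build the argv lists a policy script would run; nothing is executed here.
    'deny'   records a Never Trust setting in the admin trust domain (-d), which
             also covers roots that live in the read-only System Roots keychain.
    'delete' removes the cert from the System keychain, only if it is really there."""
    if mode == "deny":
        return [["/usr/bin/security", "add-trusted-cert", "-d", "-r", "deny",
                 "-k", SYSTEM_KEYCHAIN, pem_path]]
    fingerprint = sha1_fingerprint(pem_to_der(pem_text))
    if fingerprint not in fingerprints_in_keychain(find_output):
        return []  # not installed in System.keychain: delete-certificate would fail
    return [["/usr/bin/security", "delete-certificate", "-Z", fingerprint,
             SYSTEM_KEYCHAIN]]


# Constructed sample input: not a real certificate and not real tool output.
FAKE_DER = b"constructed bytes standing in for a DER-encoded root CA"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(FAKE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
SAMPLE_FIND_OUTPUT = ("SHA-1 hash: " + sha1_fingerprint(FAKE_DER) + "\n"
                      + 'keychain: "' + SYSTEM_KEYCHAIN + '"\n')
```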