Posted on 09-08-2011 11:13 AM
If you're not familiar with the Diginotar debacle, this is a Certificate
Authority whose servers were compromised and had fraudulent SSL
certificates issued. If your users hit any of the sites with these
fraudulent certificates then they are subject to spoofed content, phishing
attacks or man-in-the-middle attacks. Microsoft is actually releasing an
out-of-cycle patch to address this issue.
Unfortunately, this exposed a problem with Mac OS X's ability to warn
users who decided to "untrust" these root certificates. It doesn't work.
So far, Apple hasn't released an update to correct this. Mac users are
advised to remove the certificate completely.
More information:
"Microsoft Security Advisory (2607712)"
<http://www.microsoft.com/technet/security/advisory/2607712.mspx>
"Safari users still susceptible to attacks using fake DigiNotar certs"
<http://arstechnica.com/apple/news/2011/09/safari-users-still-susceptible-to-attacks-using-fake-diginotar-certs.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss>
"Removing DigiNotar Trust in OS X"
<http://krypted.com/mac-os-x/7068/>
Our Corp IT folks passed down a mandate to remove the Diginotar
certificates from our machines and so I devised the following method to
remove them from our Macs and make record of their removal. Hope folks
find it useful.
#!/bin/sh
# Extension attribute: report whether a certificate issued to DigiNotar's
# contact address is present in the system roots keychain.
CONTENTS=$(security find-certificate -e info@diginotar.nl \
  "/System/Library/Keychains/SystemRootCertificates.keychain")
if [ -n "$CONTENTS" ]; then
  RESULT="Certificate installed."
else
  RESULT="Certificate not installed."
fi
echo "<result>$RESULT</result>"
Create a smart group to list Macs found by the extension attribute with
"Certificate installed." I have this group set to email me when anything
changes.
Create an ongoing policy triggered by "any" and scoped to the smart
group that will run the following command:
security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"
and to inventory the machine.
To kickstart the process I'm using Casper Remote and ARD to quickly
inventory my machines and get whether the Diginotar certificate is
installed. The policy will take over from there and remove it.
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
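As an added example (not the original poster's script), here is a variant of the extension attribute that keys detection on the same SHA-1 fingerprint the removal policy deletes, so the smart group and the delete command agree on exactly which certificate is meant. It parses the output of `security find-certificate -a -Z` for the system roots keychain; the sample dump embedded below is constructed so the logic can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: extension attribute keyed on the DigiNotar root's SHA-1
# fingerprint quoted in the thread, rather than on the contact e-mail address.
DIGINOTAR_SHA1="C060ED44CBD881BD0EF86C0BA287DDCF8167478C"
ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

# Print the label of every certificate in `security find-certificate -a -Z`
# output ($1) whose SHA-1 fingerprint equals $2 (compared case-insensitively).
labels_for_hash() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^SHA-1 hash:/ { cur = toupper($3) }
        /"labl"<blob>=/ {
            if (cur == toupper(want)) {
                sub(/^[^=]*="/, ""); sub(/"$/, ""); print
            }
        }'
}

# Casper extension-attribute result string, computed from a captured dump.
ea_result() {
    if [ -n "$(labels_for_hash "$1" "$DIGINOTAR_SHA1")" ]; then
        echo "<result>Certificate installed.</result>"
    else
        echo "<result>Certificate not installed.</result>"
    fi
}

# Constructed sample in the format `security find-certificate -a -Z` prints.
SAMPLE='SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="Example Trusted Root"
SHA-1 hash: C060ED44CBD881BD0EF86C0BA287DDCF8167478C
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="DigiNotar Root CA"'

# On a Mac, dump the real system roots; elsewhere fall back to the sample.
if command -v security >/dev/null 2>&1 && [ -r "$ROOTS" ]; then
    DUMP=$(security find-certificate -a -Z "$ROOTS")
else
    DUMP=$SAMPLE
fi
ea_result "$DUMP"
```

Re-running the same script after the delete policy has fired confirms removal, since the fingerprint disappears from the dump.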
Posted on 09-09-2011 10:08 AM
Thank you for this!
I do have a small problem though - when the removal runs against the smart group machines it returns that it can't remove the certificate.
And when I save the following as a command it removes the "s and replaces them with ", so I removed the "s from it...
security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"
John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead DEI: Matt Beiriger
Team Lead Mobility: Chris Sta Ana
Mac Tip/Tricks/Self Service & Support
"Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan"
Posted on 09-09-2011 10:30 AM
On 9/9/11 12:08 PM, "Wojda, John" <John.Wojda at searshc.com> wrote:
> Thank you for this!
Glad folks are finding this useful! :-)
> I do have a small problem though - when the removal runs against the smart group machines it returns that it can't remove the certificate.
Not sure what's happening. If you manually run the below command in the
Terminal does that work?
> And when I save the following as a command it removes the "s and replaces them with ", so I removed the "s from it...
> security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"
Removing quotes should be fine. This path has no spaces or special
characters to escape.
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 09-09-2011 10:33 AM
Apple also just released the security update that removes the bad cert.
Allen
Posted on 09-09-2011 10:39 AM
Posted on 09-09-2011 10:44 AM
Just saw that. A much better solution.
On 9/9/11 12:39 PM, "Ben Toms" <bentoms at btopenworld.com> wrote:
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492