Script Pushing a certificate and dealing with Google's change to encrypted searches...

GabeShack
Valued Contributor III

Hey all,
So since a few weeks ago we have been trying to implement a solution to having our content filter work with encrypted searches from Google. We have a SonicWall and the recommendation is to turn on DPI-SSL or deep packet inspection. To do this though I have to push a certificate to all machines to allow the SonicWall as a trusted source. I have been working with the importCACert.sh file from here and can't seem to get it to work.

BTW I'm not the best at scripting and I'm sure I just left something out so any help would be great!

No matter what I try I'm still getting the Error as follows "No value was specified for the caCertLocation variable or the file does not exist. Please specify a value for the variable or ensure that you are running this script after installing the certificate."

I have already placed the .cer file into a folder I created in the directory /Library/Application Support/JAMF/Certs
but continue to get the same error.

My variables look like this:

# HARDCODED VALUES ARE SET HERE
caCertLocation="/Library/Application Support/JAMF/Certs/SonicWall_DPI-SSL_CA.cer" #Example: "/Library/Application Support/JAMF/CompanyCA.pem"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "caCertLocation"
if [ "$4" != "" ] && [ "$caCertLocation" == "" ];then
    caCertLocation=$4
fi

Any ideas?
Gabe Shackney
Princeton Public Schools


cdenesha
Valued Contributor III

I've only played with bash scripting a couple of times, but let's see if I can help.

Figure out where it is breaking down by echoing out the variables and then run from the command prompt.

echo $4
echo $caCertLocation

nkalister
Valued Contributor

that import CAcert script is crazy, I never use it.

All you need is a pkg that drops the certificates on the hard drive, then in your postflight script, run this command if it's a root cert:

security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/the/cert/file

if it's an intermediate cert, use this command to install it to your keychain

security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /path/to/the/cert/file

make sure to scroll to see the entire command! they're both cut off on the right.

bentoms
Release Candidate Programs Tester

Why not via a config profile?

tkimpton
Valued Contributor II

+1 for config profile :)

nkalister
Valued Contributor

yeah, nothing wrong with a config profile. i made my certificate package before profiles were a thing . . . . If I was doing it now, I'd probably use a profile, too, so ignore me and use a profile! :)

bentoms
Release Candidate Programs Tester

Used that script too on 10.6. But when 10.7 came around moved to config profiles.

Especially handy as our internal CA Cert expires annually. :(