Help

Trust installed certificate in Keychain via shell scripr

sk25
Contributor

Posted on ‎05-24-2023 02:40 AM

Guys, We have installed 3rd party Root CA and Enterprise CA cert in keychain via Intune mdm and those are showing as non-trusted. Now I would like to know how to make those cert are trusted using shell script. Kindly help. Thanks.

0 Kudos
Reply
13 REPLIES 13

jamf-42
Valued Contributor II

Posted on ‎05-24-2023 02:45 AM

maybe this will help, random search.. https://stackoverflow.com/questions/35031149/set-imported-certificate-to-always-be-trusted-in-mac-os...

0 Kudos
Reply

AJPinto
Honored Contributor III

Posted on ‎05-24-2023 04:41 AM

The command to do this on older versions of macOS is below. However Apple removed the ability to force trust a certificate from CLI a few years ago, that would be the -k argument. To install a Certificate and force trust it you need to deploy with a configuration profile. Any other method will prompt a user for credentials. 

 

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>

 

Reply

sk25
Contributor
In response to AJPinto

Posted on ‎07-03-2023 01:23 AM

Guys, I implemented this 'trustRoot' script in Intune for MacOS to make the certificate trust by itself.. But it's not working.. Still the certificate showing as 'This root certificate is not trusted'. Kindly advice.

0 Kudos
Reply

AJPinto
Honored Contributor III
In response to sk25

Posted on ‎07-04-2023 06:54 AM

As I mentioned in the post above you cannot do this with CLI on modern versions of macOS. Certificates should be deployed with a Configuration Profile, not with CLI.

0 Kudos
Reply

eos_bebu
New Contributor II
In response to AJPinto

Posted on ‎07-04-2023 08:33 AM

In General your statement is correct, but in this case the certificate is deployed by Microsoft Azure due enrollment with the company Portal app. 
Also there is no certificate chain currently available from Microsoft to be deployed within a configuration profile. 

i will try to anynomize my script we currently use and which scope is set and how within the next days. 

But for now I can share this much: 

when a Mac is registered with company portal, we use an EA to valide the information stored in the jamfaad.plist. If the information is okay, the Mac is scoped into a smart group and the policy runs once to “whitelist” the deployed certificate with a script. I will post the script separately. 

Does anyone already uses the new compliance connector ? Do the macs register in intune with Jamf connect? 

0 Kudos
Reply

sdagley
Esteemed Contributor II

‎05-24-2023 05:04 AM - edited ‎05-24-2023 05:04 AM

@sk25 Did you install the CA certificates via a Computer or User level profile? If they were installed as a User level profile they should be installed as Computer level.

0 Kudos
Reply

sk25
Contributor
In response to sdagley

Posted on ‎05-24-2023 09:32 AM

It's on computer level profile only.

0 Kudos
Reply

sdagley
Esteemed Contributor II
In response to sk25

Posted on ‎05-24-2023 12:07 PM

@sk25 Try this:

  1. Manually import the CAs to the System keychain on a test Mac and set the trust level on them
  2. Export the trusted CAs
  3. Create a new Configuration Profile in your JSS and upload the CAs you exported in Step 2 to a Certificate payload
  4. Push that configuration profile to another test Mac at the computer level and see if they are trusted
0 Kudos
Reply

sk25
Contributor
In response to sdagley

Posted on ‎05-24-2023 10:08 PM

This is sounds like a plan.. Will check and revert. Thanks.

0 Kudos
Reply

sk25
Contributor
In response to sdagley

Posted on ‎05-26-2023 09:57 AM

I'm sorry.. It doesn't work at all..

0 Kudos
Reply

eos_bebu
New Contributor II
In response to sk25

Posted on ‎05-30-2023 06:50 AM

Hi,
we used a similar workaround like @AJPinto mentioned with the script..

  1. find and export the certificate from the user keychain to a temporary place
  2. manipulate the authorizationdb to tempoary allow edit of the system keychain
  3. run the command from AJPinto "security add-trusted-cert -d -r trustAsRoot -k <cert>" 
  4. remove manipulation of authorizationdb 
  5. remove temporary certificate 

this was the only solution which worked silently for us. If you find a better solution let me know

0 Kudos
Reply

sk25
Contributor
In response to eos_bebu

Posted on ‎06-02-2023 02:59 AM

@eos_bebu I ran the below script manual and it worked well. So deployed in MDM solution and waiting for the status. May check the below script from your end and let me know status.

#! /bin/sh
sudo mkdir /Users/Shared/cert/
certlocation="/Users/Shared/cert/"
declare -a rootcert=( 'XX-Root-CA.cer' );
declare -a enterprisecert=( 'XX-Enterprise-CA.cer' );
cat <<EOF | base64 -D > /Users/Shared/cert/XX-Root-CA.cer
<XXX certification content goes here>
EOF
 
cat <<EOF | base64 -D > /Users/Shared/cert/XX-Enterprise-CA.cer
<XXX certification content goes here>
EOF
 
for cert in "${rootcert[@]}"
do
sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustRoot "$certlocation$cert"
echo "Installed Root Certificate: $cert"
done
 
for cert in "${enterprisecert[@]}"
do
sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot "$certlocation$cert"
echo "Installed Enterprise Certificate: $cert"
done
 
sleep 10
sudo rm -R /Users/Shared/cert/
0 Kudos
Reply

eos_bebu
New Contributor II
In response to sk25

Posted on ‎07-04-2023 11:11 PM

Hi,
It seems that you create a certificate with this script and add it to the keychain - correct? If so, you should consider deploying it via Configuration Profile. 

 

0 Kudos
Reply