Trust installed certificate in Keychain via shell script

sk25
Contributor

Guys, we have installed a 3rd-party Root CA and Enterprise CA cert in the keychain via Intune MDM and they are showing as non-trusted. Now I would like to know how to make those certs trusted using a shell script. Kindly help. Thanks.


AJPinto
Esteemed Contributor

The command to do this on older versions of macOS is below. However, Apple removed the ability to force-trust a certificate from the CLI a few years ago; that would be the -k argument. To install a certificate and force trust it you need to deploy it with a configuration profile. Any other method will prompt the user for credentials.

 

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>

 

Guys, I implemented this 'trustRoot' script in Intune for macOS to make the certificate trusted by itself, but it's not working. The certificate is still showing as 'This root certificate is not trusted'. Kindly advise.

AJPinto
Esteemed Contributor

As I mentioned in the post above, you cannot do this with the CLI on modern versions of macOS. Certificates should be deployed with a Configuration Profile, not with the CLI.

eos_bebu
New Contributor II

In general your statement is correct, but in this case the certificate is deployed by Microsoft Azure due to enrollment with the Company Portal app.
Also, there is currently no certificate chain available from Microsoft that could be deployed within a configuration profile.

I will try to anonymize the script we currently use, and which scope is set and how, within the next few days.

But for now I can share this much: 

When a Mac is registered with Company Portal, we use an EA to validate the information stored in the jamfaad.plist. If the information is okay, the Mac is scoped into a smart group and the policy runs once to "whitelist" the deployed certificate with a script. I will post the script separately.

Does anyone already use the new compliance connector? Do the Macs register in Intune with Jamf Connect?

sdagley
Esteemed Contributor II

@sk25 Did you install the CA certificates via a Computer or User level profile? If they were installed as a User level profile they should be installed as Computer level.

It's a computer level profile only.

sdagley
Esteemed Contributor II

@sk25 Try this:

  1. Manually import the CAs to the System keychain on a test Mac and set the trust level on them
  2. Export the trusted CAs
  3. Create a new Configuration Profile in your JSS and upload the CAs you exported in Step 2 to a Certificate payload
  4. Push that configuration profile to another test Mac at the computer level and see if they are trusted

This sounds like a plan. Will check and revert. Thanks.

I'm sorry, it doesn't work at all.

eos_bebu
New Contributor II

Hi,
we used a similar workaround to the one @AJPinto mentioned, with the script:

  1. find and export the certificate from the user keychain to a temporary place
  2. manipulate the authorizationdb to temporarily allow editing of the system keychain
  3. run the command from AJPinto: "security add-trusted-cert -d -r trustAsRoot -k <cert>"
  4. remove the manipulation of the authorizationdb
  5. remove the temporary certificate

This was the only solution which worked silently for us. If you find a better solution, let me know.

@eos_bebu I ran the below script manually and it worked well. So I deployed it in the MDM solution and am waiting for the status. You may check the below script from your end and let me know the status.

#!/bin/bash
# Stage the CA files in a temporary location, then trust them in the System keychain.
certlocation="/Users/Shared/cert/"
sudo mkdir -p "$certlocation"
declare -a rootcert=( 'XX-Root-CA.cer' )
declare -a enterprisecert=( 'XX-Enterprise-CA.cer' )

# Write the embedded certificates to disk (base64 -D is the macOS decode flag).
cat <<EOF | base64 -D > "${certlocation}XX-Root-CA.cer"
<XXX certification content goes here>
EOF

cat <<EOF | base64 -D > "${certlocation}XX-Enterprise-CA.cer"
<XXX certification content goes here>
EOF

# The self-signed root gets the trustRoot policy.
for cert in "${rootcert[@]}"
do
    sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustRoot "$certlocation$cert"
    echo "Installed Root Certificate: $cert"
done

# The enterprise (issuing) CA is not self-signed, so it gets the trustAsRoot policy.
for cert in "${enterprisecert[@]}"
do
    sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot "$certlocation$cert"
    echo "Installed Enterprise Certificate: $cert"
done

# Clean up the staged certificate files.
sleep 10
sudo rm -R "$certlocation"
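The script above and eos_bebu's five steps both end in `security add-trusted-cert` with either `-r trustRoot` or `-r trustAsRoot`; the pre-flight checks an admin would want before that step, as an added example that is not anyone's script from this thread: confirm the file is really a CA certificate, pick the `-r` policy from whether it is self-signed, confirm the enterprise CA chains to the root, and pin a fingerprint. It assumes `openssl` is on PATH, generates its own throwaway demo CA pair, and the function names and the `DRY_RUN` variable are mine; only the `security` line needs macOS and root.

```shell
#!/bin/sh
# Added example, not the thread's script. It sanity-checks a CA file before it is
# handed to `security add-trusted-cert` and picks the -r policy the thread uses:
# trustRoot for a self-signed root, trustAsRoot for an issuing (intermediate) CA.
# Assumes openssl is on PATH; the `security` call only works on macOS, as root.
set -eu

# "trustRoot" when subject equals issuer (self-signed), otherwise "trustAsRoot".
trust_policy_for() {
  subj=$(openssl x509 -in "$1" -noout -subject); iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo trustRoot; else echo trustAsRoot; fi
}

# Only certificates carrying basicConstraints CA:TRUE belong in a trust-settings push.
is_ca_cert() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# The issuing CA must really chain to the root that is trusted alongside it.
chain_ok() { openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# Pin the expected SHA-256 fingerprint (lower-case hex, no colons) so a swapped
# file is rejected instead of being trusted machine-wide.
fingerprint_matches() {
  got=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
  [ "$got" = "$2" ]
}

# Dry run by default (prints the command); set DRY_RUN=0 on a Mac to execute it.
install_trusted() {
  is_ca_cert "$1" || { echo "refusing $1: not a CA certificate" >&2; return 1; }
  policy=$(trust_policy_for "$1")
  echo "security add-trusted-cert -d -r $policy -k /Library/Keychains/System.keychain $1"
  [ "${DRY_RUN:-1}" = 1 ] || security add-trusted-cert -d -r "$policy" -k /Library/Keychains/System.keychain "$1"
}

# Constructed demo material (throwaway keys, 1-day validity): a root CA and an issuing CA it signs.
make_demo_chain() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Demo Root CA' \
    -config "$1/ca.cnf" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' \
    -config "$1/ca.cnf" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$1/ca.cnf" -extensions ca -out "$1/int.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
  make_demo_chain "$DEMO_DIR"
  chain_ok "$DEMO_DIR/root.pem" "$DEMO_DIR/int.pem" && install_trusted "$DEMO_DIR/root.pem" && install_trusted "$DEMO_DIR/int.pem"
fi
```

Run as-is it only prints the two `security` commands it would issue; a deployment script would replace the demo block with the real CA files and the pinned fingerprints of each.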

eos_bebu
New Contributor II

Hi,
It seems that you create a certificate with this script and add it to the keychain, correct? If so, you should consider deploying it via a Configuration Profile.