Trust installed certificate in Keychain via shell script

sk25
New Contributor III

Guys, we have installed a 3rd-party Root CA and Enterprise CA cert in the keychain via Intune MDM and they are showing as non-trusted. Now I would like to know how to make those certs trusted using a shell script. Kindly help. Thanks.


AJPinto
Honored Contributor

The command to do this on older versions of macOS is below. However, Apple removed the ability to force-trust a certificate from the CLI a few years ago; that would be the -k argument. To install a certificate and force-trust it you need to deploy it with a configuration profile. Any other method will prompt the user for credentials.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>

sdagley
Esteemed Contributor

@sk25 Did you install the CA certificates via a Computer or User level profile? If they were installed as a User level profile they should be installed as Computer level.

sk25
New Contributor III

It's a computer-level profile only.

sdagley
Esteemed Contributor

@sk25 Try this:

  1. Manually import the CAs to the System keychain on a test Mac and set the trust level on them
  2. Export the trusted CAs
  3. Create a new Configuration Profile in your JSS and upload the CAs you exported in Step 2 to a Certificate payload
  4. Push that configuration profile to another test Mac at the computer level and see if they are trusted

sk25
New Contributor III

This sounds like a plan. Will check and revert. Thanks.

sk25
New Contributor III

I'm sorry. It doesn't work at all.

eos_bebu
New Contributor II

Hi,
we used a similar workaround to the script @AJPinto mentioned:

  1. find and export the certificate from the user keychain to a temporary place
  2. manipulate the authorizationdb to temporarily allow editing of the system keychain
  3. run the command from AJPinto: "security add-trusted-cert -d -r trustAsRoot -k <cert>"
  4. remove the manipulation of the authorizationdb
  5. remove the temporary certificate

This was the only solution that worked silently for us. If you find a better solution, let me know.
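The five steps eos_bebu lists, written up as an added bash example that is not code from the thread. It assumes the script runs as root (e.g. from an MDM policy), that the CA files are already exported to disk (the paths are placeholders), and that com.apple.trust-settings.admin is the authorizationdb right that gates trust-setting changes; it goes a little beyond the list by saving and restoring that right exactly and verifying each certificate afterwards.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes: running as root (e.g. from an
# MDM policy), the CA files already on disk, and that the authorization right
# that gates trust-setting changes is com.apple.trust-settings.admin.
set -eu

RIGHT="com.apple.trust-settings.admin"
SAVED_RIGHT="$(mktemp /tmp/trust-right.XXXXXX)"

# Step 2 (part 1): save the current definition of the right so it can be
# put back exactly as it was, not just reset to a guess.
save_right() {
    security authorizationdb read "$RIGHT" > "$SAVED_RIGHT"
}

# Step 4: restore the saved definition. Run from an EXIT trap so a failure
# half-way never leaves the System keychain editable without a prompt.
restore_right() {
    if [ -s "$SAVED_RIGHT" ]; then
        security authorizationdb write "$RIGHT" < "$SAVED_RIGHT"
    fi
    rm -f "$SAVED_RIGHT"
}

# Step 3: mark one certificate as trusted in the System keychain.
#   $1 = certificate file (PEM or DER)
#   $2 = trustRoot for a self-signed root CA, trustAsRoot for an issuing
#        (enterprise/intermediate) CA that is not self-signed
trust_cert() {
    cert="$1"; policy="${2:-trustRoot}"
    security add-trusted-cert -d -r "$policy" \
        -k /Library/Keychains/System.keychain "$cert"
    # Check that the certificate now validates before reporting success.
    security verify-cert -c "$cert" -p basic
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    trap restore_right EXIT
    save_right
    # Step 2 (part 2): let root change trust settings with no dialog.
    security authorizationdb write "$RIGHT" allow
    # Placeholder paths: replace with the exported CA files from step 1.
    trust_cert /path/to/root-ca.cer trustRoot
    trust_cert /path/to/enterprise-ca.cer trustAsRoot
}

# Only execute on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then main "$@"; fi
```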