Verify the Existence of a System.keychain Certificate?

dstranathan
Valued Contributor II

I'm pondering the idea of leveraging an Extension Attribute that could theoretically report/verify the existence of a specific root CA certificate in the OS X System Keychain. Based on the results it yields, I could add/delete certificate(s) as needed via scripts/policies, etc.

Has anyone invented this wheel yet?


mm2270
Legendary Contributor III

Not something exactly like what you described, but I have an EA written a long while back that, among other things, looks for the computer's AD keychain entry in the System.keychain and verifies it's valid (as part of a larger "is this Mac still joined to AD?" type EA script).

Checking for certs in the system.keychain is definitely doable with the security command, so yeah, you can do something like that for sure.

mm2270
Legendary Contributor III

Just to make my post a little more useful, here's a basic EA that should work to do what you're looking for. Just edit the CERTNAME variable to the name of the Root CA or other cert you're looking for. It will create either a "Yes" or "No" EA result.

#!/bin/bash

CERTNAME="<Put Root CA Name here>"

## Default result. Gets changed to "Yes" if the Root CA is found
result="No"

while read cert_entry; do
    if [ "$cert_entry" == "$CERTNAME" ]; then
        result="Yes"
    fi
done < <(security find-certificate -a /Library/Keychains/System.keychain | awk -F'"' '/alis/{print $4}')

echo "<result>$result</result>"

dstranathan
Valued Contributor II

That's exactly what I was imagining. Thank you sir.

Dhuhindhan
New Contributor

Hi @mm2270, I am trying to find the certificate called ISRG Root X1 from System Roots on the keychain, but the result is not coming correctly. I guess the script is not checking the attributes correctly. Looking for help.

#!/bin/bash

CERTNAME="<ISRG Root X1>"

## Default result. Gets changed to "Yes" if the ISRG Root X1 is found
result="No"

while read cert_entry; do
    if [ "$cert_entry" == "$CERTNAME" ]; then
        result="Yes"
    fi
done < <(security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain | grep "alis" | sed 's/"//g' | sed 's/ alis<blob>=//g')

echo "<result>$result</result>"

This is the script I am using on the EA

mm2270
Legendary Contributor III

@Dhuhindhan Are you actually entering the certificate name as <ISRG Root X1> in the variable? Because the < and > characters are not supposed to be included. I just put that there in my example script to indicate it was a variable. Sorry if that wasn't clear. Change it to CERTNAME="ISRG Root X1" and try again.

Second thing is, the security find-certificate line can be simplified to get a cleaner list. Change that out to this:

security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain | /usr/bin/awk -F'"' '/alis/{print $4}'

Also verify that the name of the certificate actually shows up that way when viewing it in the command line. It would be whatever shows up in the security command output above. Check to make sure the certificate shows up with the name you're using in the variable.
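Here is an added example (not code from the thread or from either poster) that builds on the EA script above and the simplified `security find-certificate | awk` line: the label parsing is pulled into a function that can be run against a constructed sample of `security` output, so the exact-match behaviour (including the angle-bracket mistake) can be checked on any machine, and a second function compares the SHA-256 fingerprint of the matching certificate so that a name match alone is not treated as proof that the expected root CA is installed. The `EXPECTED_SHA256` value is a placeholder, and the live keychain query only runs where `security` exists.

```shell
#!/bin/sh
# Added example (not from the thread): parse the text that `security find-certificate -a`
# prints and report whether a certificate with a given label exists, with an optional
# SHA-256 fingerprint check so a name match alone is not trusted.

# Print the label ("alis" attribute) of every certificate in a security(1) dump read from stdin.
# Anchoring on "alis"<blob>= avoids false hits on other attribute lines that merely contain "alis".
extract_labels() {
    awk -F'"' '/"alis"<blob>=/ { print $4 }'
}

# Read a security(1) dump from stdin; echo "Yes" if a certificate labelled exactly NAME is present,
# "No" otherwise (same Yes/No contract as the EA script in the thread).
cert_named_in_dump() {
    name="$1"
    extract_labels | {
        result="No"
        # IFS= and -r keep leading spaces and backslashes in labels intact
        while IFS= read -r label; do
            [ "$label" = "$name" ] && result="Yes"
        done
        echo "$result"
    }
}

# Compare the SHA-256 fingerprint of every certificate labelled NAME in KEYCHAIN with EXPECTED
# (hex, colons optional, any case). Needs macOS security(1) plus openssl(1), so it is only
# exercised when run on a Mac; returns 0 on the first match, 1 otherwise.
fingerprint_matches() {
    name="$1"; keychain="$2"
    expected=$(printf '%s' "$3" | tr -d ':' | tr 'a-f' 'A-F')
    tmp=$(mktemp) || return 1
    security find-certificate -a -c "$name" -p "$keychain" > "$tmp" 2>/dev/null
    status=1; pem=""
    while IFS= read -r line; do
        pem="$pem$line
"
        if [ "$line" = "-----END CERTIFICATE-----" ]; then
            fp=$(printf '%s' "$pem" | openssl x509 -noout -fingerprint -sha256 \
                 | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F')
            [ "$fp" = "$expected" ] && status=0
            pem=""
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$status"
}

# Constructed sample of what `security find-certificate -a` prints (two entries, trimmed
# to the attributes that matter); this is not real keychain output.
SAMPLE_DUMP='keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="DigiCert Global Root CA"
    "labl"<blob>="DigiCert Global Root CA"
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="ISRG Root X1"
    "labl"<blob>="ISRG Root X1"'

# Usage: the Yes/No answer for a label, with the angle-bracket mistake from the thread alongside.
printf '%s\n' "$SAMPLE_DUMP" | cert_named_in_dump "ISRG Root X1"     # Yes
printf '%s\n' "$SAMPLE_DUMP" | cert_named_in_dump "<ISRG Root X1>"   # No

# On a Mac, query the live System keychain the same way and add the fingerprint check.
# EXPECTED_SHA256 is a placeholder; take the real value from the CA's published fingerprint.
if command -v security >/dev/null 2>&1; then
    CERTNAME="ISRG Root X1"
    EXPECTED_SHA256="<replace with the CA's published SHA-256 fingerprint>"
    KEYCHAIN=/Library/Keychains/System.keychain
    present=$(security find-certificate -a "$KEYCHAIN" | cert_named_in_dump "$CERTNAME")
    if [ "$present" = "Yes" ] && fingerprint_matches "$CERTNAME" "$KEYCHAIN" "$EXPECTED_SHA256"; then
        echo "<result>Yes</result>"
    else
        echo "<result>No</result>"
    fi
fi
```

The label comparison is exact and case-sensitive, which is why the `<ISRG Root X1>` form returns No; the string must be what `security` itself prints in the `"alis"` attribute, not necessarily what Keychain Access displays. Pointing the query at `/System/Library/Keychains/SystemRootCertificates.keychain` instead of the System keychain works the same way.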

I was actually looking at doing this too, similar to the above, and though I have the cert it shows No.