I can easily set a Root CA cert to "Never Trust" from within Keychain Access. However, I want to do this on the command line so that I can just send it out as a policy.
I've considered creating a new System Roots keychain and then doing a replacement of the old one, but that seems to run into a dead end.
Any other ideas?
Thanks,
Damien
As it happens, I just saw this entry on how to remove a Root CA from the System Keychain:
http://radiotope.com/content/remove-certificate
Thanks,
Rich
I've used this to install new certs, part of the package deploys the new
certs to /tmp
Then this script picks them up and applies them.
If you need to delete, from the man page for /usr/bin/security
delete-certificate Delete a certificate from a keychain.
-----
#!/bin/bash
# post installation KeyChain secruity scripting for system Root
certificates
/usr/bin/security add-trusted-cert -d -r trustAsRoot -k
"/Library/Keychains/System.keychain" "/tmp/2011/foo.bar.com"
/usr/bin/security add-trusted-cert -d -r trustRoot -k
"/Library/Keychains/System.keychain" "/tmp/2011/IssuingCA"
------
Hope this helps.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.