Importing trusted SSL certificate with certtool

Hi,

I have a .pem file that I want to deploy to 100 macs using ARD.
I can copy the .pem file to each machine, then execute the following unix command:

certtool i /filelocation/certificate.pem

This works fine, but the certificate is still showing up as "untrusted".
If I manually open the keychain access application, go to the certificate, double click it, then expand the trust arrow, and choose "always trust" this achieves the desired effect.

However, I wish to know the unix command (certtool?) to set this certificate as trusted - so that I can remotely make this change without visiting each individual mac and opening keychain access etc.

Does anyone know what this is? Or am I missing something fundamental?

Many thanks in advance.


FZ

Mac Mini, Mac OS X (10.5.6)

Posted on Jan 6, 2009 6:27 AM

11 replies

Jan 6, 2009 7:18 AM in response to foilpan

Hi,

Thanks for responding so quickly!

Anyway, that command is all great in theory, but firstly it prompts the remote machine with a GUI password prompt (which is a no-no!), even when attempting the -q switch to suppress verbose nagging...
Also, it doesn't seem to work - the certificate still appears as untrusted in the list...
Do you have to specify the certificate name, or the .pem file name, with this command?
Any further ideas?

Many thanks again.


FZ

Message was edited by: fatherzimfire

Jan 6, 2009 7:47 AM in response to fatherzimfire

hmmm… that's lame. i wonder if it's requesting that the keychain be unlocked first and throwing up the authentication dialog for the keychain. still, it shouldn't do that.

the security command is the only way i've seen to do such things, but there's got to be a reasonable way to use it without user intervention. at least one would hope…

i'll try a few things here and post back.
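An added example, not foilpan's command or anything posted in this thread, of driving the security tool from an ARD "Send UNIX Command" sent as root so that the trust change lands in the admin trust domain (-d) of the System keychain without a GUI prompt. It assumes the `security add-trusted-cert` subcommand with its -d, -r, -p and -k flags, as shipped with Leopard and later; the certificate path is a placeholder and the -p ssl restriction is a choice, not something the thread discusses. The helper functions only build and validate the command, so the actual keychain write happens only in main():

```shell
#!/bin/sh
# Added example (not from the thread): install a PEM certificate into the
# System keychain and mark it trusted in one non-interactive step, intended
# for ARD "Send UNIX Command" run as user root.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Refuse anything that is not a PEM-encoded certificate before touching the keychain.
is_pem_cert() {
    [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the trust command for logging/auditing. $1 = cert path, $2 = result type:
#   trustRoot   for a self-signed root CA (the usual case for an internal CA)
#   trustAsRoot for a certificate that is not self-signed but should be trusted directly
# $3 (optional) restricts trust to one policy, e.g. ssl, so the certificate is
# not also trusted for code signing, S/MIME and every other policy by default.
trust_cmd() {
    cert=$1; result=${2:-trustRoot}; policy=$3
    cmd="security add-trusted-cert -d -r $result"
    [ -n "$policy" ] && cmd="$cmd -p $policy"
    printf '%s -k %s %s' "$cmd" "$SYSTEM_KEYCHAIN" "$cert"
}

main() {
    cert=$1
    # -d writes to the admin trust domain; as root this needs no authorization dialog.
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root (ARD: send the command as user root)" >&2
        exit 2
    fi
    if ! is_pem_cert "$cert"; then
        echo "$cert is not a PEM certificate" >&2
        exit 3
    fi
    echo "running: $(trust_cmd "$cert" trustRoot ssl)"
    security add-trusted-cert -d -r trustRoot -p ssl -k "$SYSTEM_KEYCHAIN" "$cert"
    # Show the admin-domain trust settings so the ARD result pane confirms the change.
    security dump-trust-settings -d
}

# Only act when a certificate path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Send it as `sh /path/to/script.sh /filelocation/certificate.pem` with ARD's user set to root; the dump-trust-settings output in the result pane is the check that the certificate is now trusted rather than merely imported.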

Jan 6, 2009 8:08 AM in response to foilpan

Thanks very much again for your help - anything you could come up with would be useful.
I'm surprised this isn't better documented - surely using SSL encrypted web services within a corporate network, and wanting to push out certificates isn't that unusual a request?

That aside, it doesn't appear to be the keychain app requesting the password, rather the "security" app itself. I can provide any further info if it'd help.

Many thanks again - your advice is much appreciated.


FZ

Jan 6, 2009 8:50 PM in response to fatherzimfire

The settings for trusted certificates are stored in the System keychain (/Library/Keychains/System.keychain), and possibly also in /System/Library/Keychains/SystemTrustSettings.plist -- I'm not sure, you'd have to look into that. So if you want all the clients to trust the same set of certificates, it may be enough to distribute one or both of those files. You'd have to test this solution, I haven't tried it.

Jan 12, 2009 6:29 AM in response to fatherzimfire

Thanks for everyone's help and comments on this thread.
It appears that there is no documented way of doing this silently on 10.5, at least as of yet.

Interestingly enough, as a quick fix we have worked around this issue by registering the trusted certificate externally with Comodo. This way the site works straight away as Comodo are already in the trusted sites list for all our macs and PCs. Going forward it would be great to get our internal Windows SSL cert server recognised by all of our 10.4 and 10.5 macs (particularly 10.5, as the 10.4 machines will be upgraded soon).

Regards,

FZ
