Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: how do I update list of trusted root certificate authorities

There must be a way to tell OSX to go out and update it's certificate authorities. Our campus has a valid trusted certificate for its Virtual Desktop Interface servers & all our windows machines verify the cert without even asking. Windows also updates root certificates regularly and way in the long past I have had to manually update certificate authorities on windows.


But OSX ElCap with all the latest mac updates reject the VDI cert and don't even give me the option to accept it and I have to Manually download it & tell the system to trust the root certificate authority involved.


Isn't there a way to tel ElCap to update its list of certificate authorities?? A cert update commandline??

null-OTHER, iOS 10.1.1, El Capitain fully updated

Posted on

Reply
Question marked as Helpful

Mar 9, 2018 1:35 PM in response to my library In response to my library

Yes and no. Sometimes it will be updated if a new macOS upgrade has occurred. If your computer needs an additional certificate for a website you visit, then they need to provide it for you. You cannot create a certificate for them. If they do not have one then you can try setting their keychain entry from Not Trusted to Always Trust if you feel you can trust the site not to perform any malicious activities.

There’s more to the conversation

Read all replies

Page content loaded

Question marked as Helpful

Mar 9, 2018 1:35 PM in response to my library In response to my library

Yes and no. Sometimes it will be updated if a new macOS upgrade has occurred. If your computer needs an additional certificate for a website you visit, then they need to provide it for you. You cannot create a certificate for them. If they do not have one then you can try setting their keychain entry from Not Trusted to Always Trust if you feel you can trust the site not to perform any malicious activities.

Mar 9, 2018 1:35 PM

Reply Helpful (1)

Mar 9, 2018 1:02 PM in response to Kappy In response to Kappy

Unfortunately In our situation I can't use any manual update method that only updates certificates for one user. We have a Lab on Active Directory and every user that logs in gets a fresh new user profile created on the Mac, also drives are locked down with DeepFreeze so it has to do that for every user every time they login.


The only way I can see this update working now after hearing OSX does not update certificate authorities is for our Lab to take DeepFreeze off and find a way of loading the certificate authority to the system key chain that all users share and make it Trusted there.


A frustrating and depressing prospect because if that doesn't work I have no options.

Mar 9, 2018 1:02 PM

Reply Helpful

Mar 9, 2018 1:26 PM in response to Kappy In response to Kappy

Thank you for your help but like I was saying it is a good certificate accepted everywhere. I'm not 100% sure what is new with it I think it is a new branch of the Comodo certificate authority that covers more types of certificates than they did before.


The only trouble I have with it is that ElCaptain does not recognize this authority name yet so originally I was hoping there was an easy way to have OSX update it's list of certificate authorities.

Mar 9, 2018 1:26 PM

Reply Helpful

Mar 9, 2018 1:30 PM in response to my library In response to my library

Since I use several sites associated with Comodo I know about the certificate problem. It arises with new versions of macOS where there are major security changes. I simply watch for the error then choose to modify the certificate in which I set the Always Trust as the default option. No more problems. But I am only one user. I do understand the nature of your problem for which I do not have a suitable solution given that these are all networked computers.

Mar 9, 2018 1:30 PM

Reply Helpful

Mar 9, 2018 1:35 PM in response to Kappy In response to Kappy

Thanks tho your info gave me a good direction to research and I have a prospective set of command lines to test.

About command line loading of certificates for all users but not authorities need to test

https://apple.stackexchange.com/questions/80623/import-certificates-into-the-sys tem-keychain-via-the-command-line


sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>

https://derflounder.wordpress.com/2011/03/13/adding-new-trusted-root-certificate s-to-system-keychain/

Mar 9, 2018 1:35 PM

Reply Helpful
User profile for user: my library

Question: how do I update list of trusted root certificate authorities