unexpected results when importing trusted certificates using command line

Originator: petedonato
Number: rdar://29271915 Date Originated: Nov 15
Status: Open Resolved:
Product: macOS Product Version: 10.12.1
Classification: Bug Reproducible: Always
 
Summary:
I have created a package to distribute our internal PKI Root certificates to our internal Mac clients. The certificates are delivered as payloads to the local hard drive, then, as a post-install script, I am trying to import the certificate chain into the user's keychain with specific trust settings. The command I am using to install the root cert is:
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db "/Users/Shared/Akamai/certs/akamaipkiroot.cer"
then I'm also importing the issuing cert using:
security add-trusted-cert -d -r trustAsRoot -k ~/Library/Keychains/login.keychain-db "/Users/Shared/Akamai/certs/akamaipkiissuing.cer"

Both certs get imported into the new login keychain, and the PKIRoot cert "appears" as "Always Trusted" but when I launch any apps or web sites that rely on the trusts, I am getting cert warnings that the cert can't be trusted. 

The only way to resolve the trust warnings is for me to delete the root cert from the keychain, then manually add it by importing it, and manually trusting it and authenticating through the GUI.
The OS does not seem to be respecting the security add-trusted-cert commands in Sierra, as it used to work in previous OSes.

Steps to Reproduce:
Delete the PKIRoot and PKIIssuing cert from Keychain Access.app > login keychain
Execute the script to import the cert chain and trust settings. The package executes without errors.
Open apps and web pages that rely on those certs, and get cert warnings that the cert and chain are not trusted.
Manually change the trust settings for PKIRoot to "Not Trusted" through the GUI and save settings
Manually change the trust settings for PKIRoot to "Always Trust" through the GUI and save settings
Open apps and web pages that rely on those certs, and no longer see any cert warnings
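
Added example (not part of this Radar or of the reporter's package): a POSIX shell script that performs the same two imports with the same -r policies as the commands in the Summary, and then checks the result of the Steps to Reproduce with security(1) itself rather than with how Keychain Access displays the certificate: dump-trust-settings -d shows what the admin trust domain (the domain -d writes to) actually recorded, and verify-cert reports whether a chain evaluates as trusted. The certificate paths, the keychain path and all function names are placeholders I chose; -d requires root, and when a script runs as root ~ resolves to root's home, so the keychain path is passed explicitly instead of relying on ~.

```shell
#!/bin/sh
# Added example, not the reporter's script. Imports a root and an issuing
# certificate with the policies used in the report, then verifies the
# outcome with security(1) instead of trusting the GUI's "Always Trust" label.
set -eu

# Map a chain position to the -r policy used in the report:
#   root    -> trustRoot   (self-signed anchor)
#   issuing -> trustAsRoot (intermediate treated as an anchor)
trust_policy_for() {
    case "$1" in
        root)    echo trustRoot ;;
        issuing) echo trustAsRoot ;;
        *)       echo "unknown chain role: $1" >&2; return 1 ;;
    esac
}

# Import one certificate into the given keychain and record its trust
# setting in the admin domain (-d). Needs root; fails early on a bad path.
import_trusted_cert() {
    role=$1; keychain=$2; certfile=$3
    policy=$(trust_policy_for "$role")
    [ -r "$certfile" ] || { echo "missing cert file: $certfile" >&2; return 1; }
    security add-trusted-cert -d -r "$policy" -k "$keychain" "$certfile"
}

# What the admin trust domain really holds after the import. A certificate
# that shows as "Always Trusted" in Keychain Access but is absent here has
# no effective trust setting in that domain.
dump_admin_trust() {
    security dump-trust-settings -d
}

# Ask the trust evaluator whether a certificate chains to a trusted anchor.
# -L keeps evaluation local (no network fetches). A non-zero exit is the
# CLI equivalent of the browser warning in the report. For an SSL-specific
# check against a real server leaf, use "-p ssl -s <hostname>" instead.
verify_cert_trusted() {
    security verify-cert -c "$1" -p basic -L
}

# Whole procedure: import both certs, show the recorded trust settings,
# and fail if the issuing certificate still does not evaluate as trusted.
install_chain() {
    keychain=$1; root=$2; issuing=$3
    import_trusted_cert root    "$keychain" "$root"
    import_trusted_cert issuing "$keychain" "$issuing"
    dump_admin_trust
    if verify_cert_trusted "$issuing"; then
        echo "chain trusted: issuing cert evaluates to a trusted anchor"
    else
        echo "chain NOT trusted: trust settings were not applied" >&2
        return 1
    fi
}

# Usage (placeholder paths; pass the console user's keychain explicitly,
# because when run as root "$HOME" is /var/root):
#   sudo sh import-chain.sh install \
#       /Users/<user>/Library/Keychains/login.keychain-db \
#       /path/to/pkiroot.cer /path/to/pkiissuing.cer
if [ "${1:-}" = install ]; then
    install_chain "$2" "$3" "$4"
fi
```

Running the verification as a separate step after the import is what makes the reported discrepancy visible: the import exits 0 and the certificate looks trusted in the GUI, but verify-cert returns non-zero until the trust setting is actually effective.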

Expected Results:
We've been using this package for years, with the expected result that when importing the root cert and issuing cert, the trusts are correct and allow us to connect to internal resources without certificate warnings.
Again, the syntax we are using is:
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db "/Users/Shared/Akamai/certs/akamaipkiroot.cer"
security add-trusted-cert -d -r trustAsRoot -k ~/Library/Keychains/login.keychain-db "/Users/Shared/Akamai/certs/akamaipkiissuing.cer"

Actual Results:
Since using 10.12 Sierra, the package and import commands no longer seem to be working as they were previously, therefore causing our Mac users to see certificate warnings when connecting to internal resources.
We have to manually delete the certs, and manually change the trust settings through the GUI for them to respect the trust settings.

Version:
10.12.1

Notes:


Configuration:

Attachments:
