Root cert import & trust in Leopard

  • #370353
    gilburns
    Participant

    Does anyone know if there is a way to specify the trust of a certificate in Leopard through the command line?

    Previously under Tiger you could use certtool to import the root cert into the X509Anchors. Under Leopard Apple says they should go into the System.keychain. If I import the cert into the SystemRootCertificates.keychain or the System.keychain with certtool, it remains untrusted. I need to be able to change the trust in addition to importing it.

    Thanks!

    #370933
    gilburns
    Participant

    Answering my own question.

    The security command-line tool has additional options on Leopard.

    To add an additional root cert do this:

    /usr/bin/security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/path/to/your/rootcert.pem"

    To add an intermediate/issuing cert do this:

    /usr/bin/security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/path/to/your/issuingcert.pem"
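
Added example, not part of the post above: a wrapper that picks `trustRoot` or `trustAsRoot` from the certificate itself and refuses to change system trust unless the SHA-256 fingerprint matches a value obtained out of band. The function names, the `DRY_RUN` variable and the use of `openssl` to read the certificate are assumptions of this example; treating "subject equals issuer" as the test for a root is also an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Requires openssl; `security` is only
# invoked when DRY_RUN is unset, so the logic can be checked on any system.
KEYCHAIN="/Library/Keychains/System.keychain"   # keychain used in the post

# Print the "subject" or "issuer" name of a PEM certificate.
cert_name() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" 2>/dev/null | sed "s/^$1= *//"
}

# Print the SHA-256 fingerprint (colon-separated uppercase hex) of a PEM cert.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# trustRoot for a self-issued cert (subject == issuer), otherwise trustAsRoot.
trust_mode() {
    subject=$(cert_name subject "$1")
    issuer=$(cert_name issuer "$1")
    [ -n "$subject" ] || return 1          # unreadable or non-PEM input
    if [ "$subject" = "$issuer" ]; then echo trustRoot; else echo trustAsRoot; fi
}

# install_cert <cert.pem> <expected-sha256-fingerprint>
# Refuses to touch the keychain unless the fingerprint matches the value
# obtained out of band from the CA operator.
install_cert() {
    mode=$(trust_mode "$1") || { echo "cannot parse $1" >&2; return 2; }
    actual=$(cert_fingerprint "$1")
    if [ "$actual" != "$2" ]; then
        echo "fingerprint mismatch for $1" >&2
        return 3
    fi
    if [ -n "$DRY_RUN" ]; then
        # Show the command that would run, without modifying any keychain.
        echo "/usr/bin/security add-trusted-cert -d -r $mode -k $KEYCHAIN $1"
    else
        /usr/bin/security add-trusted-cert -d -r "$mode" -k "$KEYCHAIN" "$1"
    fi
}
```

Run `install_cert` with `DRY_RUN=1` first to see the exact command before running it as root against the System keychain.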

    #370941
    khiltd
    Participant

    I’ve found the security tool to be broken to the point of nigh-uselessness on Leopard. It almost seems as though it was not updated to support any of the new features of Security.framework and is still heavily reliant upon now deprecated functions.
