```bash
#!/bin/bash
set -eu -o pipefail
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'

# Download & Extract DoD root certificates
cd ~/Downloads/ || exit 1
/usr/bin/curl -LOJ "${CERT_URL}"
/usr/bin/unzip -o "$(basename "${CERT_URL}")"
# Enter the top-level directory inside the zip (its name changes between releases)
cd "$(/usr/bin/zipinfo -1 "$(basename "${CERT_URL}")" | /usr/bin/awk -F/ '{ print $1 }' | head -1)" || exit 1

# Convert .p7b certs to straight pem and import
for item in *.p7b; do
    TOPDIR=$(pwd)
    TMPDIR=$(mktemp -d "/tmp/$(basename "${item}" .p7b).XXXXXX") || exit 1
    PEMNAME=$(basename "${item}" .p7b)
    # Unpack the DER PKCS#7 bundle into one PEM file with one block per certificate
    openssl pkcs7 -print_certs -in "${item}" -inform der -out "${TMPDIR}/${PEMNAME}"
    cd "${TMPDIR}"
    # Split on the blank line that follows each certificate (BSD split -p);
    # the last chunk contains only the trailing blank line, so drop it
    /usr/bin/split -p '^$' "${PEMNAME}"
    rm "$(find . -name "x*" | sort | tail -1)"
    for cert in x??; do
        sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}"
    done
    cd "${TOPDIR}"
    rm -rf "${TMPDIR}"
done
```
Didn't see anything to avoid this, because it is painful providing the login so many times: https://developer.apple.com/forums/thread/671582
https://stackoverflow.com/questions/15673364/how-to-add-trusted-cert-on-a-mac-remotely-without-user-interaction
https://developer.apple.com/documentation/security/1399119-sectrustsettingssettrustsettings
Did not work as root either. :(
Unfortunately I think this is a measurement Apple put in place when modifying the trust store. The best I can offer is using TouchID many, many times if your system supports it.
They updated the cert URL to 'https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip' and the extension is changed to just .p7b so you need to update line 1 and line 11 to make this work again.
Needs to be updated. This is working. Wasn't sure if there was a way to submit a PR against a GIST
```bash
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'
# Download & Extract DoD root certificates
cd ~/Downloads/
/usr/bin/curl -LOJ ${CERT_URL}
/usr/bin/unzip -o $(basename ${CERT_URL})
cd $(/usr/bin/zipinfo -1 $(basename ${CERT_URL}) | /usr/bin/awk -F/ '{ print $1 }' | head -1)
# Convert .p7b certs to straight pem and import
for item in *.p7b; do
    TOPDIR=$(pwd)
    TMPDIR=$(mktemp -d /tmp/$(basename ${item} .p7b).XXXXXX) || exit 1
    PEMNAME=$(basename ${item} .p7b)
    openssl pkcs7 -print_certs -in ${item} -inform der -out "${TMPDIR}/${PEMNAME}"
    cd ${TMPDIR}
    /usr/bin/split -p '^$' ${PEMNAME}
    rm $(ls x* | tail -1)
    for cert in x??; do
        sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${cert}
    done
    cd ${TOPDIR}
    rm -rf ${TMPDIR}
done
```
Added your updates @dinosaurhead and some linter goodness to make shellcheck happy. Thanks for the input.
When running this on a device running macOS Sonoma 14.5, it was able to import only the Root CA certificates successfully; all other intermediate CA certs show as not trusted. I have resolved this by filtering the certs by their CN (I know, probably not the best way, but it works) and importing the Root CA certs with the resultType trustRoot (this is what was done for all of the certs previously) and importing the Intermediate CA certs with the resultType trustAsRoot. Here is the adjusted script for this:
```bash
#!/bin/bash
set -eu -o pipefail
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'
# Download & Extract DoD root certificates
cd /Users/Shared || exit 1
/usr/bin/curl -LOJ "${CERT_URL}"
/usr/bin/unzip -o "$(basename "${CERT_URL}")"
cd "$(/usr/bin/zipinfo -1 "$(basename "${CERT_URL}")" | /usr/bin/awk -F/ '{ print $1 }' | head -1)" || exit 1
# Convert .p7b certs to straight pem and import
for item in *.p7b; do
    TOPDIR=$(pwd)
    TMPDIR=$(mktemp -d "/tmp/$(basename "${item}" .p7b).XXXXXX") || exit 1
    PEMNAME=$(basename "${item}" .p7b)
    openssl pkcs7 -print_certs -in "${item}" -inform der -out "${TMPDIR}/${PEMNAME}"
    cd "${TMPDIR}"
    /usr/bin/split -p '^$' "${PEMNAME}"
    rm "$(find . -name "x*" | sort | tail -1)"
    for cert in x??; do
        CERTCN="$(openssl x509 -noout -subject -in "${cert}" | sed -n '/^subject/s/^.*CN=//p')"
        if [[ "${CERTCN}" == *"DoD Root CA"* ]]; then
            sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}"
            echo "${CERTCN} has been added as a trusted Root CA to the system certificate keychain."
        elif [[ "${CERTCN}" == *"DOD"* ]] && [[ "${CERTCN}" != *"DoD Root CA"* ]]; then
            sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "${cert}"
            echo "${CERTCN} has been added as a trusted CA to the system certificate keychain."
        else
            echo "The certificate with the common name ${CERTCN} is not a DoD CA cert."
        fi
    done
    cd "${TOPDIR}"
    rm -rf "${TMPDIR}"
done
```
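The split-and-classify step used by the gist and by the adjusted script above can be done without matching on common names. The following POSIX shell script is an added example, not code from the gist or from any commenter: it splits the PEM bundle with awk (one file per BEGIN/END block, so there is no trailing blank-line chunk to delete and no dependency on BSD `split -p`), then decides root versus intermediate by checking whether each certificate is self-signed (subject equals issuer and the certificate verifies against itself). That distinction is what the macOS trust settings care about: kSecTrustSettingsResultTrustRoot applies only to self-signed certificates, which is why intermediates imported with `-r trustRoot` show as not trusted, and `-r trustAsRoot` is the value for non-self-signed certificates. It assumes `openssl` is on PATH, that the input is the PEM file produced by `openssl pkcs7 -print_certs` as in the gist, and the System.keychain path from the gist; the function names, file names and the RUN_IMPORT switch are my own. By default it prints the `security` commands instead of running them.

```bash
#!/bin/sh
# Added example (not part of the gist): split a PEM bundle into one file per
# certificate, classify each as a self-signed root or an intermediate, and emit
# the matching `security add-trusted-cert` command. Needs openssl on PATH for
# the classification step; paths and names below are assumptions.
set -eu

# Split a PEM bundle (e.g. the output of `openssl pkcs7 -print_certs`) into
# $2/cert-001.pem, cert-002.pem, ... Only the BEGIN/END blocks are kept, so the
# "subject=" / "issuer=" header lines and the trailing blank line are dropped
# and no stray chunk has to be removed afterwards. Prints the number of
# certificates written.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    n=0
    for f in "$outdir"/cert-*.pem; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print the subject or issuer of a certificate in RFC 2253 form with the
# "subject=" / "issuer=" prefix (and the space LibreSSL adds after it) removed,
# so the comparison works with both OpenSSL and the LibreSSL shipped on macOS.
x509_name() {            # $1 = subject|issuer, $2 = certificate file
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# A root is self-signed: subject equals issuer AND the certificate verifies
# against itself. Comparing names alone would accept a non-root certificate
# whose issuer field merely copies its subject; the signature check does not.
cert_is_root() {
    [ "$(x509_name subject "$1")" = "$(x509_name issuer "$1")" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Map a certificate to the trust-setting result macOS expects: trustRoot for a
# self-signed certificate, trustAsRoot for anything else. Returns the command
# as a string so it can be reviewed before anything touches the keychain.
trust_command() {
    if cert_is_root "$1"; then policy=trustRoot; else policy=trustAsRoot; fi
    echo "security add-trusted-cert -d -r $policy -k /Library/Keychains/System.keychain $1"
}

# Split a bundle, print one line per certificate, and run the import only when
# RUN_IMPORT=1 is set in the environment.
process_bundle() {       # $1 = PEM bundle, $2 = scratch directory
    count=$(split_pem_bundle "$1" "$2")
    echo "found $count certificate(s) in $1"
    for cert in "$2"/cert-*.pem; do
        cmd=$(trust_command "$cert")
        echo "$(x509_name subject "$cert") -> $cmd"
        if [ "${RUN_IMPORT:-0}" = 1 ]; then sudo sh -c "$cmd"; fi
    done
}

# Usage (assumed file names): sh classify-certs.sh Certificates_PKCS7_DoD.pem /tmp/dod-split
if [ "$#" -ge 2 ]; then process_bundle "$1" "$2"; fi
```

One thing worth deciding deliberately before setting RUN_IMPORT=1: `trustAsRoot` turns each intermediate into an independent trust anchor, so a path that ends at that intermediate is accepted without ever consulting the DoD root that signed it. If the only goal is to let macOS build chains when a server omits its intermediates, adding them with `security add-certificates -k /Library/Keychains/System.keychain` (no trust setting) and keeping explicit trust on the self-signed roots is the tighter configuration.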
Thanks @Crimsonize and @dcode, it worked great.
I've used this a few times, and greatly appreciate it!
Recently, the script will prompt me to enter my login for each certificate. Do you know if there is any way to remediate this?
Thank you!