-
-
Save dcode/2fcac5735c6812ea8c25798ff38224b7 to your computer and use it in GitHub Desktop.
| export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DoD.zip' | |
| # Download & Extract DoD root certificates | |
| cd ~/Downloads/ | |
| /usr/bin/curl -LOJ ${CERT_URL} | |
| /usr/bin/unzip -o $(basename ${CERT_URL}) | |
| cd $(/usr/bin/zipinfo -1 $(basename ${CERT_URL}) | /usr/bin/awk -F/ '{ print $1 }' | head -1) | |
| # Convert pem.p7b certs to straight pem and import | |
| for item in *.pem.p7b; do | |
| TOPDIR=$(pwd) | |
| TMPDIR=$(mktemp -d /tmp/$(basename ${item} .p7b).XXXXXX) || exit 1 | |
| PEMNAME=$(basename ${item} .p7b) | |
| openssl pkcs7 -print_certs -in ${item} -out "${TMPDIR}/${PEMNAME}" | |
| cd ${TMPDIR} | |
| /usr/bin/split -p '^$' ${PEMNAME} | |
| rm $(ls x* | tail -1) | |
| for cert in x??; do | |
| sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${cert} | |
| done | |
| cd ${TOPDIR} | |
| rm -rf ${TMPDIR} | |
| done |
Didn't see anything to avoid this, because it is painful providing the login so many times: https://developer.apple.com/forums/thread/671582
https://stackoverflow.com/questions/15673364/how-to-add-trusted-cert-on-a-mac-remotely-without-user-interaction
https://developer.apple.com/documentation/security/1399119-sectrustsettingssettrustsettings
Did not work as root either. :(
Unfortunately I think this is a measurement Apple put in place when modifying the trust store. The best I can offer is using TouchID many, many times if your system supports it.
They updated the cert URL to 'https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip' and the extension is changed to just .p7b so you need to update line 1 and line 11 to make this work again.
I've used this a few times, and greatly appreciate it!
Recently, the script will prompt me to enter my login for each certificate. Do you know if there is any way to remediate this?
Thank you!