Skip to content

Instantly share code, notes, and snippets.

@dcode

dcode/import_dod_certs_mac.sh

Last active May 15, 2024 04:11
Show Gist options
  • Save dcode/2fcac5735c6812ea8c25798ff38224b7 to your computer and use it in GitHub Desktop.
Save dcode/2fcac5735c6812ea8c25798ff38224b7 to your computer and use it in GitHub Desktop.
Download ZIP
Install and trust DoD CA certificates on Mac OS X. Tested on Catalina and Mojave. *NOTE*: This should also enable CAC if you didn't override the system drivers.
Raw
import_dod_certs_mac.sh
#!/bin/bash
set -eu -o pipefail
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'
# Download & Extract DoD root certificates
cd ~/Downloads/ || exit 1
/usr/bin/curl -LOJ "${CERT_URL}"
/usr/bin/unzip -o "$(basename "${CERT_URL}")"
cd "$(/usr/bin/zipinfo -1 "$(basename "${CERT_URL}")" | /usr/bin/awk -F/ '{ print $1 }' | head -1)" || exit 1
# Convert .p7b certs to straight pem and import
for item in *.p7b; do
TOPDIR=$(pwd)
TMPDIR=$(mktemp -d "/tmp/$(basename "${item}" .p7b).XXXXXX") || exit 1
PEMNAME=$(basename "${item}" .p7b)
openssl pkcs7 -print_certs -in "${item}" -inform der -out "${TMPDIR}/${PEMNAME}"
cd "${TMPDIR}"
/usr/bin/split -p '^$' "${PEMNAME}"
rm "$(find . -name "x*" | sort | tail -1)"
for cert in x??; do
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}"
done
cd "${TOPDIR}"
rm -rf "${TMPDIR}"
done
@k10urzd
Copy link

k10urzd commented Mar 10, 2022

I've used this a few times, and greatly appreciate it!

Recently, the script will prompt me to enter my login for each certificate. Do you know if there is any way to remediate this?

Thank you!

@rac3rx
Copy link

rac3rx commented Apr 19, 2022

Didn't see anything to avoid this, because it is painful providing the login so many times: https://developer.apple.com/forums/thread/671582
https://stackoverflow.com/questions/15673364/how-to-add-trusted-cert-on-a-mac-remotely-without-user-interaction
https://developer.apple.com/documentation/security/1399119-sectrustsettingssettrustsettings

Did not work as root either. :(

@dcode
Copy link
Author

dcode commented Apr 19, 2022

Unfortunately I think this is a measurement Apple put in place when modifying the trust store. The best I can offer is using TouchID many, many times if your system supports it.

@dyn0m1ght
Copy link

They updated the cert URL to 'https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip' and the extension is changed to just .p7b so you need to update line 1 and line 11 to make this work again.

@dinosaurhead
Copy link

dinosaurhead commented May 9, 2024
edited
Loading

Needs to be updated. This is working. Wasn't sure if there was a way to submit a PR against a GIST

export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'

# Download & Extract DoD root certificates
cd ~/Downloads/
/usr/bin/curl -LOJ ${CERT_URL}

/usr/bin/unzip -o $(basename ${CERT_URL})

cd $(/usr/bin/zipinfo -1 $(basename ${CERT_URL}) | /usr/bin/awk -F/ '{ print $1 }' | head -1)

# Convert .p7b certs to straight pem and import
for item in *.p7b; do
  TOPDIR=$(pwd)
  TMPDIR=$(mktemp -d /tmp/$(basename ${item} .p7b).XXXXXX) || exit 1
  PEMNAME=$(basename ${item} .p7b)
  openssl pkcs7 -print_certs -in ${item} -inform der -out "${TMPDIR}/${PEMNAME}"
  cd ${TMPDIR}
  /usr/bin/split -p '^$' ${PEMNAME}
  rm $(ls x* | tail -1)
  for cert in x??; do
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${cert}
  done
  
  cd ${TOPDIR}
  rm -rf ${TMPDIR}
done

@dcode
Copy link
Author

dcode commented May 15, 2024

Added your updates @dinosaurhead and some linter goodness to make shellcheck happy. Thanks for the input.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment