Last active
May 15, 2024 04:11
-
-
Save dcode/2fcac5735c6812ea8c25798ff38224b7 to your computer and use it in GitHub Desktop.
Install and trust DoD CA certificates on Mac OS X. Tested on Catalina and Mojave. *NOTE*: This should also enable CAC if you didn't override the system drivers.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
set -eu -o pipefail | |
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip' | |
# Download & Extract DoD root certificates | |
cd ~/Downloads/ || exit 1 | |
/usr/bin/curl -LOJ "${CERT_URL}" | |
/usr/bin/unzip -o "$(basename "${CERT_URL}")" | |
cd "$(/usr/bin/zipinfo -1 "$(basename "${CERT_URL}")" | /usr/bin/awk -F/ '{ print $1 }' | head -1)" || exit 1 | |
# Convert .p7b certs to straight pem and import | |
for item in *.p7b; do | |
TOPDIR=$(pwd) | |
TMPDIR=$(mktemp -d "/tmp/$(basename "${item}" .p7b).XXXXXX") || exit 1 | |
PEMNAME=$(basename "${item}" .p7b) | |
openssl pkcs7 -print_certs -in "${item}" -inform der -out "${TMPDIR}/${PEMNAME}" | |
cd "${TMPDIR}" | |
/usr/bin/split -p '^$' "${PEMNAME}" | |
rm "$(find . -name "x*" | sort | tail -1)" | |
for cert in x??; do | |
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}" | |
done | |
cd "${TOPDIR}" | |
rm -rf "${TMPDIR}" | |
done |
They updated the cert URL to 'https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip' and the extension is changed to just .p7b so you need to update line 1 and line 11 to make this work again.
Needs to be updated. This is working. Wasn't sure if there was a way to submit a PR against a GIST
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'
# Download & Extract DoD root certificates
cd ~/Downloads/
/usr/bin/curl -LOJ ${CERT_URL}
/usr/bin/unzip -o $(basename ${CERT_URL})
cd $(/usr/bin/zipinfo -1 $(basename ${CERT_URL}) | /usr/bin/awk -F/ '{ print $1 }' | head -1)
# Convert .p7b certs to straight pem and import
for item in *.p7b; do
TOPDIR=$(pwd)
TMPDIR=$(mktemp -d /tmp/$(basename ${item} .p7b).XXXXXX) || exit 1
PEMNAME=$(basename ${item} .p7b)
openssl pkcs7 -print_certs -in ${item} -inform der -out "${TMPDIR}/${PEMNAME}"
cd ${TMPDIR}
/usr/bin/split -p '^$' ${PEMNAME}
rm $(ls x* | tail -1)
for cert in x??; do
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${cert}
done
cd ${TOPDIR}
rm -rf ${TMPDIR}
done
Added your updates @dinosaurhead and some linter goodness to make shellcheck happy. Thanks for the input.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Unfortunately I think this is a measurement Apple put in place when modifying the trust store. The best I can offer is using TouchID many, many times if your system supports it.