@jbilinski
Last active August 5, 2024 05:46
macOS shell script to install a new root CA and intermediate CAs
#!/bin/bash
# Ensure the script is run as root (re-exec under sudo otherwise)
((EUID != 0)) && exec sudo -- "$0" "$@"
cd /tmp/ &>/dev/null
clear
# Define the certificate URL and the pinned SHA-256 fingerprint of the root CA
crturl="https://scriptops.corp/CertEnroll/"
rootfingerprint="00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
rootcrtfile="Corporate Root CA.crt"
# Define the list of intermediate certificates
declare -a crtfilelist
crtfilelist=("Corporate Intermediate CA 2.crt" "Corporate Intermediate CA 1.crt")
# Download the root certificate. -k skips TLS verification (the enrollment site is
# usually served with a certificate issued by the very CA being installed), so the
# fingerprint comparison below is the only thing establishing trust in the file.
# -f makes curl fail on an HTTP error instead of saving an error page as the cert.
if ! curl -# -f --url "$crturl${rootcrtfile// /%20}" -k -o "$rootcrtfile"; then
    echo "Failed to download $rootcrtfile"
    cd - &>/dev/null
    sudo -k
    exit 1
fi
# Compare the expected and downloaded certificate fingerprints
diff -as --label "Expected CA Fingerprint" \
    <(echo "SHA256 Fingerprint=$rootfingerprint") \
    --label "Downloaded CA Fingerprint" \
    <(openssl x509 -noout -in "./$rootcrtfile" -fingerprint -sha256)
# Check if the fingerprints match; on mismatch remove the file while still in /tmp
if [ $? -ne 0 ]; then
    echo "Downloaded certificate fingerprint mismatch!"
    rm -f "$rootcrtfile"
    cd - &>/dev/null
    sudo -k
    exit 1
fi
# Add the root certificate to the system keychain
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$rootcrtfile"
# Download and add each intermediate certificate to the system keychain.
# Note: unlike the root, the intermediates are not pinned here; they are trusted on
# the strength of the download alone, so a chain check against the verified root is
# worth adding if the enrollment host is not fully trusted.
for crtfile in "${crtfilelist[@]}"; do
    if ! curl -# -f --url "$crturl${crtfile// /%20}" -k -o "$crtfile"; then
        echo "Failed to download $crtfile; skipping"
        continue
    fi
    security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "$crtfile"
    rm -f "$crtfile"
done
# Clean up the downloaded root and return to the original directory
rm -f "$rootcrtfile"
cd - &>/dev/null
sudo -k
exit 0
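As an added example (not part of the gist), a more robust version of the two checks the script relies on: a fingerprint comparison that ignores the prefix and case differences between LibreSSL (`SHA256 Fingerprint=`) and OpenSSL 3 (`sha256 Fingerprint=`), and a chain check that an intermediate actually chains to the pinned root before it is trusted. Function names and the throwaway demo CA are my own; the chain check assumes each intermediate is issued directly by the root.

```shell
#!/bin/sh
# Reduce a fingerprint line to bare uppercase hex: drop any "...=" prefix
# (e.g. "SHA256 Fingerprint="), remove colons, uppercase.
normalize_fp() {
    s="$1"
    s="${s#*=}"
    printf '%s' "$s" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Exit 0 if the two fingerprints denote the same digest, 1 otherwise.
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Normalized SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    normalize_fp "$(openssl x509 -noout -in "$1" -fingerprint -sha256)"
}

# Exit 0 if CERT ($2) chains to ROOT ($1). Assumption: issued directly by the root.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo: build a throwaway root plus one intermediate signed by it,
# then run both checks. Skipped when openssl is not installed.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.crt" -subj "/CN=Demo Root" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" \
        -out "$d/int.csr" -subj "/CN=Demo Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" -days 1 >/dev/null 2>&1
    pin=$(cert_fingerprint "$d/root.crt")
    fingerprint_matches "$pin" "$(cert_fingerprint "$d/root.crt")" \
        && echo "root matches pin $pin"
    fingerprint_matches "$pin" "$(cert_fingerprint "$d/int.crt")" \
        || echo "intermediate does not match the root pin (as expected)"
    chains_to_root "$d/root.crt" "$d/int.crt" && echo "intermediate chains to root"
    rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```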