MacOS – How to install subordinate CA certificate into keychain from Terminal

certificatekeychainmacosSecurityterminal

I'm a Windows engineer, setting up a Active Directory PKI, but know very little about Macs. I'm aware of how to install root certificates into the system keychain using:

sudo security add-trusted-cert -d -r trustRoot -k \Library\Keychains\System.keychain rootca.crt

However, I'm not too clear on how to install a subordinate CA's certificate (that was issued by the root CA).

Do I simply use the exact same command, or would i use add-certificates instead?

What is the difference between the resultypes: trustRoot, trustAsRoot, unspecified?

Best Answer

Since the subordinate CA's certificate is already "trusted" due to the root CA's cert being in the System Roots, you just need to use the add-certificates command, specifying the System keychain.

sudo security add-certificates -k /Library/Keychains/System.keychain your_cert_file

Related Solutions

IPad Mail client – IMAP with X.509 client certificates

The question appears to be specific to using X.509 for authentication to an IMAP service, which isn't supported by iOS. S/MIME email encryption and signatures can be performed on iOS, but the authentication to mail services will still use username/password over SSL or TLS.

MacOS – Extract Installer Package Signing Certificates from xip archive

I think it works with the following command:

xar --dump-toc="${HOME}/Desktop/header.xml" -f /path/to/your/archive.xip

This will write an xml file called "header" onto your desktop, and that one contains the X509 certificates. You only need to parse it; maybe jq will do the job best.

Edit: however, jq isn't native macOS, so it has to be with xmllint etc. This below works. It will put all certificates in your home folder.

FILEPATH="/path/to/your/archive.xip"
FILENAME=$(/usr/bin/basename "$FILEPATH")
/usr/bin/xar --dump-toc=- -f "$FILEPATH" \
    | /usr/bin/xmllint --xpath '//signature[@style="RSA"]' - \
    | /usr/bin/sed -n '/<X509Certificate>/,/<\/X509Certificate>/p' \
    | xargs \
        | /usr/bin/awk '{ \
                gsub("<X509Certificate>","-----BEGINCERTIFICATE-----"); \
                gsub("</X509Certificate>","-----ENDCERTIFICATE-----"); \
                print}' \
        | /usr/bin/awk '{gsub(" ","\n"); print}' \
        | /usr/bin/awk '{ \
                gsub("BEGINCERTIFICATE-----","BEGIN CERTIFICATE-----\n"); \
                gsub("-----ENDCERTIFICATE","\n-----END CERTIFICATE"); \ 
                print}' \
    | /usr/bin/csplit -k -s -n 1 -f "$FILENAME"-cert - '/END CERTIFICATE/+1' '{3}' 2>/dev/null
for CERT in *"-cert"* ; do
    if [[ $(/bin/cat "$CERT") == "" ]] ; then
        rm -rf "$CERT"
    else
        mv "$CERT" "$CERT.pem"
    fi
done

Best Answer

Related Solutions

IPad Mail client – IMAP with X.509 client certificates

MacOS – Extract Installer Package Signing Certificates from xip archive

Related Question