As Mark stated, use /usr/bin/security to perform all manipulation and management of keychains, Certs, Trust, etc.
"Certtool" is a legacy tool, not designed for this, and one that would be deprecated in the future.

Keep in mind a few things about the Trust Models of 10.4 vs. 10.5:

Mac OS X 10.4 - Trust Model
  - X509Anchors: Trusted Root Store from Apple and for your organizational Roots
      - Apple Pre-populated with Trusted Roots
      - ALL Roots that need to be Trusted MUST be in this keychain
  - X509Certificates
      - Apple Pre-populated Keychains with DoD Intermediate CA Certs (among others)

Three methods for Altering Trust Settings on 10.4:
  - On First Use (application specific)
  - Keychain Access (Manually altering Trust)
  - /usr/bin/security (MUST import Cert Chain -- Root: X509Anchors / Others: Any Keychain)

Mac OS X 10.5 - Trust Model
  - NOTE: X509Anchors is NO LONGER USED (but file exists)
  - NOTE: X509Certificates is NO LONGER USED (file does not exist)
  - System Provided Roots
      - SystemRoots (Keychain): Trusted Root Store from Apple
      - Apple Pre-populated with Trusted Roots
      - Immutable (cannot add/delete) but can change Trust on those Roots
  - Admin Provided Roots
      - System (Keychain): System-based
      - Set for All Users on that system
      - Overrides System Trust Settings
  - "Other Trusted Anchors"
      - ANY User Keychain
      - Overrides both System and Admin Trust Settings
      - **IF** You allow it:

          $ security user-trust-settings-enable -h
          Usage: user-trust-settings-enable [-d] [-e]
              -d  Disable user-level trust Settings
              -e  Enable user-level trust Settings
          With no parameters, show current enable state of user-level trust settings.
          Display or manipulate user-level trust settings.

          $ security user-trust-settings-enable
          User-level Trust Settings are Enabled

Three methods for Altering Trust Settings on 10.5:
  - On First Use (application specific)
  - Keychain Access (Manually altering Trust)
  - /usr/bin/security (with import and setting of trust)
-Shawn
On Jun 12, 2009, at 6:39 AM, Mark Yannuzzi wrote:
Jared:
Use the following:
security add-trusted-cert -d -k /Library/Keychains/System.keychain -p basic -r trustRoot $ROOT_CERT
Replacing $ROOT_CERT with the path to your root certificate.
Mark
--
Mark Yannuzzi
Date: June 11, 2009 12:49:53 PM PDT
Subject: [Fed-Talk] Setting certificate trust
Hi-
Does anyone know a scriptable way to set the certificate trust level? I'm automating the installation of our root CA onto managed Macs and can successfully install them; I now just need to set the trust level. I don't see a way to do it with certtool on the command line.
Thanks
-j

Jared F. Nichols
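The following script is an added example, not code from anyone in the thread. It scripts the 10.5 workflow Shawn lays out and Mark's one-liner: import an organizational root into the System keychain as an admin-trusted anchor with /usr/bin/security, verify it, and then report whether user-level trust settings (which, per Shawn, can override the admin setting) are enabled. It assumes the Mac OS X 10.5 `security` subcommands `add-trusted-cert`, `verify-cert` and `user-trust-settings-enable`, that writing admin trust settings (`-d`) is done as root, and that the "Disabled" output wording mirrors the "Enabled" line Shawn quoted (an assumption). The helper functions run on any host; the keychain is only touched when `security` exists and `install_root_ca` is invoked.

```shell
#!/bin/sh
# Added example (not from the thread): install an organizational root CA into the
# System keychain as an admin-trusted anchor, verify it, and report user-level trust.
# Assumptions: Mac OS X 10.5+ `security` with add-trusted-cert, verify-cert and
# user-trust-settings-enable; the admin trust store (-d) needs root, so run via sudo.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# 0 if the file starts with a PEM certificate header. add-trusted-cert also takes DER,
# but the header check catches the usual "wrong file shipped" deployment mistake early.
root_ca_is_pem() {
  [ -f "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

# The -r result types add-trusted-cert accepts.
valid_result_type() {
  case "$1" in
    trustRoot|trustAsRoot|deny|unspecified) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the exact add-trusted-cert invocation for review or logging before it runs.
# $1 cert path, $2 result type (default trustRoot), $3 policy (default basic, as in Mark's line).
trust_cmd() {
  valid_result_type "${2:-trustRoot}" || { echo "invalid result type: $2" >&2; return 1; }
  printf 'security add-trusted-cert -d -k %s -p %s -r %s %s\n' \
    "$SYSTEM_KEYCHAIN" "${3:-basic}" "${2:-trustRoot}" "$1"
}

# Import the root and mark it trusted for all users; dry-run where `security` is absent.
install_root_ca() {
  cert=$1; result=${2:-trustRoot}; policy=${3:-basic}
  root_ca_is_pem "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  cmd=$(trust_cmd "$cert" "$result" "$policy") || return 1
  if ! command -v security >/dev/null 2>&1; then
    echo "dry run (no /usr/bin/security on this host): $cmd"
    return 0
  fi
  echo "running: $cmd"
  # Pass arguments directly rather than eval'ing the logged string, so paths with spaces survive.
  security add-trusted-cert -d -k "$SYSTEM_KEYCHAIN" -p "$policy" -r "$result" "$cert" || return 1
  # verify-cert evaluates the certificate against the trust settings just written.
  security verify-cert -c "$cert"
}

# Classify the line `security user-trust-settings-enable` prints. The "Enabled" wording is
# quoted in Shawn's message; the "Disabled" wording is an assumption.
parse_user_trust_state() {
  case "$1" in
    *"are Enabled"*)  echo enabled ;;
    *"are Disabled"*) echo disabled ;;
    *) echo "unrecognized: $1" >&2; return 1 ;;
  esac
}

# Report whether per-user keychains may still override the admin anchor just installed.
report_user_trust() {
  command -v security >/dev/null 2>&1 || { echo "user-level trust: unknown (no security tool)"; return 0; }
  state=$(parse_user_trust_state "$(security user-trust-settings-enable)") || return 1
  echo "user-level trust settings: $state"
  [ "$state" = enabled ] && echo "note: a user keychain can override this anchor; disable with: security user-trust-settings-enable -d"
  return 0
}

# Usage: sudo sh install_root_ca.sh /path/to/org-root.pem [trustRoot|trustAsRoot|deny|unspecified] [policy]
if [ $# -gt 0 ]; then
  install_root_ca "$@" && report_user_trust
fi
```

`trust_cmd` exists so the exact invocation can be logged or reviewed by whoever approves the managed-Mac deployment; the real call passes its arguments directly instead of evaluating that string. With `-r deny` the same script can be used to explicitly distrust a root that is present in SystemRoots, which on 10.5 cannot be deleted but can have its trust changed, as Shawn notes.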