HOWTO: Centrally manage cacert.org root certificates on Mac OS X
This document details how to script the process of importing the CAcert Root Certificates into the Mac OS X system wide root certificates keychain.
Operating system version differences
On Mac OS 10.5 this system-wide keychain is called "SystemRootCertificates.keychain" and shows up in Keychain Access as "System Roots". On 10.4 and earlier it's called "X509Anchors" (no filename extension) and shows up as such in Keychain Access. The old file is still present on 10.5, but ignored; it only remains for backwards compatibility with third-party software. In all cases the system-wide keychain files are located in /System/Library/Keychains. The scripts below were written with 10.4 in mind. To update them for Leopard, substitute SystemRootCertificates.keychain for X509Anchors in all path names.
Motivation
Central management is nice. Distribute the modified X509Anchors file to a lab of workstations, and your internal services signed by cacert.org will just work on those machines.
Example
# copy me
mkdir cacert.org
cd cacert.org
curl -k -o "root_X0F.crt" "https://www.cacert.org/certs/root_X0F.crt"
curl -k -o "class3_x14E228.crt" "https://www.cacert.org/certs/class3_x14E228.crt"
cp "/System/Library/Keychains/X509Anchors" "${HOME}/Library/Keychains/X509Anchors.backup"
cp "/System/Library/Keychains/X509Anchors" "${HOME}/Library/Keychains/X509Anchors"
# Install the cacert.org class 1 cert if its fingerprint matches.
if openssl x509 -noout -fingerprint < root_X0F.crt | \
   grep "Fingerprint=DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5"
then
  certtool i "root_X0F.crt" k=X509Anchors
fi
# Install the cacert.org class 3 cert if its fingerprint matches.
if openssl x509 -noout -fingerprint < class3_x14E228.crt | \
   grep "Fingerprint=D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8"
then
  certtool i "class3_x14E228.crt" k=X509Anchors
fi
sudo cp "${HOME}/Library/Keychains/X509Anchors" "/System/Library/Keychains/X509Anchors"
# end
Discussion
I use curl with the -k option to disable verification of the server's SSL certificate. Checking the certificate fingerprint afterwards is sufficient, and importing the certificates into curl's own CA bundle is covered in a separate document.
I then make two copies of the X509Anchors file (one as a backup) in the directory that the vendor-supplied certificate tools operate on by default, ~/Library/Keychains.
Next, I check the certificate fingerprints using the vendor-supplied version of openssl and grep. You can verify the fingerprints yourself against http://www.cacert.org/index.php?id=3.
If grep matches successfully, I use the vendor-supplied certtool utility to import both certificates into the X509Anchors copy in the user keychain directory.
Assuming all went well, I copy the keychain back into the system location. This freshly updated X509Anchors file can then be distributed to all hosts on the site network using a tool such as cfengine.
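The script above skips a certificate whose fingerprint does not match but still copies the keychain back into /System, and grep's pattern match would also accept a partial fingerprint. The following is an added example (not part of the original HOWTO) of a fail-closed version of the check: an exact, case-insensitive comparison of the whole fingerprint, and an abort before anything is written to the system keychain. It assumes openssl and certtool in PATH as on the page; the function names are my own.

```shell
#!/bin/sh
# Added example: fail-closed fingerprint verification before certtool import.
# Function names (fingerprint_matches, verify_cert_file, import_verified) are
# hypothetical, not part of the original HOWTO or of Apple's tools.
set -u

# Parse the hex fingerprint out of openssl's "SHA1 Fingerprint=AA:BB:..." line and
# require an exact, case-insensitive match against the expected value.
# Returns 0 on match, 1 on mismatch or on empty/unparseable openssl output.
fingerprint_matches() {
    opensslout="$1"; expected="$2"
    actual=$(printf '%s\n' "$opensslout" | sed -n 's/^.*Fingerprint=//p' | head -n 1 | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Verify a certificate file on disk; non-zero if openssl cannot read it or the
# fingerprint differs from what was published out of band.
verify_cert_file() {
    fingerprint_matches "$(openssl x509 -noout -fingerprint -sha1 -in "$1" 2>/dev/null)" "$2"
}

# Import only a verified certificate; abort the whole run on mismatch so that the
# caller never reaches the final "sudo cp" into /System/Library/Keychains.
import_verified() {
    cert="$1"; expected="$2"; keychain="$3"
    if verify_cert_file "$cert" "$expected"; then
        certtool i "$cert" k="$keychain"
    else
        echo "fingerprint mismatch for $cert; refusing to import" >&2
        exit 1
    fi
}

# Usage, with the two CAcert fingerprints from this page (uncomment to run):
# import_verified root_X0F.crt DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5 X509Anchors
# import_verified class3_x14E228.crt D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8 X509Anchors
# sudo cp "${HOME}/Library/Keychains/X509Anchors" "/System/Library/Keychains/X509Anchors"
```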
For a single OS X machine (or just a few) you can simply import the DER versions of the root (root_X0F.der) and class 3 (class3_x14E228.der) certificates via Keychain Access. Apple has instructions here, and other instructions are here. More detailed instructions are available from Purdue.
Note that after the initial import, Keychain Access may report that the certificates are not in the trusted roots. Just quit and relaunch Keychain Access and this issue should resolve itself.
Authors
Jeff McCune <mccune at math.ohio-state.edu> (original author)
KevinVanHaaren (note about certs not initially trusted)
NicholasShanks (updated for Leopard)