I have generated a certificate in pfx format on Mac OS X and imported it into the system keychain using:
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
The problem is that all trusts are set to no value specified.
How can I set trust for code signing to Always trust using the command line?
Once it is open, navigate to the new certificate by selecting Certificates on the left side menu, then finding the certificate in the list. Once you have found the certificate, double click the certificate to load the details. Mark this as "Always Trust".
If the certificate doesn't seem to be immediately trusted – for example, you're receiving warnings or errors attempting to access resources – reopen "Keychain Access." Right-click the certificate and click "Get Info." Open the "Trust" menu, and under "When Using This Certificate," check "Always Trust."
You will face a root certificate not trusted error if the Securly SSL certificate is not installed on your macOS X. To stop receiving the error you would, therefore, need to install the SSL certificate. Navigate to Finder > Applications > Utilities > Keychain Access.
If you want to turn on SSL/TLS trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate. Apple recommends deploying certificates via Apple Configurator or Mobile Device Management (MDM).
Here's what worked for me, it's very close to that traveling beard's answer. I'm using trustAsRoot instead of trustRoot.
With this change, in the Keychain Viewer, my cert now has "Always Trust" set. When I used trustRoot, the cert is added but with "Use System Default" set and the system default is to Never Trust.
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain <certfile>
NOTE: The sudo will prompt for a password on the command line and the GUI will also prompt.
Nice, now I can import a dev cert on the command line with only a sudo passwd and not have to open that GUI!!
The -p option may be what you need. It can be specified more than once for each of the settings. I wish I knew how to deny one specific item while trusting another all in the same line.
sudo security add-trusted-cert -d -r trustRoot -p [option] -k /Library/Keychains/System.keychain <certificate>
-p options are ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, timestamping, eap
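The two answers above can be combined so that trust is granted only for the policies actually needed (for the question, codeSign) instead of for every use. The script below is an added example, not code from the original posts: the helper names trust_cert and valid_policy are hypothetical, and server.pem is assumed to be the certificate exported from the PFX as a plain certificate file.

```shell
#!/bin/sh
# Added example, not from the original answers.
KEYCHAIN=/Library/Keychains/System.keychain
# -p policy names as listed in the answer above
POLICIES="ssl smime codeSign IPSec iChat basic swUpdate pkgSign pkinitClient pkinitServer timestamping eap"

# valid_policy NAME: succeeds only if NAME is one of the listed -p values
valid_policy() {
    for p in $POLICIES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# trust_cert CERTFILE POLICY... (hypothetical helper): trust CERTFILE for the
# given policies only. Prints the command unless DRY_RUN=0; then runs it via sudo.
trust_cert() {
    [ $# -ge 2 ] || { echo "usage: trust_cert CERTFILE POLICY..." >&2; return 2; }
    cert=$1; shift
    # Reject typos before anything touches the keychain
    for pol in "$@"; do
        valid_policy "$pol" || { echo "unknown policy: $pol" >&2; return 2; }
    done
    n=$#
    for pol in "$@"; do set -- "$@" -p "$pol"; done   # append "-p POLICY" pairs
    shift "$n"                                          # drop the bare names
    set -- security add-trusted-cert -d -r trustAsRoot "$@" -k "$KEYCHAIN" "$cert"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        # Apply, then print the admin trust settings so the result can be checked
        sudo "$@" && security dump-trust-settings -d
    else
        echo "$*"
    fi
}

# Stand-alone use: sh trust.sh server.pem codeSign
if [ $# -gt 0 ]; then trust_cert "$@"; fi
```

By default the script only prints the command it would run; set DRY_RUN=0 to apply it on the Mac.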