Programmatically installing a Root CA with "Always Trust" via LaunchDaemon for DLP agent

Question

Created 2d

Replies 3

Boosts 0

Participants 2

Hello,

I am working on a DLP (Data Leak Prevention) agent which must programmatically install our custom Root CA certificate into the System Keychain with the "Always Trust" policy. This is required for our network inspection module.

The installation process is currently handled by a LaunchDaemon. I am using the following command:

security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <path to certificate>

The certificate is successfully added to the System Keychain, but the "Always Trust" policy is completely ignored. The certificate remains untrusted until the user manually opens System Settings and explicitly changes the trust settings.

Our DLP agent is specifically designed for environment where MDM is not present and we can not rely on MDM to push profiles.

Is it officially possible to set "Always Trust" for certificate programmatically from a LaunchDaemon?

Thank you in advance!

Answered by DTS Engineer in 888498022

Is it officially possible to set "Always Trust" for certificate programmatically from a LaunchDaemon?

No.

Furthermore, it’s not possible to programmatically install a trusted anchor without user interaction. This isn’t a bug, but the result of a security hardened effort a few years back.

Our DLP agent is specifically designed for environment where MDM is not present …

MDM is the standard way around this. If you can’t rely on MDM then you’ll have to ask the user to approve the anchor.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

1d

Recommended

Is it officially possible to set "Always Trust" for certificate programmatically from a LaunchDaemon?

No.

Furthermore, it’s not possible to programmatically install a trusted anchor without user interaction. This isn’t a bug, but the result of a security hardened effort a few years back.

Our DLP agent is specifically designed for environment where MDM is not present …

MDM is the standard way around this. If you can’t rely on MDM then you’ll have to ask the user to approve the anchor.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

___Pavel___ OP

1d

Hello,

Thank you for response.

Is there any way to reset the "Always Trust" policy?

The following sequence of commands leads to installing a root CA with the "Always Trust" policy:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /<some path>/MyCertificate.cer
change policy to "Always Trust"
sudo security delete-certificate -c "MyCertificate.cer" /<some path>/MyCertificate.cer
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /<some path>/MyCertificate.cer

Result: the newly installed certificate is trusted after step 4.

Thank you for the help!

0

Answer 3

DTS Engineer OP

Apple

10h

Is there any way to reset the "Always Trust" policy?

These are known as trust settings and they have both a command-line and API presence.

On the command line, use various subcommands of the security tool:

% security | grep trust-settings
    dump-trust-settings                  Display contents of trust settings.
    user-trust-settings-enable           Display or manipulate user-level trust settings.
    trust-settings-export                Export trust settings.
    trust-settings-import                Import trust settings.

Programmatically, you have a bunch of Trust Settings APIs.

IMPORTANT Neither of these let you set up a trusted anchor without user approval. Or at least they shouldn’t (-: If you find a way to do that, lemme know and I’ll file a security bug about it!

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0