This is a quick fix I wrote for developers to install internal root and subordinate CAs. It pulls the root certificate from a web server, verifies its fingerprint, parses out and downloads the subordinate certificates, and installs them in the macOS keychain. It was intended to be run interactively at the command line, but it also works well as a machine setup script.

The fingerprint check is what protects against a malicious or spoofed endpoint. In this case the CA web server is a Windows CA server whose TLS certificate is issued under the same internal root, so that root is not yet trusted the first time the script runs; curl is therefore invoked with -k, which disables TLS certificate validation and leaves the download open to a man-in-the-middle (MITM) attack. Comparing the fingerprint of the downloaded root certificate against a known-good value closes that gap: the fingerprint is a cryptographic hash of the certificate, and the chance of an attacker producing a different certificate with the same hash is negligible, so a match means the certificate is the expected one. The expected fingerprint must therefore come from an out-of-band source (for example, embedded in the script from the CA administrator), never from the same unverified download.

Tips

  • If your HTTPS endpoint's certificate is issued by a CA that macOS already trusts, remove -k from the curl command so the download is protected by normal TLS validation as well.

References