Last active
May 9, 2026 04:14
-
-
Save dcode/2fcac5735c6812ea8c25798ff38224b7 to your computer and use it in GitHub Desktop.
Install and trust DoD CA certificates on Mac OS X. Tested on Catalina and Mojave. *NOTE*: This should also enable CAC if you didn't override the system drivers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eu -o pipefail | |
| export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip' | |
| # Download & Extract DoD root certificates | |
| cd ~/Downloads/ || exit 1 | |
| /usr/bin/curl -LOJ "${CERT_URL}" | |
| /usr/bin/unzip -o "$(basename "${CERT_URL}")" | |
| cd "$(/usr/bin/zipinfo -1 "$(basename "${CERT_URL}")" | /usr/bin/awk -F/ '{ print $1 }' | head -1)" || exit 1 | |
| # Convert .p7b certs to straight pem and import | |
| for item in *.p7b; do | |
| TOPDIR=$(pwd) | |
| TMPDIR=$(mktemp -d "/tmp/$(basename "${item}" .p7b).XXXXXX") || exit 1 | |
| PEMNAME=$(basename "${item}" .p7b) | |
| openssl pkcs7 -print_certs -in "${item}" -inform der -out "${TMPDIR}/${PEMNAME}" | |
| cd "${TMPDIR}" | |
| /usr/bin/split -p '^$' "${PEMNAME}" | |
| rm "$(find . -name "x*" | sort | tail -1)" | |
| for cert in x??; do | |
| sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}" | |
| done | |
| cd "${TOPDIR}" | |
| rm -rf "${TMPDIR}" | |
| done |
Author
When running this a device running on macOS Sonoma 14.5 it was able to successfully import only the Root CA certificates and all other intermediate CA certs show as not trusted. I have resolved this by filtering through the certs by their CN (I know probably not the best way, but it works) and importing the Root CA certs with the resultType of trustRoot (this is what was done for all of the certs previously) and importing the Intermediate CA certs with the resultType of TrustAsRoot. Here is the adjusted script for this:
#!/bin/bash
set -eu -o pipefail
export CERT_URL='https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip'
# Download & Extract DoD root certificates
cd /Users/Shared || exit 1
/usr/bin/curl -LOJ "${CERT_URL}"
/usr/bin/unzip -o "$(basename "${CERT_URL}")"
cd "$(/usr/bin/zipinfo -1 "$(basename "${CERT_URL}")" | /usr/bin/awk -F/ '{ print $1 }' | head -1)" || exit 1
# Convert .p7b certs to straight pem and import
for item in *.p7b; do
TOPDIR=$(pwd)
TMPDIR=$(mktemp -d "/tmp/$(basename "${item}" .p7b).XXXXXX") || exit 1
PEMNAME=$(basename "${item}" .p7b)
openssl pkcs7 -print_certs -in "${item}" -inform der -out "${TMPDIR}/${PEMNAME}"
cd "${TMPDIR}"
/usr/bin/split -p '^$' "${PEMNAME}"
rm "$(find . -name "x*" | sort | tail -1)"
for cert in x??; do
CERTCN="$(openssl x509 -noout -subject -in ${cert} | sed -n '/^subject/s/^.*CN=//p')"
if [[ "${CERTCN}" == *"DoD Root CA"* ]]; then
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${cert}"
echo "${CERTCN} has been added as a trusted Root CA to the system certificate keychain."
elif [[ "${CERTCN}" == *"DOD"* ]] && [[ "${CERTCN}" != *"DoD Root CA"* ]]; then
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "${cert}"
echo "${CERTCN} has been added as a trusted CA to the system certificate keychain."
else
echo "The certificate with the common name ${CERTCN} is not a DoD CA cert."
fi
done
cd "${TOPDIR}"
rm -rf "${TMPDIR}"
done
Thanks @Crimsonize and @dcode, it worked great.
anyone tried this on Tahoe? not working for me
What issues are you experiencing? There is a known issue that requires
you to continue to use TouchID/re-enter password for each cert. Are
you able to execute the script?
…On Fri, May 8, 2026 at 10:40 PM Jack ***@***.***> wrote:
@getcake commented on this gist.
________________________________
anyone tried this on Tahoe? not working for me
—
Reply to this email directly, view it on GitHub or unsubscribe.
You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS or Android.
@k10urzd lmao yeah that was my issue srry, all good now. i just ended up forcing my little brother tap my yubikey until it finished
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Added your updates @dinosaurhead and some linter goodness to make shellcheck happy. Thanks for the input.