2011-09-07

Automate removing Diginotar CA certificate

Ed Marczak posted how to delete the untrustworthy Diginotar CA cert on his blog. Read about why you want to trash it at ComputerWeekly.com.

To make it easier for you to do the right thing and delete it on the machines you manage, here's a quick how-to on automating it.

If you're using puppet to manage your Macs, just add this exec to one of your manifests.

  exec { "Eliminate untrustworthy DigiNotar CA.":
    command => "/usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain",
    onlyif => "/usr/bin/security find-certificate -c Diginotar /System/Library/Keychains/SystemRootCertificates.keychain",
  }

If you're using another system management tool, here's how to make a package with The Luggage that will delete the Diginotar cert when you install the pkg.

Download The Luggage from github.

Create a Makefile with the following contents:

#
#   Copyright 2011 Joe Block
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#       You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
#

include /usr/local/share/luggage/luggage.make

TITLE=nuke_diginotar_certificate
REVERSE_DOMAIN=net.unixorn
PAYLOAD=pack-script-postflight

Create a postflight script with the following contents:

#!/bin/bash
#
# Trash untrustworthy Diginotar root ca cert.
#
# See http://www.computerweekly.com/Articles/2011/08/30/247730/Microsoft-warns-of-fraudulent-digital-certificate-issued-by.htm
#
# and
#
# http://radiotope.com/content/remove-certificate
#
# for why.

KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain
# SHA-1 fingerprint of the Diginotar root CA cert to remove.
BAD_SHA1=C060ED44CBD881BD0EF86C0BA287DDCF8167478C

# find-certificate exits non-zero when no matching cert exists, so the
# delete only runs on machines that still have the cert.
if /usr/bin/security find-certificate -c Diginotar "$KEYCHAIN" >/dev/null 2>&1; then
  logger "Deleting Diginotar root cert from SystemRootCertificates.keychain"
  /usr/bin/security delete-certificate -Z "$BAD_SHA1" "$KEYCHAIN"
fi

The Makefile and postflight can be downloaded from the luggage-examples repo on github.

Drop the Makefile and postflight script into a new directory and sudo make pkg.

Now you have a pkg you can push with whatever system management software you're using for your Macintoshes.
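The postflight above keys off the common name and trusts that the delete worked. As an added example (my own code, not from the original post or The Luggage), here is a stricter check-then-delete wrapper that only removes a cert whose SHA-1 fingerprint matches the expected one, re-checks the keychain after deleting so a failed run is reported, and can be dropped into a postflight. It assumes that `security find-certificate -Z` prints one `SHA-1 hash: <hex>` line per matching certificate (that is what `extract_sha1` parses), and the `SECURITY` variable is a hook I added so the tool path can be overridden.

```shell
#!/bin/bash
# Added example, not from the original post: a check-then-delete wrapper
# that only removes a certificate whose SHA-1 fingerprint matches the one
# we expect, and verifies the removal afterwards.
#
# Assumption: `security find-certificate -Z` prints one line of the form
#   SHA-1 hash: <40 hex chars>
# per matching certificate, which is what extract_sha1 parses.

BAD_SHA1="C060ED44CBD881BD0EF86C0BA287DDCF8167478C"   # fingerprint from the post
KEYCHAIN="/System/Library/Keychains/SystemRootCertificates.keychain"
SECURITY="${SECURITY:-/usr/bin/security}"             # overridable path to security(1)

# Read `security find-certificate -Z` output on stdin and print one
# uppercase SHA-1 fingerprint per line.
extract_sha1() {
  awk '/^SHA-1 hash:/ { print toupper($3) }'
}

# Exit 0 if the fingerprint given as $1 appears as a whole line on stdin.
fingerprint_present() {
  grep -qxF "$1"
}

# Print the SHA-1 fingerprints of every cert in keychain $2 whose name
# matches $1.  -a lists all matches rather than only the first.
find_fingerprints() {
  "$SECURITY" find-certificate -a -c "$1" -Z "$2" 2>/dev/null | extract_sha1
}

# Delete the cert with fingerprint $1 from keychain $2 if it is present.
# Returns 0 when the cert is absent afterwards, 1 if the delete failed.
remove_bad_cert() {
  sha1="$1"
  keychain="$2"
  if ! find_fingerprints Diginotar "$keychain" | fingerprint_present "$sha1"; then
    echo "Cert $sha1 not present in $keychain; nothing to do."
    return 0
  fi
  logger -t nuke_diginotar "Deleting cert $sha1 from $keychain"
  "$SECURITY" delete-certificate -Z "$sha1" "$keychain"
  # Re-check so a failed delete (for example, not running as root) is reported.
  if find_fingerprints Diginotar "$keychain" | fingerprint_present "$sha1"; then
    echo "ERROR: cert $sha1 still present in $keychain" >&2
    return 1
  fi
  echo "Cert $sha1 removed from $keychain."
  return 0
}

# Run the removal only when invoked with --run; a postflight would simply
# call remove_bad_cert "$BAD_SHA1" "$KEYCHAIN" unconditionally.
if [ "${1:-}" = "--run" ]; then
  remove_bad_cert "$BAD_SHA1" "$KEYCHAIN"
fi
```

Matching on the fingerprint rather than the name means a legitimately reissued certificate that happens to carry a similar name is left alone, and the non-zero exit on a failed delete lets your management tool flag the machines that still need attention.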

Edit for clarity: This only deletes the Diginotar CA cert from the System keychain. It doesn't update Firefox/Opera/Chrome's caches; you'll need to update them separately.

This work is licensed under a Creative Commons License.
Copyright 2007-2010, Joseph P. Block, Some Rights Reserved.