Import CA certificate into Chrome via command line

Is it possible to import a custom Certificate Authority (.crt) using Terminal or over SSH on macOS 10.13 High Sierra?


Solution 1:

In MacOS (High Sierra), is it possible to import a custom Certificate Authority (.crt) using Terminal or over SSH?

Yes, it is.

Add a certificate with Terminal

Chrome uses the System keychain certificate store. To add a CA certificate locally, launch Terminal and run this command (I've broken it down into several lines to make it more readable, but the command is fully functional):

sudo security add-trusted-cert \
-k /Library/Keychains/System.keychain \
-d /path/to/CAcertificate.crt

where:

sudo runs the command that follows with administrative privileges (type your login password when requested)

security is a utility to manipulate keychains

-k specifies which keychain to use (run security list-keychains to get a list of available keychains). Note that new root certificates should be added to the login keychain for the current user, or to the System keychain if they are to be shared by all users of this machine, because the System Roots keychain cannot be modified. In the example above, I use the System keychain.

-d adds the certificate to the admin cert store (so that the user doesn't have to authenticate via an authentication dialog)

/path/to/CAcertificate.crt is the path to your CA certificate. The command accepts ASCII (PEM) and binary (DER) certificates.

(See man security for more information.)

Add a certificate over SSH

To add a CA certificate over SSH, use this command:

ssh -t -t <username>@<remote computer> \
'sudo bash -c "security add-trusted-cert \
-k /Library/Keychains/System.keychain \
-d <(echo \"<your CA certificate in PEM format>\")"'

where:

<your CA certificate in PEM format> are the contents of /path/to/CAcertificate.crt in PEM format (see below for an example).

Note that in this case you will have to type the password of <username> twice: once for logging in over ssh and once to run sudo on the remote system.

Example

Before importing your CA certificate, Chrome will display a "NET::ERR_CERT_AUTHORITY_INVALID" error because the CA certificate is not trusted:

[screenshot: Chrome's NET::ERR_CERT_AUTHORITY_INVALID error page]

Let's say you store your CA certificate in /tmp/SelfSignedCertRootCA.crt with contents:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Import it locally to Chrome with this command:

sudo security add-trusted-cert \
-k /Library/Keychains/System.keychain \
-d /tmp/SelfSignedCertRootCA.crt

or over SSH (in the example below, to a remote system with IP address 172.16.96.141) with this command:

ssh -t -t <username>@172.16.96.141 \
'sudo bash -c "security add-trusted-cert \
-k /Library/Keychains/System.keychain \
-d <(echo \"-----BEGIN CERTIFICATE-----
MIIFVjCCAz4CCQCT7ycH41qc8jANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJD
SDEOMAwGA1UECAwFQmFzZWwxDjAMBgNVBAcMBUJhc2VsMR0wGwYDVQQKDBRTZWxm
U2lnbmVkQ2VydCwgSW5jLjEfMB0GA1UEAwwWU2VsZlNpZ25lZENlcnQgUm9vdCBD
QTAeFw0xODA5MzAxMDI1MDhaFw0yODA5MjcxMDI1MDhaMG0xCzAJBgNVBAYTAkNI
MQ4wDAYDVQQIDAVCYXNlbDEOMAwGA1UEBwwFQmFzZWwxHTAbBgNVBAoMFFNlbGZT
aWduZWRDZXJ0LCBJbmMuMR8wHQYDVQQDDBZTZWxmU2lnbmVkQ2VydCBSb290IENB
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy2niOUehGbYdMwg+z7Gx
9I7IefjJS2zVcYzJSHYiL4LhBUDLl0E4QmsOfOuaNP0q1wvhRQAgCC0ZsXVeofhM
DLEbPgdOc8ksBzH1UOboGw99/QsJ9fOs27r227uGKbXp2bstpNB2arl1rAw4litA
QFgfTHCbhVXognwBeUIPU/wZ5ddEmdAa8rt7PnKVSPabT9fXqnWIKOobLyaiB9XT
bd6dHruiqIIMHTCeB90lVdrrKRL0bZJVBj6KVR2yYY8x4xNaDoHS7OBkWkU+rp09
J5LfZJ38u+mA7FOEyxpIgkw5nGeZWdTzjzeio9/oEdfXyJq7PYT/ZskfFODFvBF+
e0Ro9WYbf5H61ywQjAvYW73rfLG8JthldMVu0rVONNl9+dn/bjl5cOicohMLlVkY
w18dIeNDbfsUVN19pfyjG5j0U9LgQ4LZAWkOqIfp8omrTyvXR3UuJhv41W97fXMZ
SZkVdJkbAtBdIGqgNPqxT+5HaeUIEbClDn6n3vOWIOR6kjYi+asGI9U8r29ar6Po
n7btjfNXE/JBUHw7CggKgJiHYXIpaAhUsztKNQSvbPK0g2I4NwtCKpRCiROKdCLC
VRHDJktArbzC9xqtYQ5aZDwFcZN0+5puhGrtUpbcWwmDku3BE4SsKeev5Yo+jgmU
lNi9ramgfGaPmWNGQXuOMA0CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAtdaQzgOF
VbYPTvTYKa+XOyOwAfGnQhoVuoiC1WVq6y42y8Xh2L7pG95dY1a96rO5+Yzq9Ar5
g5dqbkajOnnIaoZYKu9koutc9flmsaaznR4psa5RX3Zyr3ICdTLrFnxNw+p9RFUJ
b0wQCuQ7b4qLxDzTdvQUiJS2FZMqDiSgmQ3wF6Utb5o7bSe13Y5szMGsc9eUaZfi
QUOm/kFVw/0iRssPsTjfPotLOZmMD5RLVFP5Es8zbU7U8W6z5MsBacMkYm8qCkEt
TIK40wQ29qcsZIxvGEJC1FcvuJBArYVtxm+C1mOVGaSbIxWg3zLE4KUEH1baFkr8
XidjLU3AVLzceJsmtLBDk2tVs9w7SLh1Hw7BEBPRWYyoP7rf0KYQ9ojjZ9UXO88q
802pQDLO6KqSl2BGKD/qei+alENOOVuTO4a6z0mUOrqYtgBJq2LqJRnHZChPdhNW
VJU0XCnSoPNVlv5zD8FVefo6nis9Yv3dNlZzCgFFy6YxGNGxHSCUpFlUV6w7HfVE
MYR4Y68XsZfNzB36/I6LMzab5RlPYJ/cy14HuWrrLNpmH5pRtiusKxxnWIYvHyv4
aUQ6Zs6TjWPk2zgxN4FtyAcslqBrymvYTsItPRYwh5tSBGucCm2RkJypRuOfwxZS
1XG7W3dXrGkrD32aRgJa4vNyLIIdQp1M7ag=
-----END CERTIFICATE-----\")"'

Now reload the site. The error is gone:

[screenshot: the site now loads without a certificate error]

and the certificate is listed in the System keychain:

[screenshot: Keychain Access showing the CA certificate in the System keychain]
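Because a certificate added to the System keychain with -d is trusted by every user and every TLS client on the machine, it is worth gating the import on a check. The following is an added example (not code from the answer above): it parses the PEM file, refuses files that contain anything other than exactly one CERTIFICATE block (for instance a bundle that also carries a PRIVATE KEY), compares the SHA-256 fingerprint with a value obtained out of band, and only then builds the `security add-trusted-cert` command from the answer. The sample PEM body, the path `/tmp/SelfSignedCertRootCA.crt` usage and the `run` flag are assumptions for illustration.

```python
import base64
import hashlib
import re
import subprocess
from typing import List, Tuple

# Constructed sample data: these bytes are NOT a real certificate; they only
# let the parsing and fingerprinting below run offline.
SAMPLE_DER = b"not-a-real-cert"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")
# A file that also carries a private key must never be handed to `security`.
MIXED_PEM = ("-----BEGIN PRIVATE KEY-----\n"
             + base64.b64encode(b"constructed-key").decode() + "\n"
             + "-----END PRIVATE KEY-----\n" + SAMPLE_PEM)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(pem_text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(pem_text)]

def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl and Chrome display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def build_import_command(path: str,
                         keychain: str = "/Library/Keychains/System.keychain") -> List[str]:
    """argv of the command from the answer; sudo is prepended by the caller."""
    return ["security", "add-trusted-cert", "-k", keychain, "-d", path]

def import_if_pinned(path: str, pem_text: str, expected_fp: str,
                     run: bool = False) -> Tuple[bool, str]:
    """Import only when the file holds exactly one certificate whose SHA-256
    fingerprint equals the value you verified out of band."""
    blocks = pem_blocks(pem_text)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        labels = [label for label, _ in blocks]
        return False, f"expected exactly one CERTIFICATE block, found {labels}"
    fp = fingerprint_sha256(blocks[0][1])
    if fp != expected_fp.upper():
        return False, f"fingerprint mismatch: {fp}"
    if run:  # only touches the keychain when explicitly asked (macOS only)
        subprocess.run(["sudo"] + build_import_command(path), check=True)
    return True, fp
```

With `run=True` on a Mac the command executed is exactly the `sudo security add-trusted-cert ...` invocation from the answer; with the default `run=False` the function is a dry-run check.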