certsync @1.0.7: update-ca-certificates does not process custom CAs

[claviola (Carlos Laviola)]

I have custom root and intermediate CAs I've added to the OS X keychain that work fine with Safari, but are not added to the openssl certificate store. The only CAs that seem to be added are the ones that are part of "System Roots", which isn't modifiable. Besides checking the trust values of these CAs, I've also tried to put them in the local and system stores to no avail.

[landonf (Landon Fuller)]

The keychain UI can be buggy when it comes to adding CAs to the appropriate trust settings store.

Do your custom CAs show up if you run the following command?

security dump-trust-settings -d

If not, chances are they aren't in the admin trust settings. You could try adding them directly from the command line (untested!) via:

security add-trusted-cert -d <certfile>

[neverpanic (Clemens Lang)]

I think this has never worked due to a bug in certsync. Please try again after r124828.

[landonf (Landon Fuller)]

Unfortunately, having to support such ancient OS X releases has made maintaining and testing certsync a real headache :(

Replying to cal@…:

I think this has never worked due to a bug in certsync. Please try again after r124828.

Hrm; definitely worked for me, since I couldn't check anything out at work, etc, without a custom CA being included.

[neverpanic (Clemens Lang)]

I think my change fixed this. Assuming this is the case and closing due to lack of response from creator.