Recently I wrote a little chunk of code that grabs a CA certificate from a SCEP server, turns it into a SecCertificateRef and adds it to a keychain (either System or login). Now I'm wondering how I can get the system to trust that certificate. I've been playing around with Trust Policies but I haven't had much luck yet.
On top of this, I understand that the system may not allow you to automatically trust a certificate without user interaction. If that's the case, how do you kick off the interaction? Using "SecCertificateAddToKeychain" puts the certificate into the keychain silently.
Side note: I'm trying to support 10.5 with this code as well.
Thanks for any help!
Edit: After playing around with the code on the Citrix page I came up with my own function. From what I gathered from the Citrix page, this method is destructive. So if the certificate is already in the keychain and already has policies (iChat, etc.) this will overwrite those. Since I don't care about that in my project, here's a simpler version I came up with.
```objectivec
-(OSStatus) addCertificate:(CertificateWrapper *) cert trust:(BOOL) shouldTrust {
    // keychain is a SecKeychainRef ivar created with SecKeychainOpen
    OSStatus result = SecCertificateAddToKeychain([cert certificate], keychain);
    // A duplicate is fine: the certificate is already in the keychain but may still need trusting
    if ((result == noErr || result == errKCDuplicateItem) && shouldTrust) {
        // Try the most privileged domain first; each call fails unless the caller holds the rights for it
        SecTrustSettingsDomain domains[3] = { kSecTrustSettingsDomainSystem, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser };
        for (int i = 0; i < 3; i++) {
            // An empty settings array means "trust this certificate as a root for all policies";
            // it replaces whatever trust settings the certificate already has in that domain
            CFMutableArrayRef trustSettingMutArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
            result = SecTrustSettingsSetTrustSettings([cert certificate], domains[i], trustSettingMutArray);
            CFRelease(trustSettingMutArray); // release the array created above
            if (result == noErr) {
                break;
            }
        }
    }
    return result;
}
```
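As an added example (not code from the question or from the Citrix sample), here is a non-destructive variant of the same operation: it reads the certificate's existing user-domain trust settings, appends a trust entry scoped to the SSL policy only, and writes the merged array back, so policies the certificate already has are kept. It assumes a SecCertificateRef obtained elsewhere (for instance from the SCEP download), and SecPolicyCreateSSL requires 10.6 or later; on 10.5 the empty-array form in the question is the available route.

```objectivec
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>

// Adds "trust as root for SSL" to the certificate's user-domain trust settings
// without discarding entries that are already there.
static OSStatus AddSSLTrustPreservingExisting(SecCertificateRef cert) {
    CFArrayRef existing = NULL;
    OSStatus status = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainUser, &existing);
    // errSecItemNotFound: the certificate has no trust settings in this domain yet
    if (status != errSecSuccess && status != errSecItemNotFound) {
        return status;
    }
    // Per SecTrustSettings.h, an empty array already means "trust root for all policies";
    // appending an SSL-only entry would narrow that, so leave it alone.
    if (existing && CFArrayGetCount(existing) == 0) {
        CFRelease(existing);
        return errSecSuccess;
    }
    CFMutableArrayRef settings = existing
        ? CFArrayCreateMutableCopy(NULL, 0, existing)
        : CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    if (existing) CFRelease(existing);

    // One trust settings dictionary: policy = SSL (server side), result = trust as root
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, NULL);
    SInt32 trustRoot = kSecTrustSettingsResultTrustRoot;
    CFNumberRef resultNum = CFNumberCreate(NULL, kCFNumberSInt32Type, &trustRoot);
    const void *keys[]   = { kSecTrustSettingsPolicy, kSecTrustSettingsResult };
    const void *values[] = { sslPolicy, resultNum };
    CFDictionaryRef entry = CFDictionaryCreate(NULL, keys, values, 2,
                                               &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    CFArrayAppendValue(settings, entry);

    // Writing user-domain trust settings is what raises the authorization dialog;
    // there is no separate call needed to start the user interaction.
    status = SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainUser, settings);

    CFRelease(entry);
    CFRelease(resultNum);
    CFRelease(sslPolicy);
    CFRelease(settings);
    return status;
}
```

If the certificate already carries an SSL entry, this appends a second one rather than replacing it; compare kSecTrustSettingsPolicy of the existing dictionaries first if that matters for your deployment.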
There is a great example of how to do this on the Citrix web site with a ton of sample code.