Revoke Suspicious Certs on macOS

Mark suspicious certificates as not trusted on macOS.

Usage

To mark certificates as not trusted on macOS:

  1. Rebuild Trust Settings.
  2. Import Trust Settings.
  3. Test Trust Setting.
  4. Review test result.

Import Trust Settings

./import-trust-settings.sh

This will merge new trust settings into existing settings. If you'd like to overwrite all existing settings, simply run:

sudo security trust-settings-import -d TrustSettings.plist
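
One way to audit a trust settings file before importing it with sudo, as an added example that is not part of this project's scripts. It assumes TrustSettings.plist uses the layout that `security trust-settings-export` writes (a `trustList` dictionary keyed by certificate SHA-1, each entry holding a `trustSettings` array) and the result codes from Apple's SecTrustSettings.h; the function names and the sample data are constructed for illustration.

```python
import plistlib

# SecTrustSettingsResult values from Apple's SecTrustSettings.h
RESULT_NAMES = {0: "invalid", 1: "trust-root", 2: "trust-as-root",
                3: "deny", 4: "unspecified"}
DEFAULT_RESULT = 1  # a constraint without kSecTrustSettingsResult means trust-root


def classify(entry):
    """Return the set of result names that one trustList entry produces."""
    constraints = entry.get("trustSettings")
    if not constraints:
        # A missing or empty array means "always trust this certificate".
        return {"trust-root"}
    results = set()
    for constraint in constraints:
        value = constraint.get("kSecTrustSettingsResult", DEFAULT_RESULT)
        results.add(RESULT_NAMES.get(value, f"unknown({value})"))
    return results


def audit(plist_bytes):
    """Split entries into deny-only ones and ones that need a manual look."""
    trust_list = plistlib.loads(plist_bytes).get("trustList", {})
    deny_only, other = {}, {}
    for sha1, entry in trust_list.items():
        results = classify(entry)
        target = deny_only if results == {"deny"} else other
        target[sha1] = sorted(results)
    return deny_only, other


# Constructed sample (placeholder hashes, not certificates from this project).
SAMPLE = plistlib.dumps({
    "trustVersion": 1,
    "trustList": {
        "A" * 40: {"trustSettings": [{"kSecTrustSettingsResult": 3}]},
        "B" * 40: {"trustSettings": []},
        "C" * 40: {"trustSettings": [{"kSecTrustSettingsResult": 3},
                                     {"kSecTrustSettingsPolicyName": "sslServer"}]},
    },
})

if __name__ == "__main__":
    deny_only, other = audit(SAMPLE)
    print(f"{len(deny_only)} deny-only entries")
    for sha1, results in other.items():
        print(f"REVIEW {sha1}: {results}")
```

Any entry reported under REVIEW grants trust in at least one case, which a file meant only to distrust certificates should not do.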

Test Trust Setting

./test-trust-settings.sh

This will test all URLs found in test/test-url-list.txt. It uses curl by default.

To run the test with wget, set the TESTDRIVER environment variable:

TESTDRIVER=wget ./test-trust-settings.sh

Note that wget must be built against Apple's SSL library for the trust settings to take effect.

Rebuild Trust Settings

MODE=essential ./build-trust-settings.sh

This will rebuild trust settings using certificates in Severity.High.md.

MODE=recommend ./build-trust-settings.sh

This will rebuild trust settings using certificates in Severity.High.md and Severity.Medium.md. This is the default mode.

MODE=strict ./build-trust-settings.sh

This will rebuild trust settings using certificates in Severity.High.md, Severity.Medium.md and Severity.Low.md.

See Certificates/README.md for more details.

Reset Trust Settings

./libexec/security-trust-settings-merge SystemDefault.plist
sudo security trust-settings-import -d SystemDefault.plist

This will restore your trust settings to system default.

License

The security-trust-settings-tools included in this project are licensed under the BSD 2-clause License.