acmesh-official / acme.sh

A pure Unix shell script implementing the ACME client protocol
https://acme.sh
GNU General Public License v3.0

deploy: mac os x: security import, control serveradmin /etc/certificates generation #2721

Open ProBackup-nl opened 4 years ago

ProBackup-nl commented 4 years ago

This is not a debug report, but a request for information.

I am importing new certs now manually and would like to automate on a Mac OS X server machine with serveradmin running.

I had a look at deploy/keychain.sh and used these commands:

$ sudo /usr/bin/security -v import fullchain.cer -k "/Library/Keychains/System.keychain"
$ sudo /usr/bin/security -v import host.domain.tld.cer -k "/Library/Keychains/System.keychain" -A

The result becomes immediately available in $ security find-identity -v -p ssl-server -s host.domain.tld output:

$ security find-identity -v -p ssl-server -s host.domain.tld
Looking for identities matching "host.domain.tld"
  1) A...1 "host.domain.tld"
  2) 1...3 "host.domain.tld"
     2 valid identities found

Where (1) is the old, and (2) is the new cert.

The issue is that I can't use

$ sudo certupdate replace -c /etc/certificates/host.domain.tld.A...1.cert.pem -C /etc/certificates/host.domain.tld.1...3.cert.pem

because these pem files do not exist there yet.

It takes 34-35 hours, a reboot after security import, or until the next day at 8:03 before the new pem files are generated in /etc/certificates.

Who has ideas on how to control /etc/certificates generation on Mac OS X (Lion, 10.7) Server without reboot?

kovacs-andras commented 3 years ago

I know it's a really late answer, but I solved the "waiting" part like this:

while [ ! -f /etc/certificates/mynew.cert.pem ]; do sleep 1; done

I imported the new certs in a .p12 bundle. It usually took ~10 sec to create / "disassemble" the new bundle into /etc/certificates.

ProBackup-nl commented 3 years ago

It turns out that the generation of new /etc/certificates on Mac OS X can be controlled with the daemon /System/Library/LaunchDaemons/com.apple.UserEventAgent-System.plist (OS 10.7).
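Putting the pieces of this thread together, the script below is an added example (my own, not code from acme.sh's deploy/keychain.sh and not posted by anyone in this issue). It runs the two `security import` commands from the first comment, parses `security find-identity` to tell the already-processed identity from the freshly imported one, waits with a bound for /etc/certificates/<host>.<hash>.cert.pem to appear (the unbounded `while ... sleep 1` loop from the second comment, with a timeout added), and then runs the `certupdate replace` command the reporter wanted to automate. Assumptions that are mine rather than the issue's: fullchain.cer and host.domain.tld.cer sit in the working directory, the <host>.<sha1>.cert.pem naming seen in the issue holds, the WAIT_SECS timeout, and the constructed SAMPLE_LISTING (made-up hashes) used only to exercise the parsing offline.

```sh
#!/bin/sh
# Added example; not acme.sh code and not from the issue participants.
# Assumptions (mine): HOST/KEYCHAIN/CERTDIR/WAIT_SECS values, the
# <host>.<sha1>.cert.pem naming from the issue, and that find-identity
# lists identities as '  N) <40 hex chars> "name"' as pasted in the issue.

HOST="${HOST:-host.domain.tld}"
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
CERTDIR="${CERTDIR:-/etc/certificates}"
WAIT_SECS="${WAIT_SECS:-600}"

# Constructed sample of `security find-identity -v -p ssl-server -s HOST`
# output, modelled on the listing in the issue. Hashes are made up.
SAMPLE_LISTING='Looking for identities matching "host.domain.tld"
  1) 0123456789abcdef0123456789abcdef01234567 "host.domain.tld"
  2) deadbeefdeadbeefdeadbeefdeadbeefdeadbeef "host.domain.tld"
     2 valid identities found'

# Print the 40-hex identity hashes from a find-identity listing (stdin),
# one per line, in listing order. Header/footer lines are skipped.
identity_hashes() {
  awk '$1 ~ /^[0-9]+\)$/ && length($2) == 40 { print $2 }'
}

# Hashes from the listing (stdin) that already have a cert.pem under
# directory $1 for host $2: identities Server.app has already processed.
old_identity_hash() {
  identity_hashes | while read -r h; do
    if [ -f "$1/$2.$h.cert.pem" ]; then echo "$h"; fi
  done
}

# Hashes from the listing (stdin) with no cert.pem yet: the new import.
new_identity_hash() {
  identity_hashes | while read -r h; do
    if [ ! -f "$1/$2.$h.cert.pem" ]; then echo "$h"; fi
  done
}

# Poll for file $1 for at most $2 seconds. Returns 0 when present,
# 1 on timeout, so a stalled /etc/certificates generation fails loudly
# instead of hanging the deploy forever.
wait_for_file() {
  f=$1; limit=${2:-$WAIT_SECS}; waited=0
  while [ ! -f "$f" ]; do
    if [ "$waited" -ge "$limit" ]; then return 1; fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# The full sequence. Only meaningful on the Mac OS X Server host itself.
deploy_to_serveradmin() {
  sudo /usr/bin/security -v import fullchain.cer -k "$KEYCHAIN" || return 1
  sudo /usr/bin/security -v import "$HOST.cer" -k "$KEYCHAIN" -A || return 1
  listing=$(security find-identity -v -p ssl-server -s "$HOST")
  old=$(printf '%s\n' "$listing" | old_identity_hash "$CERTDIR" "$HOST")
  new=$(printf '%s\n' "$listing" | new_identity_hash "$CERTDIR" "$HOST")
  # Refuse to guess when there is not exactly one old and one new identity.
  set -- $old; [ $# -eq 1 ] || { echo "expected one processed identity, got $#" >&2; return 1; }
  set -- $new; [ $# -eq 1 ] || { echo "expected one new identity, got $#" >&2; return 1; }
  wait_for_file "$CERTDIR/$HOST.$new.cert.pem" "$WAIT_SECS" ||
    { echo "timed out waiting for $CERTDIR/$HOST.$new.cert.pem" >&2; return 1; }
  sudo certupdate replace -c "$CERTDIR/$HOST.$old.cert.pem" -C "$CERTDIR/$HOST.$new.cert.pem"
}

# Run the real sequence only when asked and when the macOS tools exist.
if [ "${1:-}" = "deploy" ] && command -v security >/dev/null 2>&1; then
  deploy_to_serveradmin
fi
```

Run it as `sh deploy.sh deploy` on the server after acme.sh has renewed the files. If the pem files do not show up within WAIT_SECS, it exits non-zero rather than waiting for the multi-hour generation the reporter observed; it does not itself touch the com.apple.UserEventAgent-System daemon mentioned in the last comment.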