I'm building an application that will connect to the user's web browser through a secure web socket (SSL). I'm using Websocketd to connect to the web socket, but that shouldn't matter.
Short version:
I really just need help using the add-trusted-cert command... and Apple's man pages really don't help at all if you haven't used this before. How can I add a certificate to the System Keychain and only set the SSL and Basic option to "Always Trust"?
Long version:
I am generating self-signed certificates and passing them into Websocketd in order to connect to the web socket over SSL. No further steps are required for Firefox and Chrome... they just work with this. Safari, however, doesn't trust my self-signed certificates, and I have to go into Keychain Access and add my certificate and change the Trust settings to "Use Custom Settings" with ONLY the SSL option and the X.509 Basic Policy option set to "Always Trust"... any other settings and Safari complains. I don't want my users to have to fiddle with certificates, so my solution was to add my certificate to the System Keychain using a post-install script. Like so:
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.Keychain" "./certificate.cert"
This successfully adds the certificate to the user's System Keychain... but it sets all of the options to "Always Trust"... for some reason Safari doesn't like this and complains. Only when the SSL and X.509 Basic Policy options are set to Always Trust and the rest set to "No Value Specified" does Safari behave.
Okay so I checked out the man pages for the "security add-trusted-cert" and sure enough there is an option that you can pass in to only set certain options to "Always Trust"... so I came up with this:
sudo security add-trusted-cert -d -r trustRoot -p ssl -k "/Library/Keychains/System.Keychain" "./certificate.cert"
The result of the -p ssl option is that now my certificate gets added to the System Keychain with only the SSL option set to Always Trust... but the basic option isn't! If I replace ssl with basic I can set the basic option to Always Trust:
sudo security add-trusted-cert -d -r trustRoot -p basic -k "/Library/Keychains/System.Keychain" "./certificate.cert"
But this still doesn't solve my issue! I need BOTH set to Always Trust, and the other options left at "No Specified Value"... so I tried this:
sudo security add-trusted-cert -d -r trustRoot -p ssl & basic -k "/Library/Keychains/System.Keychain" "./certificate.cert"
But this doesn't work. I swear I've read all of Google on this subject and I can't find a single example of how to construct this command so that it accomplishes what I am describing. This link confirmed what I need to do but didn't actually provide an example command, and this link is searching the same answer I am... but nobody has replied with a suitable answer yet, and the accepted answer on this stackoverflow question is correct... but they just tell you what you need to do (I already know that), and don't tell you how to actually do it.
So again, how can I add a certificate to the System Keychain and only set the SSL and Basic option to "Always Trust"?
Thank you!
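An added example, not part of the question above, of the post-install helper described in it. It assumes macOS with /usr/bin/security, and relies on the security(1) man page's statement that the -p policy constraint "can be specified multiple times", so the two policies are passed as separate -p flags rather than joined with "&". The certificate path, the hypothetical policy_flags/install_trust function names and the lowercase System.keychain path (the real file name; the keychain filesystem is case-insensitive, so the capitalised spelling in the question also resolves) are this example's own choices, not the poster's.

```shell
#!/bin/sh
# Added example: mark a self-signed certificate "Always Trust" for only the
# SSL and X.509 Basic policies in the admin trust domain (-d), leaving every
# other policy at "No Value Specified". Must run as root because of -d.
# Assumption: security(1) accepts -p more than once (documented in its man page).

KEYCHAIN="/Library/Keychains/System.keychain"   # real file name is lowercase "keychain"

# Turn a list of policy names into the repeated "-p NAME" flags add-trusted-cert
# expects: "ssl basic" -> "-p ssl -p basic". Pure string building, so it can be
# inspected without touching the keychain.
policy_flags() {
    out=""
    for p in "$@"; do
        out="$out -p $p"
    done
    printf '%s\n' "${out# }"
}

# Refuse to trust anything that is not a parseable X.509 certificate; a stray
# file passed by an installer should fail here, not become a trusted root.
cert_is_x509() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# install_trust CERT POLICY... : add CERT to the System keychain trusted only
# for the named policies, then dump the admin-domain trust settings to confirm.
install_trust() {
    cert="$1"; shift
    cert_is_x509 "$cert" || { echo "not an X.509 certificate: $cert" >&2; return 1; }
    policies="$*"
    # POSIX sh has no arrays: rebuild the positional parameters as "-p X -p Y"
    # so each flag stays a separate argument (no eval, no word-splitting surprises).
    set --
    for p in $policies; do
        set -- "$@" -p "$p"
    done
    security add-trusted-cert -d -r trustRoot "$@" -k "$KEYCHAIN" "$cert" || return 1
    # Show what was actually recorded: the cert should list only the policies given.
    security dump-trust-settings -d
}

# Post-install entry point: only runs when a certificate path is supplied.
if [ "$#" -gt 0 ]; then
    install_trust "$1" ssl basic
fi
```

Usage from a post-install script: `sudo ./trust-cert.sh /path/to/certificate.cert`, after which `security dump-trust-settings -d` should show the certificate with an SSL and a Basic policy entry and nothing else. Because the certificate becomes a trusted root in the admin domain, anyone holding its private key can impersonate whatever names it carries on that machine, so generate a distinct key per installation, limit the certificate's names to the loopback host the web socket actually binds to, and remove the trust entry on uninstall.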