cURL Root Certificates Update

Update root certificates for cURL on macOS Mojave and earlier to resolve Let's Encrypt certificate issues

Worklet Details

What the cURL Certificate Update Worklet does

This Automox Worklet™ updates the root certificate bundle used by cURL and other SSL-dependent tools on macOS endpoints running Mojave (10.14) or earlier. The Worklet downloads the current certificate bundle from the LibreSSL project and replaces /etc/ssl/cert.pem, resolving certificate verification failures caused by expired root certificates.

The Worklet specifically addresses the Let's Encrypt root certificate expiration that affected older macOS systems. Systems running Catalina or later receive updated certificates through normal macOS updates and do not require this Worklet.

Why update cURL root certificates

Update failures occur silently, leaving endpoints vulnerable. The Let's Encrypt root certificate (DST Root CA X3) expired in September 2021, causing certificate verification failures on systems with outdated root certificate stores. Many HTTPS connections that worked previously began failing with SSL errors.

Older macOS versions no longer receive root certificate updates from Apple. This leaves systems vulnerable to connection failures as more certificates chain to newer roots not present in the outdated bundle.

Without updated certificates, endpoints may lose connectivity to the Automox API itself, preventing management operations. This Worklet restores connectivity and enables continued management of legacy macOS systems.

How certificate bundle update works

  1. Evaluation phase: The Worklet checks the Darwin kernel version to identify the macOS release. Systems running Darwin 19 or later (Catalina+) exit as compliant. For older systems, the Worklet checks the certificate bundle version in /etc/ssl/cert.pem. If the version is 1.24 or later, the system is compliant.

  2. Remediation phase: The Worklet downloads the latest cert.pem from the LibreSSL OpenBSD repository using curl. It backs up the existing certificate file to /etc/ssl/cert.BAK, replaces it with the downloaded file, and tests connectivity to api.automox.com using openssl s_client to verify the fix.
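The evaluation logic described above can be sketched as follows. This is an added example, not the Worklet's own script: the function names are hypothetical, the version lookup assumes the bundle carries an OpenBSD RCS header line, and the bundle sanity check is an extra pre-install safeguard the page does not describe.

```shell
#!/bin/bash
# Added example: evaluation-style check, not the Worklet's own script.
# Assumption: the bundle carries an RCS header line such as
#   # $OpenBSD: cert.pem,v 1.24 2021/09/30 00:00:00 user Exp $   (constructed)
MIN_DARWIN=19   # Darwin 19 = Catalina, per the page
MIN_REV="1.24"  # minimum compliant bundle version, per the page

# Print the revision from the bundle header, or nothing if none is found.
bundle_revision() {
    sed -n 's/^#.*cert\.pem,v \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if revision $1 >= $2. Major and minor are compared as integers,
# because a string or decimal compare would rank 1.9 above 1.24.
rev_at_least() {
    local a_major="${1%%.*}" a_minor="${1#*.}"
    local b_major="${2%%.*}" b_minor="${2#*.}"
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# Sanity-check a downloaded bundle before it replaces the trust store:
# at least one certificate, and BEGIN/END markers must balance
# (an unbalanced count indicates a truncated download).
bundle_is_sane() {
    local begin end
    begin=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null)
    end=$(grep -c '^-----END CERTIFICATE-----$' "$1" 2>/dev/null)
    [ "$begin" -gt 0 ] 2>/dev/null && [ "$begin" -eq "$end" ]
}

# evaluate <darwin_release> <bundle_path>
# Returns 0 when compliant, non-zero when remediation is needed.
evaluate() {
    local major="${1%%.*}" rev
    [ "$major" -ge "$MIN_DARWIN" ] 2>/dev/null && return 0
    rev=$(bundle_revision "$2" 2>/dev/null)
    [ -n "$rev" ] && rev_at_least "$rev" "$MIN_REV"
}

# On an endpoint: evaluate "$(uname -r)" /etc/ssl/cert.pem; echo "exit code $?"
```

A missing or unreadable bundle, or one without a recognizable header, is treated as non-compliant rather than silently passing.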

cURL certificate update requirements

  • macOS Mojave (10.14), High Sierra (10.13), or earlier

  • Internet connectivity to download the certificate bundle from GitHub

  • Administrative privileges for writing to /etc/ssl/

Expected SSL connectivity after update

After running, cURL and other tools using /etc/ssl/cert.pem for SSL verification can connect to HTTPS resources protected by modern certificates. The Worklet verifies successful connectivity to api.automox.com before completing. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

The original certificate file is preserved at /etc/ssl/cert.BAK if rollback is needed. Commands like curl, git, and pip that previously failed with certificate errors should now work correctly.

How to validate the cURL root certificates update

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output for the cURL root certificates update.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

  4. Validate remediation effects from script operations such as exit, else, function, then rerun evaluation for compliance.

For technical validation, compare the endpoint state to the Worklet's evaluation logic and remediation flow for the cURL root certificates update. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as exit, else, function. Use these indicators to verify that endpoint changes match intended policy outcomes.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
