Create a consolidated CA certificate bundle and configure SSL environment variables for macOS applications
This Automox Worklet™ extracts root certificates from the macOS System Keychain and SystemRootCertificates keychain, consolidates them into a single cabundle.pem file at /opt/proxy/, and configures environment variables that direct applications to use this bundle for SSL/TLS verification.
The Worklet sets the following environment variables in global shell configuration files (/etc/bashrc, /etc/zshrc, /etc/profile): REQUESTS_CA_BUNDLE, WEBSOCKET_CLIENT_CA_BUNDLE, NODE_EXTRA_CA_CERTS, AWS_CA_BUNDLE, SSL_CERT_FILE, and CURL_CA_BUNDLE. This provides SSL certificate trust for Python requests, websocket clients, Node.js, AWS CLI, OpenSSL, and cURL.
Organizations using SSL inspection proxies need applications to trust the proxy's certificate authority. Without proper configuration, applications fail with SSL verification errors when accessing HTTPS resources. A centralized certificate bundle provides a single location to manage trusted certificates for all affected applications.
Development environments often encounter SSL issues when tools cannot locate system certificates. This Worklet standardizes certificate handling across your macOS fleet, reducing support tickets related to SSL errors in pip, npm, curl, and similar tools.
The Worklet optionally supports adding custom certificates to the bundle, useful for internal certificate authorities or self-signed certificates used in development or staging environments.
Evaluation phase: The Worklet checks for the existence of the certificate bundle at /opt/proxy/cabundle.pem and verifies that the required environment variables are defined in /etc/bashrc, /etc/zshrc, and /etc/profile. If any component is missing, the endpoint is flagged for remediation.
Remediation phase: The Worklet uses the security command to export all certificates from the System and SystemRootCertificates keychains in PEM format. It creates the /opt/proxy/ directory, writes the cabundle.pem file, and appends export statements for each environment variable to the global shell configuration files.
macOS endpoint (workstation or server)
Administrative privileges for creating /opt/proxy/ and modifying /etc shell configuration files
Optional: Custom certificates to append to the bundle (configure tmp_certs array in the script)
After running, the cabundle.pem file exists at /opt/proxy/ containing all system root certificates. New shell sessions inherit the SSL environment variables, directing applications to use the consolidated bundle for certificate verification. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.
Applications that previously failed SSL verification through a proxy or with custom certificates should now connect successfully. Users may need to start a new terminal session or log out and back in for the environment variables to take effect.
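The direct endpoint check mentioned above can be scripted. The following is an added example, not the Worklet's own code: it re-checks the bundle path and the six variables in the three shell configuration files, and adds a write-permission check on the bundle. It assumes each export line has the form export VAR=/opt/proxy/cabundle.pem; the ROOT prefix argument is hypothetical and exists only so the audit can run against a test tree.

```bash
#!/usr/bin/env bash
# Added example: audits the end state this page describes. Not the Worklet's code.
# Assumption: each rc file holds a line of the form  export VAR=/opt/proxy/cabundle.pem
VARS="REQUESTS_CA_BUNDLE WEBSOCKET_CLIENT_CA_BUNDLE NODE_EXTRA_CA_CERTS AWS_CA_BUNDLE SSL_CERT_FILE CURL_CA_BUNDLE"
RC_FILES="etc/bashrc etc/zshrc etc/profile"

# audit_ca_bundle [ROOT]
# ROOT is a hypothetical prefix (default: the live filesystem) so the audit
# can be exercised against a constructed directory tree.
audit_ca_bundle() {
    root="${1:-}"
    bundle="$root/opt/proxy/cabundle.pem"
    findings=0

    if [ ! -s "$bundle" ]; then
        echo "MISSING: /opt/proxy/cabundle.pem"
        findings=$((findings + 1))
    else
        # Catch a bundle that exists but holds no PEM certificate.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
            echo "INVALID: no PEM certificate in /opt/proxy/cabundle.pem"
            findings=$((findings + 1))
        fi
        # The bundle is a trust store: if it is group- or world-writable, a
        # non-admin account can add a CA that every tool reading it will trust.
        if [ -n "$(find "$bundle" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "PERMS: /opt/proxy/cabundle.pem is group- or world-writable"
            findings=$((findings + 1))
        fi
    fi

    for rc in $RC_FILES; do
        for var in $VARS; do
            # Require the variable to point at the bundle, not merely be present.
            pattern="^[[:space:]]*export[[:space:]]+$var=[\"']?/opt/proxy/cabundle\.pem[\"']?[[:space:]]*\$"
            if ! grep -Eq "$pattern" "$root/$rc" 2>/dev/null; then
                echo "UNSET: $var in /$rc"
                findings=$((findings + 1))
            fi
        done
    done

    [ "$findings" -eq 0 ]
}
```

Called with no argument on an endpoint, audit_ca_bundle prints one line per finding and returns non-zero if any exist.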
Run this Worklet on a pilot macOS endpoint and review the evaluation output for "mac - security - create system certificate bundle".
Confirm that the Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic, which uses operations such as set and exit.
Validate the remediation effects of script operations such as set, umask, and security, then rerun the evaluation to confirm compliance.
For technical validation, compare endpoint state to the Worklet's evaluation logic and remediation flow for "mac - security - create system certificate bundle". This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet include evaluation operations such as set and exit, and remediation operations such as set, umask, and security. Use these indicators to verify that endpoint changes match the intended policy outcomes.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
