https://github.com/jtauschl/moz-certs-mobileconfig
Generate and optionally sign a macOS/iOS .mobileconfig profile from Mozilla's trusted root certificates.
https://github.com/jtauschl/moz-certs-mobileconfig
automation ca-bundle certificates curl ios macos mobileconfig mozilla nss security
Last synced: 3 months ago
JSON representation
Generate and optionally sign a macOS/iOS .mobileconfig profile from Mozilla's trusted root certificates.
- Host: GitHub
- URL: https://github.com/jtauschl/moz-certs-mobileconfig
- Owner: jtauschl
- License: mit
- Created: 2026-03-05T23:58:40.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-03-18T17:51:38.000Z (4 months ago)
- Last Synced: 2026-03-19T07:18:54.560Z (4 months ago)
- Topics: automation, ca-bundle, certificates, curl, ios, macos, mobileconfig, mozilla, nss, security
- Language: Shell
- Homepage:
- Size: 364 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# moz-certs-mobileconfig
Keeps macOS and iOS devices up to date with Mozilla's trusted root certificates —
useful for systems that no longer receive Apple's own certificate updates.
The generator downloads Mozilla's CA bundle from [curl.se/ca/](https://curl.se/ca/),
builds a signed or unsigned `.mobileconfig` profile, and skips regeneration if
the bundle hasn't changed (SHA-256 check against the existing profile).
A pre-built unsigned profile is published automatically every week via GitHub Actions
and can be installed directly from [jtauschl.github.io/moz-certs-mobileconfig](https://jtauschl.github.io/moz-certs-mobileconfig/).
## Usage
```bash
./generate.sh # unsigned – no certificate required
./generate.sh -s|--signed # sign with Apple Developer cert from Keychain
./generate.sh -f|--force # skip SHA change check, always regenerate
```
Flags can be combined: `./generate.sh --signed --force`
The output is written to `dist/moz-certs.mobileconfig`. When signing, the
certificate is auto-detected from the Keychain and the script accepts either
an `Apple Development` or `Developer ID Application` identity. Set
`SIGNING_IDENTITY` in `generate.sh` to pin a specific certificate. Unsigned
profiles install with a "Not Verified" warning but are otherwise functional.
## Installation on macOS
Open `dist/moz-certs.mobileconfig`. macOS will prompt to install the profile
under System Settings → Privacy & Security → Profiles.
## Installation on iOS
Transfer or host `dist/moz-certs.mobileconfig` so it opens in Safari on iOS.
The profile can then be installed under Settings → General → VPN & Device
Management.
## Requirements
- `curl`, `openssl`, `python3`, `perl` (`shasum`), Internet access to curl.se
- macOS — required for `--signed` (`security` and Keychain access are Apple-only)
- Apple signing certificate in Keychain — only required for `--signed`
Unsigned profile generation works on Linux as well.
## Configuration
The signing certificate is detected automatically from the Keychain.
To pin a specific certificate, set `SIGNING_IDENTITY` at the top of `generate.sh`.
## License
Scripts: [MIT](LICENSE)
Certificate data: sourced from [Mozilla NSS](https://wiki.mozilla.org/CA) via
[curl.se/ca/](https://curl.se/ca/), licensed under
[MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/).