"security" Command for Keychains on macOS

This section provides a tutorial example on how to use the 'security' command to manage keychains on macOS computers.

macOS also offers a command line interface, "security", for managing keychains from a terminal. Here are some examples of how to use the "security" command.

List existing keychains

herong$ security list-keychains 
    "/Users/herong/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"

Show the default keychain

herong$ security default-keychain
    "/Users/herong/Library/Keychains/login.keychain-db"

Create a new keychain - A relative name such as MyChain is created under ~/Library/Keychains. The password prompts do not echo what you type; the password is shown here only for illustration. The command also accepts the password with the -p option, but avoid that for anything real, since it lands in your shell history and is visible in the process list. A newly created keychain is not added to the search list shown by "list-keychains" until you add it with the -s option of that subcommand.

herong$ security create-keychain MyChain 
  password for new keychain: TopSecret
  retype password for new keychain: TopSecret

herong$ security show-keychain-info MyChain
  Keychain "MyChain" lock-on-sleep timeout=300s

Create a public-private key pair - It will be stored in the keychain given with -k. The -a option selects the algorithm and -s the key size in bits. The 512-bit RSA key below is only for a quick demonstration; 512-bit RSA can be factored with modest resources and must not be used for anything real. Use at least 2048 bits.

herong$ security create-keypair -k MyChain -a rsa -s 512 MyKey

Find and dump a key by name

herong$ security find-key -l MyKey MyChain 

keychain: "/Users/herong/Library/Keychains/test-db"
version: 512
class: 0x0000000F 
attributes:
    0x00000000 <uint32>=0x0000000F 
    0x00000001 <blob>="MyKey"
    0x00000002 <blob>=<NULL>
    0x00000003 <uint32>=0x00000001 
...

Search for certificates by name - The -c option matches on (part of) the certificate name, and -a returns every match instead of only the first.

herong$ security find-certificate -a -c VeriSign \
  /Library/Keychains/System.keychain

keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000 
attributes:
    "alis"<blob>="VeriSign Class 3 Public Primary Certification ...
    "cenc"<uint32>=0x00000003 
    "ctyp"<uint32>=0x00000001 
    "hpky"<blob>=0x7FD365A7C2DDECBBF03009F34339FA02AF333133  "\1...
    "issu"<blob>=0x3081CA310B30090603550406130255533117301506035... 
    "labl"<blob>="VeriSign Class 3 Public Primary Certification ...
    "skid"<blob>=0x7FD365A7C2DDECBBF03009F34339FA02AF333133  "\1...
    "snbr"<blob>=0x18DAD19E267DE8BB4A2158CDCC6B3B4A  "\030\332\3...
    "subj"<blob>=0x3081CA310B30090603550406130255533117301506035... 
...

Export the first matching certificate in PEM format - The -p option prints the certificate as PEM. Without -a only the first match is printed; add -a to export every match.

herong$ security find-certificate -c VeriSign -p \
  /Library/Keychains/System.keychain

-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
...
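The PEM text printed by "find-certificate -p" is often the starting point for an audit: you want a fingerprint for each certificate so you can compare it with a CA's published value or pass it to "delete-certificate -Z", which takes the SHA-1 hash. The script below is an added example, not part of this tutorial and not Apple's code; it uses only the Python standard library. The sample bundle is constructed: its two PEM bodies are base64 of the bytes "abc" and "hello" rather than real certificates, so the digests are known, but a real "-a -p" dump has exactly the same framing.

```python
"""Split the PEM output of `security find-certificate -a -p <keychain>` into
individual certificates and fingerprint each one (standard library only).

The SHA-1 hex digest is the form `security delete-certificate -Z <hash>`
takes; SHA-256 is what you compare against a CA's published fingerprint.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample standing in for real `security` output. The bodies are
# base64 of b"abc" and b"hello", NOT real DER certificates, so that the
# expected digests are known in advance.
SAMPLE_BUNDLE = """\
keychain: "/Library/Keychains/System.keychain"
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Return the base64 body of every PEM certificate block in `text`.

    Non-PEM lines (attribute dumps, keychain paths) are ignored, so this also
    copes with output that mixes attribute listings and PEM blocks.
    """
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def pem_to_der(body):
    """Decode one PEM body to DER bytes after stripping all whitespace.

    validate=True rejects anything that is not base64, which catches a block
    that was truncated mid-line when it was copied.
    """
    compact = "".join(body.split())
    return base64.b64decode(compact, validate=True)


def fingerprint(der):
    """Hex digests over the DER encoding, which is what keychain tools hash."""
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
        "der_len": len(der),
    }


def fingerprint_bundle(text):
    """Fingerprint every certificate in a `find-certificate -p` dump."""
    return [fingerprint(pem_to_der(body)) for body in split_pem(text)]


if __name__ == "__main__":
    for i, fp in enumerate(fingerprint_bundle(SAMPLE_BUNDLE)):
        print(f"cert {i}: sha1={fp['sha1']} sha256={fp['sha256']}")
```

To run it against a real keychain, pipe the command output into the script's standard input or read it from a file and pass the text to fingerprint_bundle; the digests are computed over the DER bytes, which is the same thing Keychain Access and "find-certificate -Z" hash.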

List the trust settings of the system domain - Without -s the command shows the current user's trust settings, and -d shows the admin domain. "Number of trust settings : 0" does not mean the certificate is untrusted; it is the default for a root, which is then trusted for every policy. A root with one or more settings is restricted to the listed policies or results.

herong$ security dump-trust-settings -s

Number of trusted certs = 168
Cert 0: Entrust.net Certification Authority (2048)
   Number of trust settings : 0
Cert 1: ANF Global Root CA
   Number of trust settings : 0
Cert 2: ApplicationCA
   Number of trust settings : 0
Cert 3: Actalis Authentication Root CA
   Number of trust settings : 0
...
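Because an empty trust-settings list means unrestricted trust, the roots worth reviewing first in a "dump-trust-settings" listing are exactly the ones reporting 0 settings. The parser below is an added example written for this page, not tutorial or Apple code. The sample text is constructed in the layout of the output above; the third entry, "Example Internal Root", with an SSL-only setting is made up to show what a restricted root looks like, and the field names under "Trust Setting 0:" are an assumption of the example rather than something this page shows.

```python
"""Parse the text printed by `security dump-trust-settings -s` and report
which roots carry no explicit trust settings (trusted for every policy).
"""
import re

HEADER_LINE = re.compile(r"^Number of trusted certs = (\d+)$")
CERT_LINE = re.compile(r"^Cert (\d+): (.+)$")
COUNT_LINE = re.compile(r"^\s+Number of trust settings : (\d+)$")

# Constructed sample in the layout of the tutorial's output. The third entry
# and the lines under "Trust Setting 0:" are invented for illustration.
SAMPLE_DUMP = """\
Number of trusted certs = 3
Cert 0: Entrust.net Certification Authority (2048)
   Number of trust settings : 0
Cert 1: ANF Global Root CA
   Number of trust settings : 0
Cert 2: Example Internal Root
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustSettingsResultTrustRoot
"""


def parse_trust_settings(text):
    """Return (declared_count, entries).

    Each entry is {"index", "name", "settings", "details"}. `details` keeps
    the raw indented lines under the entry, so restricted roots can be
    inspected without this parser knowing every field `security` prints.
    """
    declared = None
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_LINE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = CERT_LINE.match(line)
        if m:
            current = {"index": int(m.group(1)), "name": m.group(2).strip(),
                       "settings": None, "details": []}
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first "Cert N:" line
        m = COUNT_LINE.match(line)
        if m:
            current["settings"] = int(m.group(1))
        elif line.strip():
            current["details"].append(line.strip())
    return declared, entries


def unrestricted_roots(text):
    """Names of roots whose trust-settings list is empty (all policies)."""
    _, entries = parse_trust_settings(text)
    return [e["name"] for e in entries if e["settings"] == 0]


def audit(text):
    """Cross-check the declared count against parsed entries and summarise."""
    declared, entries = parse_trust_settings(text)
    return {
        "declared": declared,
        "parsed": len(entries),
        "consistent": declared == len(entries),
        "unrestricted": unrestricted_roots(text),
        "restricted": [e["name"] for e in entries if e["settings"]],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    print(f"{report['parsed']} of {report['declared']} roots parsed")
    for name in report["unrestricted"]:
        print("unrestricted:", name)
    for name in report["restricted"]:
        print("restricted:  ", name)
```

The count check matters in practice: if the declared total and the number of parsed "Cert N:" lines disagree, the dump was cut off or the output format changed, and the unrestricted list should not be trusted until that is resolved.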
