Mac Tutorials - Herong's Tutorial Examples - v3.08, by Herong Yang
CA Certificates at "/etc/ssl | /private/etc/ssl"
This section provides a tutorial example on how to find CA certificate files used by the PHP programming engine on macOS computers.
Since Mac computers use the Linux system as their operating system, you can run applications that are designed for Linux.
However, some of those applications cannot use the certificates that are managed by the keychain. The PHP programming language engine is a good example.
By default, PHP on a Mac computer uses the certificates in /etc/ssl, which is a symbolic link to /private/etc/ssl, as its CA certificates.
1. Call the openssl_get_cert_locations() function in PHP to see where it is searching for CA certificates.
herong$ php -a
php > var_dump(openssl_get_cert_locations());
array(8) {
  ["default_cert_file"]=>
  string(25) "/private/etc/ssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(22) "/private/etc/ssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(24) "/private/etc/ssl/private"
  ["default_default_cert_area"]=>
  string(16) "/private/etc/ssl"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}
2. Look at the first certificate file in the output, /private/etc/ssl/cert.pem. It was installed as part of the macOS system and has never been updated since.
herong$ ls -l /etc/ssl/cert.pem
-rw-r--r--  1 root  wheel  227344 Feb  9  2017 /etc/ssl/cert.pem

herong$ ls -l /private/etc/ssl/cert.pem
-rw-r--r--  1 root  wheel  227344 Feb  9  2017 /private/etc/ssl/cert.pem
3. List the certificates in /etc/ssl/cert.pem by their issuer names. There are not many certificates in this CA certificate file.
herong$ grep Issuer /etc/ssl/cert.pem
Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., C...
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certificati...
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Issuer: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, O...
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, O...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 200...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 199...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 200...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 200...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 199...
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing,...
Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert ...
Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (...
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High A...
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assure...
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global...
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusine...
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Auth...
Issuer: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For author...
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certifi...
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Da...
Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Ce...
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc...
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc...
Issuer: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=...
Issuer: C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authoriz...
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=...
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=Add...
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, ...
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=ht...
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=De...
Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trus...
Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trus...
Issuer: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
Issuer: C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
Issuer: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Issuer: C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítv...
So if you add a new CA certificate to the "System Roots" keychain, you also need to add it to /etc/ssl. Otherwise, your PHP applications may fail to validate certificates signed by that CA.
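The check that steps 1 to 3 perform by hand, as an added PHP script that is not part of this tutorial: it resolves the bundle PHP will actually use from openssl_get_cert_locations(), fingerprints every certificate in it, and reports whether a given CA certificate is present. The file name my-root-ca.pem is a placeholder, and the script inspects only the certificate file, not the hashed default_cert_dir.

```php
<?php
// Added example, not from the tutorial: verify that a CA certificate you added
// to the macOS keychain is also present in the CA bundle that PHP's OpenSSL
// extension reads. Usage: php check_php_ca.php my-root-ca.pem (placeholder name).

// Resolve the bundle the way PHP does: openssl.cafile from php.ini first, then
// the SSL_CERT_FILE environment variable, then the compiled-in default, which
// openssl_get_cert_locations() reports as /private/etc/ssl/cert.pem on macOS.
function php_ca_bundle_path(): string {
    $loc = openssl_get_cert_locations();
    if ($loc['ini_cafile'] !== '') {
        return $loc['ini_cafile'];
    }
    $env = getenv($loc['default_cert_file_env']);
    return ($env !== false && $env !== '') ? $env : $loc['default_cert_file'];
}

// Map SHA-256 fingerprint => "subject (expires date)" for every certificate
// block in a PEM bundle; blocks OpenSSL cannot parse are skipped.
function bundle_fingerprints(string $pem): array {
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $out = [];
    foreach ($m[0] as $cert) {
        $fp = openssl_x509_fingerprint($cert, 'sha256');
        $info = openssl_x509_parse($cert);
        if ($fp === false || $info === false) {
            continue;
        }
        $name = $info['subject']['CN'] ?? ($info['subject']['O'] ?? '(no CN/O)');
        $out[$fp] = sprintf('%s (expires %s)', $name, date('Y-m-d', $info['validTo_time_t']));
    }
    return $out;
}

$caPem = isset($argv[1]) ? @file_get_contents($argv[1]) : false;
if ($caPem === false) {
    fwrite(STDERR, "usage: php check_php_ca.php <ca-cert.pem>\n");
    exit(2);
}
$bundle = php_ca_bundle_path();
$known = bundle_fingerprints((string) file_get_contents($bundle));
printf("PHP CA bundle: %s (%d certificates)\n", $bundle, count($known));
$caFp = openssl_x509_fingerprint($caPem, 'sha256');
if ($caFp !== false && isset($known[$caFp])) {
    printf("OK: %s is in the bundle as %s\n", $argv[1], $known[$caFp]);
    exit(0);
}
printf("MISSING: %s is not in %s; PHP will not trust certificates it signed until that file is updated.\n", $argv[1], $bundle);
exit(1);
```

Trusting the CA in Keychain Access alone leaves this check reporting MISSING, which is exactly the validation failure the tutorial warns about.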