Mac Tutorials - Herong's Tutorial Examples - v3.08, by Herong Yang
Manage Keychains with Commands
This section provides a quick introduction to managing keychains with command line tools.
Keychains that you see in Keychain Access can also be managed from the command line.
macOS provides the "security" command for this purpose:
herong$ man security
NAME
     security -- Command line interface to keychains and Security framework

SYNOPSIS
     security [-hilqv] [-p prompt] [command] [command_options] [command_args]

DESCRIPTION
     A simple command line interface which lets you administer keychains,
     manipulate keys and certificates, and do just about anything the
     Security framework is capable of from the command line.

     Here is a complete list of the options available:

     -h      If no arguments are specified, show a list of all commands. If
             argument are provided, show usage for the specified command.

     -i      Run security in interactive mode.
     ...
Commands supported by "security" are:
herong$ security -h
    help                      Show all commands, or show usage for a command.
    list-keychains            Display or manipulate the keychain search list.
    list-smartcards           Display available smartcards.
    default-keychain          Display or set the default keychain.
    login-keychain            Display or set the login keychain.
    create-keychain           Create keychains and add them to the search list.
    delete-keychain           Delete keychains and remove them from the search list.
    lock-keychain             Lock the specified keychain.
    unlock-keychain           Unlock the specified keychain.
    set-keychain-settings     Set settings for a keychain.
    set-keychain-password     Set password for a keychain.
    show-keychain-info        Show the settings for keychain.
    dump-keychain             Dump the contents of one or more keychains.
    create-keypair            Create an asymmetric key pair.
    add-generic-password      Add a generic password item.
    add-internet-password     Add an internet password item.
    add-certificates          Add certificates to a keychain.
    find-generic-password     Find a generic password item.
    delete-generic-password   Delete a generic password item.
    find-internet-password    Find an internet password item.
    delete-internet-password  Delete an internet password item.
    find-key                  Find keys in the keychain
    set-key-partition-list    Set the partition list of a key.
    find-certificate          Find a certificate item.
    find-identity             Find an identity (certificate + private key).
    delete-certificate        Delete a certificate from a keychain.
    delete-identity           Delete an identity (certificate + private key) from a keychain.
    set-identity-preference   Set the preferred identity to use for a service.
    get-identity-preference   Get the preferred identity to use for a service.
    create-db                 Create a db using the DL.
    export                    Export items from a keychain.
    import                    Import items into a keychain.
    export-smartcard          Export items from a smartcard.
    cms                       Encode or decode CMS messages.
    install-mds               Install (or re-install) the MDS database.
    add-trusted-cert          Add trusted certificate(s).
    remove-trusted-cert       Remove trusted certificate(s).
    dump-trust-settings       Display contents of trust settings.
    trust-settings-export     Export trust settings.
    trust-settings-import     Import trust settings.
    verify-cert               Verify certificate(s).
    authorize                 Perform authorization operations.
    authorizationdb           Make changes to the authorization policy database.
    execute-with-privileges   Execute tool with privileges.
    leaks                     Run /usr/bin/leaks on this process.
    error                     Display a descriptive message for the given error code(s).
    smartcards                Enable, disable or list disabled smartcard tokens.
    translocate-create        Create a translocation point for the provided path
    translocate-policy-check  Check whether a path would be translocated.
    translocate-status-check  Check whether a path is translocated.
    translocate-original-path Find the original path for a translocated path.
    ...
You can list the keychains in the search list using the "security list-keychains" command. Note that this command does not return the "System Roots" keychain, /System/Library/Keychains/SystemRootCertificates.keychain, which holds the built-in trusted root CA certificates but is not part of the search list:
herong$ security list-keychains
    "/Users/herong/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"
You can dump all items from a given keychain using the "security dump-keychain" command. Without options it prints only item attributes (class, account, service, dates, and so on); adding "-d" also prints the decrypted secret of each item, and the keychain will ask you to allow access to each one in turn.
herong$ security dump-keychain \
   /Users/herong/Library/Keychains/login.keychain-db > login_dump.txt

herong$ security dump-keychain \
   /Library/Keychains/System.keychain > system_dump.txt

herong$ more system_dump.txt
keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="NETGEAR49"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="NETGEAR49"
    "cdat"<timedate>=0x32303139303932383... "20190928211737Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="AirPort network password"
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303139303932383... "20190928211737Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="AirPort"
    "type"<uint32>=<NULL>
...
You can list different types of security items across all keychains in the search list using different commands. Note that "find-certificate -a" returns every matching certificate, whereas "find-generic-password" and "find-internet-password" return only the first matching item, so "dump-keychain" remains the way to get a complete listing of password items:
herong$ security find-key > key.txt
herong$ security find-certificate -a > certificate.txt
herong$ security find-generic-password > generic-password.txt
herong$ security find-internet-password > internet-password.txt
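The item format printed by "dump-keychain" (and by "find-generic-password" and "find-internet-password") is regular enough to audit with a short script, for example to find out which services have secrets stored on a machine and in which keychain they live. The following is an added example written for this page, not code from the original tutorial or from Apple's tooling: a POSIX shell script whose awk parser turns a dump into a tab-separated inventory of class, service or server, account, description and keychain path, plus a per-keychain item count. The embedded SAMPLE_DUMP is constructed, modelled on the dump shown above; the keychain paths and item names in it are assumptions, not data from a real machine. Passwords are never touched, since "dump-keychain" omits item data unless "-d" is given.

```shell
#!/bin/sh
# keychain_inventory.sh: summarise `security dump-keychain` output into a
# tab-separated inventory (class, service/server, account, description,
# keychain). Only attribute lines are read; no secrets are printed.

# Constructed sample modelled on the dump shown in the text (not a real dump).
# Paths, accounts and services are assumed values for the demonstration.
SAMPLE_DUMP='keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="NETGEAR49"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="NETGEAR49"
    "desc"<blob>="AirPort network password"
    "svce"<blob>="AirPort"
    "type"<uint32>=<NULL>
keychain: "/Users/herong/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    "acct"<blob>="herong"
    "desc"<blob>=<NULL>
    "ptcl"<uint32>="htps"
    "srvr"<blob>="git.example.com"
keychain: "/Users/herong/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>=<NULL>
    "svce"<blob>="com.example.apitoken"
'

# Read a dump on stdin; print one line per item:
#   class <TAB> service-or-server <TAB> account <TAB> description <TAB> keychain
summarize_dump() {
  awk '
    function flush() {
      if (cls != "")
        printf "%s\t%s\t%s\t%s\t%s\n", cls, (svc == "" ? "-" : svc),
               (acct == "" ? "-" : acct), (desc == "" ? "-" : desc), kc
      cls = ""; svc = ""; acct = ""; desc = ""
    }
    # Every item starts with a "keychain:" line, so it closes the previous item.
    /^keychain: / { flush(); kc = $0; sub(/^keychain: "/, "", kc); sub(/"$/, "", kc) }
    /^class: /    { cls = $0; sub(/^class: "/, "", cls); sub(/"$/, "", cls) }
    # Quoted four-letter attributes we care about; "<NULL>" means unset.
    /^ *"(acct|svce|srvr|desc)"<blob>=/ {
      key = $0; sub(/^ *"/, "", key); sub(/".*/, "", key)
      val = $0; sub(/^[^=]*=/, "", val)
      if (val == "<NULL>") val = ""; else { sub(/^"/, "", val); sub(/"$/, "", val) }
      if (key == "acct") acct = val
      else if (key == "desc") desc = val
      else svc = val          # "svce" for genp items, "srvr" for inet items
    }
    END { flush() }
  '
}

# Count items per keychain, e.g. to spot user secrets that ended up in
# System.keychain, which every local user can read attributes of.
count_by_keychain() {
  summarize_dump | awk -F'\t' '{ n[$5]++ } END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort
}

# On a real Mac, source this file and run (not executed here):
#   security dump-keychain ~/Library/Keychains/login.keychain-db | summarize_dump
# Demo on the constructed sample:
printf '%s' "$SAMPLE_DUMP" | summarize_dump
printf '%s' "$SAMPLE_DUMP" | count_by_keychain
```

The parser keys on the "keychain:" line rather than on "class:" because each item in a dump begins with its keychain path, so that line is the reliable record separator; "srvr" (internet items) and "svce" (generic items) are folded into one column since an item has one or the other.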
You can have the keychain decrypt and display the password of an item found by its account name by adding the "-g" option. Items stored in the System keychain require an administrator password (or an "Allow" click in the access dialog). In the following example, "NETGEAR49" is the account name of my Wi-Fi modem. Note that "-g" prints the "password:" line on stderr, so scripts should use "-w" instead, which prints only the password on stdout; pass both "-s" (service) and "-a" (account) whenever more than one item could match, because only the first match is returned.
herong$ security find-generic-password -a NETGEAR49 -g
(Enter admin password)
keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="NETGEAR49"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="NETGEAR49"
    ...
password: "3a6e....7c46"
You can also find and print a certificate by its name with "-c", and have it output in PEM format with "-p" (add "-a" to print every matching certificate instead of only the first). The PEM output can be piped directly into "openssl x509 -noout -text" for inspection, or saved to a file for use as a trust anchor elsewhere.
herong$ security find-certificate -c 'GeoTrust Global CA' -p
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
...
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----