Manage Keychains with Commands

This section provides a quick introduction on how to manage keychains with command line tools.

Keychains stored in Keychain Access can also be managed from command line tools.

macOS offers the "security" command that allows you to manage keychains:

herong$ man security

NAME
  security -- Command line interface to keychains and Security framework

SYNOPSIS
  security [-hilqv] [-p prompt] [command] [command_options] [command_args]

DESCRIPTION
  A simple command line interface which lets you administer keychains, 
  manipulate keys and certificates, and do just about anything the 
  Security framework is capable of from the command line.

  Here is a complete list of the options available:

    -h If no arguments are specified, show a list of all commands.  
       If argument are provided, show usage for the specified command.

    -i Run security in interactive mode.
  ...

Commands supported by "security" are:

herong$ security -h 

help                      Show all commands, or show usage for a command.
list-keychains            Display or manipulate the keychain search list.
list-smartcards           Display available smartcards.
default-keychain          Display or set the default keychain.
login-keychain            Display or set the login keychain.
create-keychain           Create keychains and add them to the search list.
delete-keychain           Delete keychains and remove them from the search list.
lock-keychain             Lock the specified keychain.
unlock-keychain           Unlock the specified keychain.
set-keychain-settings     Set settings for a keychain.
set-keychain-password     Set password for a keychain.
show-keychain-info        Show the settings for keychain.
dump-keychain             Dump the contents of one or more keychains.
create-keypair            Create an asymmetric key pair.
add-generic-password      Add a generic password item.
add-internet-password     Add an internet password item.
add-certificates          Add certificates to a keychain.
find-generic-password     Find a generic password item.
delete-generic-password   Delete a generic password item.
find-internet-password    Find an internet password item.
delete-internet-password  Delete an internet password item.
find-key                  Find keys in the keychain
set-key-partition-list    Set the partition list of a key.
find-certificate          Find a certificate item.
find-identity             Find an identity (certificate + private key).
delete-certificate        Delete a certificate from a keychain.
delete-identity           Delete an identity (certificate + private key) from a keychain.
set-identity-preference   Set the preferred identity to use for a service.
get-identity-preference   Get the preferred identity to use for a service.
create-db                 Create a db using the DL.
export                    Export items from a keychain.
import                    Import items into a keychain.
export-smartcard          Export items from a smartcard.
cms                       Encode or decode CMS messages.
install-mds               Install (or re-install) the MDS database.
add-trusted-cert          Add trusted certificate(s).
remove-trusted-cert       Remove trusted certificate(s).
dump-trust-settings       Display contents of trust settings.
trust-settings-export     Export trust settings.
trust-settings-import     Import trust settings.
verify-cert               Verify certificate(s).
authorize                 Perform authorization operations.
authorizationdb           Make changes to the authorization policy database.
execute-with-privileges   Execute tool with privileges.
leaks                     Run /usr/bin/leaks on this process.
error                     Display a descriptive message for the given error code(s).
smartcards                Enable, disable or list disabled smartcard tokens.
translocate-create        Create a translocation point for the provided path
translocate-policy-check  Check whether a path would be translocated.
translocate-status-check  Check whether a path is translocated.
translocate-original-path Find the original path for a translocated path.
...

You can list the keychains in the search list using the "security list-keychains" command. Note that this command does not return the hidden "System Roots" keychain: /System/Library/Keychains/SystemRootCertificates.keychain.

herong$ security list-keychains
    "/Users/herong/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"

You can dump all items from a given keychain using the "security dump-keychain" command.

herong$ security dump-keychain \
  /Users/herong/Library/Keychains/login.keychain-db > login_dump.txt

herong$ security dump-keychain \
  /Library/Keychains/System.keychain > system_dump.txt

herong$ more login_dump.txt

keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="NETGEAR49"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="NETGEAR49"
    "cdat"<timedate>=0x32303139303932383...  "20190928211737Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="AirPort network password"
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303139303932383...  "20190928211737Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="AirPort"
    "type"<uint32>=<NULL>
    ...
...

You can dump different types of security items across all keychains using different commands:

herong$ security find-key > key.txt 
herong$ security find-certificate -a > certificate.txt 
herong$ security find-generic-password > generic-password.txt 
herong$ security find-internet-password > internet-password.txt 

You can decrypt and display a generic (application) password for a given account name with the "-g" option; "security" asks for the keychain password before it reveals the secret. In the following example, "NETGEAR49" is the account name of my Wi-Fi modem.

herong$ security find-generic-password -a NETGEAR49 -g
(Enter admin password)

keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="NETGEAR49"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="NETGEAR49"
    ...

password: "3a6e....7c46"
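The dump format shown above for "security dump-keychain" and "security find-generic-password -g" is plain text, so it is easy to post-process. The following Python script is an added example, not part of the original tutorial: it parses that format into records, builds an inventory of stored items without their secrets (keychain, class, service or server, account), counts items per class, and redacts any "password:" line so a saved dump can be shared without leaking a credential. The sample dump embedded in it is constructed to follow the format in this section; its attribute values are made up, and the function names are my own.

```python
"""Parse the text printed by `security dump-keychain` and
`security find-generic-password -g` (macOS) into records.

Added example; the sample below is constructed, not a real dump."""
import re
from collections import Counter

# Constructed sample modelled on the dump format shown in this section.
# Values are made up; "password:" appears only when -g was used.
SAMPLE_DUMP = r'''keychain: "/Library/Keychains/System.keychain"
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="NETGEAR49"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="NETGEAR49"
    "cdat"<timedate>=0x32303139303932383231313733375A00  "20190928211737Z\000"
    "desc"<blob>="AirPort network password"
    "mdat"<timedate>=0x32303139303932383231313733375A00  "20190928211737Z\000"
    "svce"<blob>="AirPort"
    "type"<uint32>=<NULL>
keychain: "/Users/herong/Library/Keychains/login.keychain-db"
version: 256
class: "inet"
attributes:
    0x00000007 <blob>="example.com"
    "acct"<blob>="alice"
    "srvr"<blob>="example.com"
    "ptcl"<uint32>="htps"
    "cdat"<timedate>=0x323032313031303130303030303030305A00  "20210101000000Z\000"
keychain: "/Users/herong/Library/Keychains/login.keychain-db"
version: 256
class: "genp"
attributes:
    "acct"<blob>="bob"
    "svce"<blob>="Example App"
password: "hunter2"
'''

# One attribute line: a quoted four-char name or a 0x... numeric tag,
# then <type>=value.
ATTR_RE = re.compile(
    r'^\s+(?:"(?P<name>[^"]+)"|(?P<num>0x[0-9A-Fa-f]+))\s*<(?P<type>\w+)>=(?P<value>.*)$')


def parse_value(raw):
    """Turn the right-hand side of a line into None, a string, or raw text."""
    raw = raw.strip()
    if raw == '<NULL>':
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    # <timedate> values are "0xHEX  "decoded\000""; keep the decoded string.
    m = re.match(r'^0x[0-9A-Fa-f]+\s+"([^"]*)"', raw)
    if m:
        s = m.group(1)
        return s[:-4] if s.endswith('\\000') else s
    return raw


def parse_dump(text):
    """Split a dump into items: keychain, class, attributes, optional password."""
    items = []
    current = None
    for line in text.splitlines():
        if line.startswith('keychain:'):
            current = {'keychain': parse_value(line.split(':', 1)[1]),
                       'class': None, 'attributes': {}, 'password': None}
            items.append(current)
        elif current is None:
            continue  # text before the first item (e.g. a prompt echo)
        elif line.startswith('class:'):
            current['class'] = parse_value(line.split(':', 1)[1])
        elif line.startswith('password:'):
            current['password'] = parse_value(line.split(':', 1)[1])
        else:
            m = ATTR_RE.match(line)
            if m:
                name = m.group('name') or m.group('num')
                current['attributes'][name] = parse_value(m.group('value'))
    return items


def inventory(items):
    """Secret-free summary rows: (keychain, class, service/server, account)."""
    rows = []
    for it in items:
        a = it['attributes']
        where = a.get('svce') or a.get('srvr') or ''
        rows.append((it['keychain'], it['class'], where, a.get('acct') or ''))
    return rows


def count_by_class(items):
    """Number of items per class code (genp, inet, cert, ...)."""
    return dict(Counter(it['class'] for it in items))


def redact(text):
    """Blank every password: line so a dump can be attached to a ticket."""
    return re.sub(r'^(password:\s*).*$', r'\1"<redacted>"', text, flags=re.M)


if __name__ == '__main__':
    # Usage with a real file: parse_dump(open('login_dump.txt').read())
    parsed = parse_dump(SAMPLE_DUMP)
    for row in inventory(parsed):
        print('%-55s %-5s %-15s %s' % row)
    print(count_by_class(parsed))
```

Only the attribute names this section shows ("acct", "svce", "srvr", "desc", "cdat", "mdat") are interpreted; anything else is kept under its raw name, and numeric tags such as 0x00000007 are kept as strings.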

You can also find a certificate by its subject name with the "-c" option and print it in PEM format with the "-p" option.

herong$ security find-certificate -c 'GeoTrust Global CA' -p 

-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
...
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
