Is it possible to copy a certificate to a machine running OS X Snow Leopard, add it to the System Keychain, then set it to "Always Trust via SSH?"

And if so... how?

techraf

2 Answers


To import a trusted certificate, use the terminal command

sudo security add-trusted-cert \
  -d \
  -r trustRoot \
  -k /Library/Keychains/System.keychain \
  <certificate>

This will add a trusted certificate to the System.keychain. You should modify the options and paths to suit your situation. See the man page for security for more information.

↬ Rich Trouton, Adding new trusted root certificates to System.keychain

nohillside
jaberg
  • The quotes messed me up for some reason, removed them and all was well. – counterbeing Apr 17 '14 at 00:02
  • @jaberg, and how to add a certificate via ssh to the local keychain, not the system one? – gaussblurinc Sep 09 '14 at 12:30
  • Thanks muchly! Just a note: one can also add to "$HOME/Library/Keychains/login.keychain" –  Jan 21 '15 at 13:48
  • What is the difference between security add-trusted-cert and security import? – Nepoxx Oct 10 '19 at 15:14
  • Link is broken: https://www.unix.com/man-page/mojave/1/security/ – anki Mar 05 '20 at 19:23
  • FYI, to add a trusted CA to only the current user's Login keychain you don't need to sudo, but you will be asked for your password:

    security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db /tmp/my-root-ca.cer

    – jamshid Feb 13 '21 at 03:32
  • Does this really work from a pure terminal? security wants to do some interactions despite the sudo. – Martin Dec 14 '21 at 15:09
  • @Martin, it was the same for me, I still got a GUI prompt for entering the administrator password. The command from this answer does execute without such a prompt (and the certificate is also trusted right away): https://apple.stackexchange.com/a/223869/92892 – retif Jan 10 '22 at 13:42
  • It says "error reading file" – Prince Hamza Apr 11 '22 at 09:34
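An added helper script, not from this answer or its comments, that ties their points together: it classifies the certificate file as PEM or DER before calling security (the format question raised in the comments), chooses the System keychain with sudo or the user's login.keychain-db without it, and confirms the result with security verify-cert. The function names are mine; it assumes macOS's security(1) and uses -r trustRoot as in this answer (the other answer reports needing trustAsRoot on newer macOS). Off macOS it only classifies the file and prints the command it would run.

```shell
# Added helper (not from the answers above). Assumes macOS security(1); elsewhere
# it only classifies the file and prints the command it would run.

# cert_format FILE -> "pem", "der" or "unknown".
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        printf 'pem\n'
    # A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30).
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        printf 'der\n'
    else
        printf 'unknown\n'
    fi
}

# keychain_for SCOPE -> keychain path: "system" as in the answer above,
# "login" for the current user's keychain (login.keychain-db, per jamshid's comment).
keychain_for() {
    case "$1" in
        system) printf '/Library/Keychains/System.keychain\n' ;;
        login)  printf '%s/Library/Keychains/login.keychain-db\n' "$HOME" ;;
        *)      return 1 ;;
    esac
}

# add_trusted_cmd FILE SCOPE -> the command line install_trusted_root runs;
# only the System keychain needs sudo.
add_trusted_cmd() {
    kc=$(keychain_for "$2") || return 1
    elev=''
    [ "$2" = system ] && elev='sudo '
    printf '%ssecurity add-trusted-cert -d -r trustRoot -k %s %s\n' "$elev" "$kc" "$1"
}

# install_trusted_root FILE SCOPE: refuse files that are neither PEM nor DER,
# add the root to the chosen keychain, then confirm it verifies under the SSL policy.
install_trusted_root() {
    fmt=$(cert_format "$1")
    if [ "$fmt" = unknown ]; then
        echo "refusing $1: not a PEM or DER certificate" >&2
        return 2
    fi
    cmd=$(add_trusted_cmd "$1" "$2") || return 2
    echo "+ $cmd  ($fmt)"
    if [ "$(uname -s)" = Darwin ]; then
        # Word-split the prepared command; paths containing spaces are not supported here.
        $cmd && security verify-cert -c "$1" -p ssl
    fi
}
```

Usage: `install_trusted_root /tmp/my-root-ca.cer system` over SSH; a non-zero exit from verify-cert means the root was added but the certificate still does not validate under the SSL policy.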
The selected answer does not really work on newer versions of macOS.
The correct command now is:

sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain <certificate>

Note: tested with macOS 12 (Monterey) and macOS 13 (Ventura)

ibacalu
  • Welcome to Ask Different. Your answer could be improved by referencing which versions of macOS onward this change applies to. As it stands, 'newer versions' doesn't provide a reference point, especially as the OP was asking about Snow Leopard. That was a long time ago (2009). – Andy Griffiths Sep 24 '22 at 08:12
  • Updated with a note as requested – ibacalu Nov 14 '22 at 08:41
  • What format did you have to use? For PEM format, your command yielded SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid. – volvox Mar 27 '23 at 15:58