2

I just can't find a way to delete the Self-Signed Root CA from Keychain under System.

When I open KeyChain I select System under System Keychains. Then I click on the File in menu and then click on Unlock Keychain "System"...

After this I was expecting to be able to delete a certificate. But when I select a certificate I can only see greyed out Delete option in the Edit in the menu.

I tried to disable SIP (which was successful) but it did not help me clear From Keychain file (SystemRootKeychain) which is:

/System/Library/Keychains/SystemRootKeychain.keychain

I disabled SIP in Recovery mode with command: csrutil disable

Any advice?

bmike
  • 235,889
Mi1anovic
  • 131
  • What "self-signed certificate"? What would SIP have to do with it? – Marc Wilson Mar 02 '22 at 20:33
  • I checked additional details and it's Root Internal Certificate which was needed for specific Wi-Fi Enterprise network connection. Now the connection to the Wi-Fi network is possible without this certificate so I want to delete it. I found info about SIP here: https://discussions.apple.com/thread/7357200 – Mi1anovic Mar 03 '22 at 07:20
  • I’m going to edit the post and answer so the clarified problem is all in the question and the solution is about where to look for others. Great resolution ! – bmike Apr 02 '22 at 14:18

2 Answers2

1

I was able to delete it with terminal command:

sudo security delete-certificate -c "CERT_NAME" /Library/Keychains/System.keychain

It was not clear to look in /Library/Keychains instead of /System/Library/Keychains so SIP was an unrelated complication to get to the source of the item.

bmike
  • 235,889
Mi1anovic
  • 131
  • Added a self-signed certificate via sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain CERT_NAME (per this answer), but when I try to delete it with the above command, I get Unable to delete certificate matching "CERT_NAME". However, when I do it manually in Keychain Access, it works (after needing to put in my password twice), but I was hoping for a solution that works on the terminal. – toraritte Aug 28 '23 at 21:10
0

TL;DR

# 1.
sudo security remove-trusted-cert -d <CERT_FILE_NAME>

2.


sudo security delete-certificate -c <CERT_COMMON_NAME> /Library/Keychains/System.keychain

On Ventura, I added a self-signed certificate to the System keychain using the Import certificates into the System Keychain via the command line thread:

sudo security add-trusted-cert \
  -d \
  -r trustRoot \
  -k /Library/Keychains/System.keychain \
  <CERT_FILE_NAME>

In Keychain Access, under "System",

Sidebar in Keychain Access,

the added certificate will show up like this:

the certificate in Keychain Access, marked with a white plus sign in a blue dot

Deleting a certificate from the System keychain on the terminal

Step 0. Make sure that Keychain Access is not running.

If you see the little white dot beneath its icon, then quit.

the white dot under Keychain Access icon

If you forget, the steps below will work to some extent, but the certificate will have to be manually deleted as well, defeating the whole purpose of doing this in the terminal. You will still get an error,

"An error occurred while deleting the certificate"

In my case, quitting and starting Keychain Access again didn't help, hence this manual step.

Step 1. sudo security remove-trusted-cert -d <CERT_FILE_NAME>

For example,

% sudo security remove-trusted-cert -d localhost.crt

This is how the certificate looks like in Keychain Access at this point:

The same certificate icon but now without the white cross on blue dot.

Step 2. sudo security delete-certificate -c <CERT_COMMON_NAME> /Library/Keychains/System.keychain

The argument for -c has to be the common name on the certificate (i.e., the CN parameter). This is what shows up in Keychain Access.

In my case, it is lynx_localhost_test. To check it on the terminal, decode the certificate with openssl:

% openssl x509 -in localhost.crt -text | grep 'Subject:'

    Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=lynx_localhost_test

To check this on the terminal without opening up Keychain Access, before deleting the cert:

% sudo security find-certificate -c lynx_localhost_test
toraritte
  • 161