macOS Certificate Management
Managing certificates on macOS involves a mix of openssl, Keychain Access, and the security CLI. This guide covers the commands you need day-to-day.
OpenSSL Commands

Generate a private key

Generate a 2048-bit RSA private key:

openssl genrsa -out server.key 2048

Generate an ECDSA private key (P-256); -noout keeps the EC PARAMETERS block out of the key file, which some consumers reject:

openssl ecparam -genkey -name prime256v1 -noout -out server.key

Generate a CSR

Create a certificate signing request:

openssl req -new -key server.key -out server.csr \
  -subj "/CN=myapp.local/O=Dev/C=US"

Generate a self-signed certificate
Create a self-signed certificate valid for 365 days with SANs (the -addext option requires OpenSSL 1.1.1 or newer):

openssl req -x509 -new -nodes \
  -key server.key \
  -sha256 -days 365 \
  -out server.crt \
  -subj "/CN=myapp.local/O=Dev/C=US" \
  -addext "subjectAltName=DNS:myapp.local,DNS:localhost,IP:127.0.0.1" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth"

View a certificate
Display certificate details in human-readable form:

openssl x509 -in server.crt -text -noout

Verify a certificate chain

Verify a certificate against a CA bundle:

openssl verify -CAfile ca-bundle.crt server.crt

Convert between formats
PEM to DER:

openssl x509 -in server.crt -outform der -out server.der

PEM to PKCS#12 (PFX):

openssl pkcs12 -export \
  -in server.crt -inkey server.key \
  -out server.pfx \
  -name "myapp"

PKCS#12 to PEM (-nodes writes the private key unencrypted, so protect the output file):

openssl pkcs12 -in server.pfx -out server.pem -nodes

Keychain Access
macOS stores certificates in keychains. The two main keychains:

login.keychain   # Current user (on disk: ~/Library/Keychains/login.keychain-db); apps and browsers check this by default
System.keychain  # Machine-wide (/Library/Keychains/System.keychain); requires admin, trusted by all users

Open Keychain Access from Spotlight (Cmd+Space, then type "Keychain Access") to visually inspect installed certificates, change trust settings, and delete expired certs.
security CLI

Trust a certificate system-wide

Add a certificate as a trusted root (requires sudo):

sudo security add-trusted-cert -d \
  -r trustRoot \
  -k /Library/Keychains/System.keychain \
  server.crt

Find a certificate in a keychain

Search for a certificate by common name and print it as PEM:

security find-certificate -c "myapp.local" -p /Library/Keychains/System.keychain

Import a certificate or PFX

Import a PFX into the login keychain (-P supplies the PFX password; -T lets the named application use the imported key without prompting):

security import server.pfx -k ~/Library/Keychains/login.keychain-db \
  -P "password" -T /usr/bin/codesign

Import a public certificate:

security import server.crt -k ~/Library/Keychains/login.keychain-db

.NET Dev Certificates on macOS
Trust the ASP.NET Core development certificate:

dotnet dev-certs https --trust

On macOS this adds the dev certificate to the login keychain and marks it as trusted. If trust fails, reset the dev certificate and retry:

dotnet dev-certs https --clean
dotnet dev-certs https --trust

Trust a Self-Signed Cert System-Wide
To make all applications (browsers, curl, .NET, Node.js) trust a self-signed certificate, add it to the System keychain as a trusted root.

Full trust workflow:

# 1. Add to System keychain as trusted root
sudo security add-trusted-cert -d \
  -r trustRoot \
  -k /Library/Keychains/System.keychain \
  myca.crt

# 2. Verify trust
security verify-cert -c server.crt

# 3. Test with curl
curl https://myapp.local:5001

Browser Trust Differences
Safari and Chrome behave differently when it comes to certificate trust on macOS:

Safari: uses the macOS Keychain directly. Adding a cert to the System keychain as a trusted root is sufficient.
Chrome: also uses the macOS Keychain but enforces additional checks: the certificate must include a SAN (Subject Alternative Name), have a validity period of 398 days or less, and not use SHA-1.
Tip
If Chrome still shows a warning after trusting, check that your certificate has a valid SAN. Chrome ignores the CN field entirely for hostname matching.
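The three Chrome constraints above can be checked before a certificate is ever imported. The script below is an added example, not part of the original guide: it inspects a PEM certificate with openssl and reports whether a SAN is present, whether the notBefore-to-notAfter span is 398 days or less, and whether the signature algorithm involves SHA-1. It uses only openssl and POSIX sh (no GNU-specific date arithmetic), so it runs the same way on macOS and Linux, and it builds two constructed certificates in a scratch directory to show one pass and one fail. An openssl binary of version 1.1.1 or newer is assumed on PATH.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a PEM certificate offline
# against the three Chrome constraints listed above (SAN present, validity of at
# most 398 days, no SHA-1 signature). Uses only openssl and POSIX sh, so it runs
# on macOS or Linux; openssl 1.1.1 or newer is assumed for -addext.
set -eu

# Day number of a calendar date; only differences between two results are used.
day_number() {  # args: month name (Jan..Dec), day of month, four-digit year
  case "$1" in
    Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;;  Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
    Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;;  Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
    *) echo "day_number: unknown month '$1'" >&2; return 1 ;;
  esac
  d=$2; y=$3
  # Count the year from March so the leap day falls at the end of the year.
  if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
  echo $(( y * 365 + y / 4 - y / 100 + y / 400 + (153 * m + 2) / 5 + d ))
}

# Seconds for an openssl date string such as "Mar  5 12:00:00 2025 GMT",
# relative to the same fixed origin as day_number.
openssl_date_to_seconds() {
  set -- $1                       # split into: Mon  day  HH:MM:SS  year  GMT
  days=$(day_number "$1" "$2" "$4")
  t=$3; h=${t%%:*}; s=${t##*:}; mi=${t#*:}; mi=${mi%:*}
  # Strip one leading zero so "08" is not parsed as an invalid octal literal.
  echo $(( days * 86400 + ${h#0} * 3600 + ${mi#0} * 60 + ${s#0} ))
}

# Total validity (notBefore to notAfter) of a PEM certificate in whole days.
cert_validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ($(openssl_date_to_seconds "$na") - $(openssl_date_to_seconds "$nb")) / 86400 ))
}

# Prints one line per check; returns 0 only if all three pass.
check_browser_constraints() {
  cert=$1; ok=0
  text=$(openssl x509 -in "$cert" -noout -text)
  if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
    echo "ok:   subjectAltName present"
  else
    echo "FAIL: no subjectAltName (the CN is not used for hostname matching)"; ok=1
  fi
  days=$(cert_validity_days "$cert")
  if [ "$days" -le 398 ]; then
    echo "ok:   validity $days days"
  else
    echo "FAIL: validity $days days exceeds 398"; ok=1
  fi
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case "$sigalg" in
    *[Ss][Hh][Aa]1*) echo "FAIL: signature uses SHA-1 ($sigalg)"; ok=1 ;;
    *) echo "ok:   signature algorithm $sigalg" ;;
  esac
  return $ok
}

# Demo with two constructed certificates in a scratch directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/server.key"
GOOD_CERT=$WORK/good.crt   # SAN present, 365 days, SHA-256: the recipe from this guide
openssl req -x509 -new -key "$WORK/server.key" -sha256 -days 365 -out "$GOOD_CERT" \
  -subj "/CN=myapp.local/O=Dev/C=US" \
  -addext "subjectAltName=DNS:myapp.local,DNS:localhost,IP:127.0.0.1"
BAD_CERT=$WORK/bad.crt     # CN only (no SAN) and 400 days of validity
openssl req -x509 -new -key "$WORK/server.key" -sha256 -days 400 -out "$BAD_CERT" \
  -subj "/CN=myapp.local/O=Dev/C=US"

for c in "$GOOD_CERT" "$BAD_CERT"; do
  echo "== $c"
  check_browser_constraints "$c" || echo "=> Chrome would warn about this certificate"
done
```

Run it against your own file with `check_browser_constraints server.crt` after sourcing the functions; the validity check counts the full notBefore-to-notAfter span rather than the time remaining, which is what the 398-day rule is about.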
Warning
Firefox on macOS uses its own certificate store, not the system Keychain. To trust a cert in Firefox, go to Settings → Privacy & Security → View Certificates → Import. Or set security.enterprise_roots.enabled to true in about:config to use the system store.