HOWTO: Centrally manage root certificates on Mac OS X

This document details how to script the process of importing the CAcert Root Certificates into the Mac OS X system wide root certificates keychain.

Operating system version differences

On Mac OS 10.5 this system wide keychain is called "SystemRootCertificates.keychain" and shows up in Keychain Access as "System Roots". On 10.4 and earlier it's called "X509Anchors" (no filename extension) and shows up as such in Keychain Access. The old file is still present on 10.5, but it is ignored and only remains for backwards compatibility with third party software. In all cases the system wide keychain files are located in /System/Library/Keychains.

The scripts below were written with 10.4 in mind. To update them for Leopard (10.5), substitute SystemRootCertificates.keychain for X509Anchors in all path names.


Central management is convenient: distribute the modified X509Anchors file to a lab of workstations, and internal services whose certificates are signed by CAcert will just work on those machines, with no per-machine import.


# copy me
# Fetch the CAcert root (class 1) and class 3 certificates. -k disables TLS
# verification; the fingerprint checks below are what guarantee integrity.
curl -k -o "root.crt"   ""
curl -k -o "class3.crt" ""
# Work on a copy in ~/Library/Keychains, where certtool looks by default,
# and keep a backup of the original.
cp "/System/Library/Keychains/X509Anchors" "${HOME}/Library/Keychains/X509Anchors.backup"
cp "/System/Library/Keychains/X509Anchors" "${HOME}/Library/Keychains/X509Anchors"

# Install the class 1 cert only if its MD5 fingerprint matches.
# -md5 is given explicitly: the digest openssl uses by default differs between versions.
if openssl x509 -noout -fingerprint -md5 < root.crt | \
   grep -q "Fingerprint=A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B"; then
  certtool i "root.crt" k=X509Anchors
fi

# Install the class 3 cert only if its MD5 fingerprint matches.
if openssl x509 -noout -fingerprint -md5 < class3.crt | \
   grep -q "Fingerprint=73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6"; then
  certtool i "class3.crt" k=X509Anchors
fi

# Copy the updated keychain back into the system location (requires root).
sudo cp "${HOME}/Library/Keychains/X509Anchors" "/System/Library/Keychains/X509Anchors"
# end


I use curl with the -k option, which disables verification of the download server's SSL certificate. That is acceptable here only because each downloaded certificate is checked against a known fingerprint before it is imported: the fingerprint comparison, not the TLS connection, is what establishes that the file is the genuine certificate. Note that the fingerprints in the script are MD5 fingerprints; MD5 is no longer considered collision resistant, so if CAcert publishes SHA-1 or SHA-256 fingerprints, pin those instead. Importing the certificates into curl's own CA bundle is another document.

I then make two copies of the system X509Anchors file in ${HOME}/Library/Keychains, the directory the vendor-supplied certificate tools operate on by default: one to modify and one to keep as a backup.

Next, I check each certificate's fingerprint using the vendor-supplied openssl and grep. You can verify the fingerprints yourself against those CAcert publishes. Only if grep matches do I use the vendor-supplied certtool utility to import that certificate into the X509Anchors copy in the user keychain directory; a certificate whose fingerprint does not match is never imported.

Assuming all went well, I copy the keychain back into the system location. This freshly updated X509Anchors file might also be distributed to all hosts in the site network using a tool such as cfengine.
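The same check, rewritten as an added example that is not part of this page: a fail-closed version that pins the full SHA-256 fingerprint, compares the whole value exactly rather than grepping for a substring, and only reaches the certtool import after the comparison succeeds. The helper names and the placeholder fingerprints in the usage comments are assumptions; replace the placeholders with the values CAcert publishes.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes openssl and (on Mac OS X)
# certtool are on the PATH; the fingerprints in the usage comments are
# placeholders, not CAcert's real values.

# cert_fingerprint FILE DIGEST
#   Print the colon-separated DIGEST (sha1, sha256, ...) fingerprint of the
#   PEM certificate in FILE, e.g. "AB:CD:...". Prints nothing if openssl fails.
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-$2" -in "$1" | sed 's/^.*Fingerprint=//'
}

# verify_fingerprint FILE EXPECTED [DIGEST]
#   Return 0 only if FILE's fingerprint equals EXPECTED exactly (case-insensitive).
#   A prefix or substring match, which a grep would accept, is rejected, and so
#   is an unreadable file (empty fingerprint), so the check fails closed.
verify_fingerprint() {
    _digest=${3:-sha256}
    _actual=$(cert_fingerprint "$1" "$_digest" | tr 'a-f' 'A-F')
    _expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]; then
        return 0
    fi
    echo "fingerprint mismatch for $1 ($_digest): got '${_actual:-none}'" >&2
    return 1
}

# import_if_verified FILE EXPECTED KEYCHAIN
#   Import FILE into KEYCHAIN with certtool only after its SHA-256 fingerprint
#   matches EXPECTED; otherwise return 1 without touching the keychain.
import_if_verified() {
    verify_fingerprint "$1" "$2" sha256 || return 1
    certtool i "$1" k="$3"
}

# Usage (placeholder fingerprints; substitute the values CAcert publishes):
# import_if_verified root.crt   "00:11:22:...:FF" X509Anchors
# import_if_verified class3.crt "00:11:22:...:FF" X509Anchors
```

Because verify_fingerprint returns non-zero on any mismatch or read error, the import step can simply chain on it; a wrong digest family (for example an MD5 value where SHA-256 is expected) also fails, since the lengths differ.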

For a single OS X machine (or just a few) you can simply import the DER versions of the root and class 3 certificates with Keychain Access. Apple has instructions here. More detailed instructions are available from Purdue.

Note that after the initial import, Keychain Access may report that the certificates are not in the trusted root store. Quit and relaunch Keychain Access and the display should be correct.


MacOSX_X509Anchors (last edited 2015-11-04 10:25:12 by AlesKastner)