Add Root Certificates to KeyChain

This short how to describes how to retrieve public key certificates, and store it in you KeyChain under Mac OS X. Public key certificates are used for the web (sites starting with https://) as well as e-mail (IMAPS). Technically, they are self-signed certificates (often referred to as a CA or root certificates).

How to retrieve server certificate
openssl s_client -connect :

Typical ports: 993 for IMAP clients, 443 for HTTPS, 465 for secure SMTP.

Store the result, in particular the part between "BEGIN CERTIFICATE" and "END CERTIFICATE".

If you saved this as server.cert.pem, you can display it's information using :

openssl x509 -in server.cert.pem -text

If it is a self-signed certificate (the Issuer and the Subject are the same), you need to store it in the keychain so that this certificate, and all certificates signed by this issuer are properly authentication.

For MacOS 10.3 and up, rename the file to have an extension .cer of .crt, and drag the file onto the KeyChain Access application. You will be asked to add the certificate. Choose the "X509 Anchors" keychain and store the certificate after you verified the correctness.

For MacOS 10.2, you need to use the "certtool" program from the commandline to add a certificate.

If you need to remove an old certificate, use the Keychain Access application to remove it from the keychain /System/Library/Keychains/X509Anchors.

If you are using Mac OS 10.3 or earlier, there is no way to export it to a readable format like PEM, DER or PKCS#12 after you saved it in the keychain, so you are encoureaged to keep a back-up file.