security

security(1) – General Commands Manual

NAME

security – Command line interface to keychains and Security framework

SYNOPSIS

security
[-hilqv]
[-p prompt]
[command]
[command_options]
[command_args]

DESCRIPTION

A simple command line interface which lets you administer keychains,
manipulate keys and certificates, and do just about anything the
Security framework is capable of from the command line.

By default
security
will execute the
command
supplied and report if anything went wrong.

If the
-i
or
-p
options are provided,
security
will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin
security
will exit.

Here is a complete list of the options available:

-h

If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each the specified commands. This option is essentially the same as the
help
command.

-i

Run
security
in interactive mode. A prompt
(security>
by default)
will be displayed and the user will be able to type commands on stdin until an EOF is encountered.

-l

Before
security
exits, run

/usr/bin/leaks -nocontext

on itself to see if the command(s) you executed had any leaks.

-p prompt

This option implies the
-i
option but changes the default prompt to the argument specified instead.

-q

Will make
security
less verbose.

-v

Will make
security
more verbose.

SECURITY COMMAND SUMMARY

security
provides a rich variety of commands
(command
in the
SYNOPSIS), each of which often has a wealth of options, to allow access to
the broad functionality provided by the Security framework. However,
you don’t have to master every detail for
security
to be useful to you.

Here are brief descriptions of all the
security
commands:

help

Show all commands, or show usage for a command.

list-keychains

Display or manipulate the keychain search list.

default-keychain

Display or set the default keychain.

login-keychain

Display or set the login keychain.

create-keychain

Create keychains.

delete-keychain

Delete keychains and remove them from the search list.

lock-keychain

Lock the specified keychain.

unlock-keychain

Unlock the specified keychain.

set-keychain-settings

Set settings for a keychain.

set-keychain-password

Set password for a keychain.

show-keychain-info

Show the settings for keychain.

dump-keychain

Dump the contents of one or more keychains.

create-keypair

Create an asymmetric key pair.

add-generic-password

Add a generic password item.

add-internet-password

Add an internet password item.

add-certificates

Add certificates to a keychain.

find-generic-password

Find a generic password item.

delete-generic-password

Delete a generic password item.

set-generic-password-partition-list

Set the partition list of a generic password item.

find-internet-password

Find an internet password item.

delete-internet-password

Delete an internet password item.

set-internet-password-partition-list

Set the partition list of a internet password item.

find-key

Find keys in the keychain

set-key-partition-list

Set the partition list of a key.

find-certificate

Find a certificate item.

find-identity

Find an identity (certificate + private key).

delete-certificate

Delete a certificate from a keychain.

delete-identity

Delete a certificate and its private key from a keychain.

set-identity-preference

Set the preferred identity to use for a service.

get-identity-preference

Get the preferred identity to use for a service.

create-db

Create a db using the DL.

export

Export items from a keychain.

import

Import items into a keychain.

cms

Encode or decode CMS messages.

install-mds

Install (or re-install) the MDS database.

add-trusted-cert

Add trusted certificate(s).

remove-trusted-cert

Remove trusted certificate(s).

dump-trust-settings

Display contents of trust settings.

user-trust-settings-enable

Display or manipulate user-level trust settings.

trust-settings-export

Export trust settings.

trust-settings-import

Import trust settings.

verify-cert

Verify certificate(s).

authorize

Perform authorization operations.

authorizationdb

Make changes to the authorization policy database.

execute-with-privileges

Execute tool with privileges.

leaks

Run
/usr/bin/leaks
on this process.

smartcards

Enable, disable or list disabled smartcard tokens.

list-smartcards

Display available smartcards.

export-smartcard

Export/display items from a smartcard.

error

Display a descriptive message for the given error code(s).

COMMON COMMAND OPTIONS

This section describes the
command_options
that are available across all
security
commands.

-h

Show a usage message for the specified command. This option is
essentially the same as the
help
command.

SECURITY COMMANDS

Here (finally) are details on all the
security
commands and the options each accepts.

help
[-h]
Show all commands, or show usage for a command.

list-keychains
[-h]
[-d user|system|common|dynamic]
[-s [keychain…]]
Display or manipulate the keychain search list.

-d user|system|common|dynamic

Use the specified preference domain.

-s

Set the search list to the specified keychains.

default-keychain
[-h]
[-d user|system|common|dynamic]
[-s [keychain]]
Display or set the default keychain.

-d user|system|common|dynamic

Use the specified preference domain.

-s

Set the default keychain to the specified
keychain.
Unset it if no keychain is specified.

login-keychain
[-h]
[-d user|system|common|dynamic]
[-s [keychain]]
Display or set the login keychain.

-d user|system|common|dynamic

Use the specified preference domain.

-s

Set the login keychain to the specified
keychain.
Unset it if no keychain is specified.

create-keychain
[-hP]
[-p password]
[keychain…]
Create keychains.

-P

Prompt the user for a password using the SecurityAgent.

-p password

Use
password
as the password for the keychains being created.

If neither
-P
or
-p password
are specified, the user is prompted for a password on the command line. Use
of the -p option is insecure.

delete-keychain
[-h]
[keychain…]
Delete keychains and remove them from the search list.

lock-keychain
[-h]
[-a|keychain]
Lock
keychain, or the default keychain if none is specified. If the
-a
option is specified, all keychains are locked.

unlock-keychain
[-hu]
[-p password]
[keychain]
Unlock
keychain, or the default keychain if none is specified.

set-keychain-settings
[-hlu]
[-t timeout]
[keychain]
Set settings for
keychain, or the default keychain if none is specified.

-l

Lock keychain when the system sleeps.

-u

Lock keychain after timeout interval.

-t timeout

Specify
timeout
interval in seconds (omitting this option specifies “no timeout”).

set-keychain-password
[-h]
[-o oldPassword]
[-p newPassword]
[keychain]
Set password for
keychain, or the default keychain if none is specified.

-o oldPassword

Old keychain password (if not provided, will prompt)

-p newPassword

New keychain password (if not provided, will prompt)

show-keychain-info
[-h]
[keychain]
Show the settings for
keychain.

dump-keychain
[-adhir]
Dump the contents of one or more keychains.

-a

Dump access control list of items

-d

Dump (decrypted) data of items

-i

Interactive access control list editing mode

-r

Dump raw (encrypted) data of items

create-keypair
[-h]
[-a alg]
[-s size]
[-f date]
[-t date]
[-d days]
[-k keychain]
[-A|-T appPath]
[name]
Create an asymmetric key pair.

-a alg

Use
alg
as the algorithm, can be rsa, dh, dsa or fee (default rsa)

-s size

Specify the keysize in bits (default 512)

-f date

Make a key valid from the specified date (ex: “13/11/10 3:30pm”)

-t date

Make a key valid to the specified date

-d days

Make a key valid for the number of days specified from today

-k keychain

Use the specified keychain rather than the default

-A

Allow any application to access this key without warning (insecure, not recommended!)

-T appPath

Specify an application which may access this key (multiple
-T options are allowed)

add-generic-password
[-h]
[-a account]
[-s service]
[-w password]
[options…]
[keychain]
Add a generic password item.

-a account

Specify account name (required)

-c creator

Specify item creator (optional four-character code)

-C type

Specify item type (optional four-character code)

-D kind

Specify kind (default is “application password”)

-G value

Specify generic attribute value (optional)

-j comment

Specify comment string (optional)

-l label

Specify label (if omitted, service name is used as default label)

-s service

Specify service name (required)

-p password

Specify password to be added (legacy option, equivalent to
-w)

-w password

Specify password to be added. Put at end of command to be prompted (recommended)

-A

Allow any application to access this item without warning (insecure, not recommended!)

-T appPath

Specify an application which may access this item (multiple
-T options are allowed)

-U

Update item if it already exists (if omitted, the item cannot already exist)

-X password

Specify password data to be added as a hexadecimal string

By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname:
-T “”. If no keychain is specified, the password is added to the default keychain.

add-internet-password
[-h]
[-a account]
[-s server]
[-w password]
[options…]
[keychain]
Add an internet password item.

-a account

Specify account name (required)

-c creator

Specify item creator (optional four-character code)

-C type

Specify item type (optional four-character code)

-d domain

Specify security domain string (optional)

-D kind

Specify kind (default is “application password”)

-j comment

Specify comment string (optional)

-l label

Specify label (if omitted, service name is used as default label)

-p path

Specify path string (optional)

-P port

Specify port number (optional)

-r protocol

Specify protocol (optional four-character SecProtocolType, e.g. “http”, “ftp ”)

-s server

Specify server name (required)

-t authenticationType

Specify authentication type (as a four-character SecAuthenticationType, default is “dflt”)

-w password

Specify password to be added. Put at end of command to be prompted (recommended)

-A

Allow any application to access this item without warning (insecure, not recommended!)

-T appPath

Specify an application which may access this item (multiple
-T options are allowed)

-U

Update item if it already exists (if omitted, the item cannot already exist)

-X password

Specify password data to be added as a hexadecimal string

By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname:
-T “”. If no keychain is specified, the password is added to the default keychain.

add-certificates
[-h]
[-k keychain]
file…
Add certficates contained in the specified
files
to the default keychain. The files must contain one DER encoded X509 certificate each.

-k keychain

Use
keychain
rather than the default keychain.

find-generic-password
[-h]
[-a account]
[-s service]
[options…]
[-g]
[keychain…]
Find a generic password item.

-a account

Match account string

-c creator

Match creator (four-character code)

-C type

Match type (four-character code)

-D kind

Match kind string

-G value

Match value string (generic attribute)

-j comment

Match comment string

-l label

Match label string

-s service

Match service string

-g

Display the password for the item found

-w

Display the password(only) for the item found

delete-generic-password
[-h]
[-a account]
[-s service]
[options…]
[keychain…]
Delete a generic password item.

-a account

Match account string

-c creator

Match creator (four-character code)

-C type

Match type (four-character code)

-D kind

Match kind string

-G value

Match value string (generic attribute)

-j comment

Match comment string

-l label

Match label string

-s service

Match service string

delete-internet-password
[-h]
[-a account]
[-s server]
[options…]
[keychain…]
Delete an internet password item.

-a account

Match account string

-c creator

Match creator (four-character code)

-C type

Match type (four-character code)

-d securityDomain

Match securityDomain string

-D kind

Match kind string

-j comment

Match comment string

-l label

Match label string

-p path

Match path string

-P port

Match port number

-r protocol

Match protocol (four-character code)

-s server

Match server string

-t authenticationType

Match authenticationType (four-character code)

find-internet-password
[-h]
[-a account]
[-s server]
[options…]
[-g]
[keychain…]
Find an internet password item.

-a account

Match account string

-c creator

Match creator (four-character code)

-C type

Match type (four-character code)

-d securityDomain

Match securityDomain string

-D kind

Match kind string

-j comment

Match comment string

-l label

Match label string

-p path

Match path string

-P port

Match port number

-r protocol

Match protocol (four-character code)

-s server

Match server string

-t authenticationType

Match authenticationType (four-character code)

-g

Display the password for the item found

-w

Display the password(only) for the item found

find-key
[options…]
[keychain…]
Search the keychain for keys.

-a application-label

Match “application label” string

-c creator

Match creator (four-character code)

-d

Match keys that can decrypt

-D description

Match “description” string

-e

Match keys that can encrypt

-j comment

Match comment string

-l label

Match label string

-r

Match keys that can derive

-s

Match keys that can sign

-t type

Type of key to find: one of “symmetric”, “public”, or “private”

-u

Match keys that can unwrap

-v

Match keys that can verify

-w

Match keys that can wrap

set-generic-password-partition-list
[-a account]
[-s service]
[-S <partition list (comma separated)>]
[-k <keychain password>]
[options…]
[keychain]
Sets the “partition list” for a generic password. The “partition list” is an extra parameter in the ACL which limits access to the item based on an application’s code signature. You must present the keychain’s password to change a partition list.

-S partition-list

Comma-separated partition list. See output of “security dump-keychain” for examples.

-k password

Password for keychain

-a account

Match account string

-c creator

Match creator (four-character code)

-C type

Match type (four-character code)

-D kind

Match kind string

-G value

Match value string (generic attribute)

-j comment

Match comment string

-l label

Match label string

-s service

Match service string

set-internet-password-partition-list
[-a account]
[-s server]
[-S <partition list (comma separated)>]
[-k <keychain password>]
[options…]
[keychain]
Sets the “partition list” for an internet password. The “partition list” is an extra parameter in the ACL which limits access to the item based on an application’s code signature. You must present the keychain’s password to change a partition list.

-S partition-list

Comma-separated partition list. See output of “security dump-keychain” for examples.

-k password

Password for keychain

-a account

Match account string

-c creator

Match creator (four-character code)

-C type

Match type (four-character code)

-d securityDomain

Match securityDomain string

-D kind

Match kind string

-j comment

Match comment string

-l label

Match label string

-p path

Match path string

-P port

Match port number

-r protocol

Match protocol (four-character code)

-s server

Match server string

-t authenticationType

Match authenticationType (four-character code)

set-key-partition-list
[-S <partition list (comma separated)>]
[-k <keychain password>]
[options…]
[keychain]
Sets the “partition list” for a key. The “partition list” is an extra parameter in the ACL which limits access to the key based on an application’s code signature. You must present the keychain’s password to change a partition list. If you’d like to run /usr/bin/codesign with the key, “apple:” must be an element of the partition list.

-S partition-list

Comma-separated partition list. See output of “security dump-keychain” for examples.

-k password

Password for keychain

-a application-label

Match “application label” string

-c creator

Match creator (four-character code)

-d

Match keys that can decrypt

-D description

Match “description” string

-e

Match keys that can encrypt

-j comment

Match comment string

-l label

Match label string

-r

Match keys that can derive

-s

Match keys that can sign

-t type

Type of key to find: one of “symmetric”, “public”, or “private”

-u

Match keys that can unwrap

-v

Match keys that can verify

-w

Match keys that can wrap

find-certificate
[-h]
[-a]
[-c name]
[-e emailAddress]
[-m]
[-p]
[-Z]
[keychain…]
Find a certificate item. If no
keychain arguments are provided, the default search list is used.

Options:

-a

Find all matching certificates, not just the first one

-c name

Match on
name when searching (optional)

-e emailAddress

Match on
emailAddress when searching (optional)

-m

Show the email addresses in the certificate

-p

Output certificate in pem format. Default is to dump the attributes and keychain the cert is in.

-Z

Print SHA-256 (and SHA-1) hash of the certificate

Examples

security> find-certificate -a -p > allcerts.pem

Exports all certificates from all keychains into a pem file called allcerts.pem.

security> find-certificate -a -e [email protected] -p > certs.pem

Exports all certificates from all keychains with the email address
[email protected] into a pem file called certs.pem.

security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-256

Print the SHA-256 hash of every certificate in ‘login.keychain’ whose common name includes ‘MyName’

find-identity
[-h]
[-p policy]
[-s string]
[-v]
[keychain…]
Find an identity (certificate + private key) satisfying a given policy. If no
policy arguments are provided, the X.509 basic policy is assumed. If no
keychain arguments are provided, the default search list is used.

Options:

-p policy

Specify
policy to evaluate (multiple -p options are allowed). Supported policies:
basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning,
sys-default, sys-kerberos-kdc

-s string

Specify optional policy-specific
string (e.g. a DNS hostname for SSL, or RFC822 email address for S/MIME)

-v

Show valid identities only (default is to show all identities)

Examples

security> find-identity -v -p ssl-client

Display valid identities that can be used for SSL client authentication

security> find-identity -p ssl-server -s www.domain.com

Display identities for a SSL server running on the host ‘www.domain.com’

security> find-identity -p smime -s [email protected]

Display identities that can be used to sign a message from ‘[email protected]

delete-certificate
[-h]
[-c name]
[-Z hash]
[-t]
[keychain…]
Delete a certificate from a keychain. If no
keychain arguments are provided, the default search list is used.

-c name

Specify certificate to delete by its common name

-Z hash

Specify certificate to delete by its SHA-256 (or SHA-1) hash

-t

Also delete user trust settings for this certificate

The certificate to be deleted must be uniquely specified either by a
string found in its common name, or by its SHA-256 (or SHA-1) hash.

delete-identity
[-h]
[-c name]
[-Z hash]
[-t]
[keychain…]
Delete a certificate and its private key from a keychain. If no
keychain arguments are provided, the default search list is used.

-c name

Specify certificate to delete by its common name

-Z hash

Specify certificate to delete by its SHA-256 (or SHA-1) hash

-t

Also delete user trust settings for this identity certificate

The identity to be deleted must be uniquely specified either by a
string found in its common name, or by its SHA-256 (or SHA-1) hash.

set-identity-preference
[-h]
[-n]
[-c identity]
[-s service]
[-u keyUsage]
[-Z hash]
[keychain…]
Set the preferred identity to use for a service.

-n

Specify no identity (clears existing preference for the given service)

-c identity

Specify identity by common name of the certificate

-s service

Specify service (may be a URL, RFC822 email address, DNS host, or other name) for which this identity is to be preferred

-u keyUsage

Specify key usage (optional)

-Z hash

Specify identity by SHA-256 (or SHA-1) hash of certificate (optional)

The identity is located by searching the specified keychain(s) for a certificate whose common name contains
the given identity string. If no keychains are specified to search, the default search list is used. Different
identity preferences can be set for individual key usages. You can differentiate between two identities which contain
the same string by providing a SHA-256 (or SHA-1) hash of the certificate in addition to, or instead of, the name.

PARTIAL PATHS AND WILDCARDS

Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The
URL being visited had to match the service name exactly for the preference to be in effect.

In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using
a service name with a partial path URL to match more specific paths on the same server. For
example, if an identity preference for “https://www.apache-ssl.org/” exists, it will be in effect for
“https://www.apache-ssl.org/cgi/cert-export”, and so on. Note that partial path URLs must end with a trailing
slash character.

Starting with 10.6, it is possible to specify identity preferences on a per-domain
basis, by using the wildcard character ‘*’ as the leftmost component of the service name. Unlike SSL wildcards,
an identity preference wildcard can match more than one subdomain. For example, an identity preference for
the name “*.army.mil” will match “server1.subdomain1.army.mil” or “server2.subdomain2.army.mil”. Likewise,
a preference for “*.mil” will match both “server.army.mil” and “server.navy.mil”.

KEY USAGE CODES

 0 - preference is in effect for all possible key usages (default)  
 1 - encryption only  
 2 - decryption only  
 4 - signing only  
 8 - signature verification only  
16 - signing with message recovery only  
32 - signature verification with message recovery only  
64 - key wrapping only  

128 – key unwrapping only
256 – key derivation only

To specify more than one usage, add values together.

get-identity-preference
[-h]
[-s service]
[-u keyUsage]
[-p]
[-c]
[-Z]
Get the preferred identity to use for a service.

-s service

Specify service (may be a URL, RFC822 email address, DNS host, or other name)

-u keyUsage

Specify key usage (optional)

-p

Output identity certificate in pem format

-c

Print common name of the preferred identity certificate

-Z

Print SHA-256 (and SHA-1) hash of the preferred identity certificate

create-db
[-aho0]
[-g dl|cspdl]
[-m mode]
[name]
Create a db using the DL. If
name
isn’t provided
security
will prompt the user to type a name.

Options:

-a

Turn off autocommit

-g dl|cspdl

Use the AppleDL (default) or AppleCspDL

-m mode

Set the file permissions to
mode.

-o

Force using openparams argument

-0

Force using version 0 openparams

Examples

security> create-db -m 0644 test.db

security> create-db -g cspdl -a test2.db

export
[-k keychain]
[-t type]
[-f format]
[-w]
[-p format]
[-P passphrase]
[-o outfile]
Export one or more items from a keychain to one of a number of external representations. If
keychain
isn’t provided, items will be exported from the user’s default keychain.

Options:

-k keychain

Specify keychain from which item(s) will be exported.

-t type

Specify the type of items to export. Possible types are certs, allKeys, pubKeys, privKeys, identities, and all. The default is all. An identity consists of both a certificate and the corresponding private key.

-f format

Specify the format of the exported data. Possible formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pemseq if more than one item is being exported. The default is openssl if one key is being exported. The default is x509 if one certificate is being exported.

-w

Specifies that private keys are to be wrapped on export.

-p

Specifies that PEM armour is to be applied to the output data.

-P passphrase

Specify the wrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.

-o outfile

Write the output data to
outfile. Default is to write data to stdout.

Examples

security> export -k login.keychain -t certs -o /tmp/certs.pem

security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12

import
inputfile
[-k keychain]
[-t type]
[-f format]
[-w]
[-P passphrase]
[options…]
Import one or more items from
inputfile into a keychain. If
keychain
isn’t provided, items will be imported into the user’s default keychain.

Options:

-k keychain

Specify keychain into which item(s) will be imported.

-t type

Specify the type of items to import. Possible types are cert, pub, priv, session, cert, and agg. Pub, priv, and session refer to keys; agg is one of the aggregate types (pkcs12 and PEM sequence). The command can often figure out what item_type an item contains based in the filename and/or item_format.

-f format

Specify the format of the exported data. Possible formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can often figure out what format an item is in based in the filename and/or item_type.

-w

Specify that private keys are wrapped and must be unwrapped on import.

-x

Specify that private keys are non-extractable after being imported.

-P passphrase

Specify the unwrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.

-a attrName attrValue

Specify optional extended attribute name and value. Can be used multiple times. This is only valid when importing keys.

-A

Allow any application to access the imported key without warning (insecure, not recommended!)

-T appPath

Specify an application which may access the imported key (multiple
-T options are allowed)

Examples

security> import /tmp/certs.pem -k

security> import /tmp/mycerts.p12 -t agg -k newcert.keychain

security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain

cms
[-C|-D|-E|-S]
[options…]
Encode or decode CMS messages.

-C

create a CMS encrypted message

-D

decode a CMS message

-E

create a CMS enveloped message

-S

create a CMS signed message

Decoding options:

-c content

use this detached content file

-h level

generate email headers with info about CMS message (output
level >= 0)

-n

suppress output of content

Encoding options:

-r id,…

create envelope for comma-delimited list of recipients, where id can be a certificate nickname or email address

-G

include a signing time attribute

-H hash

hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)

-N nick

use certificate named “nick” for signing

-P

include a SMIMECapabilities attribute

-T

do not include content in CMS message

-Y nick

include an EncryptionKeyPreference attribute with certificate (use “NONE” to omit)

-Z hash

find a certificate by subject key ID

Common options:

-e envelope

specify envelope file (valid with
-D or
-E)

-k keychain

specify keychain to use

-i infile

use infile as source of data (default: stdin)

-o outfile

use outfile as destination of data (default: stdout)

-p password

use password as key db password (default: prompt)

-s

pass data a single byte at a time to CMS

-u certusage

set type of certificate usage (default: certUsageEmailSigner)

-v

print debugging information

Cert usage codes:
0 – certUsageSSLClient
1 – certUsageSSLServer
2 – certUsageSSLServerWithStepUp
3 – certUsageSSLCA
4 – certUsageEmailSigner
5 – certUsageEmailRecipient
6 – certUsageObjectSigner
7 – certUsageUserCertImport
8 – certUsageVerifyCA
9 – certUsageProtectedObjectSigner
10 – certUsageStatusResponder
11 – certUsageAnyCA

install-mds
Install (or re-install) the Module Directory Services (MDS) database. This is a system tool which is not normally used by users. There are no options.

add-trusted-cert
[-d]
[-r resultType]
[-p policy]
[-a appPath]
[-s policyString]
[-e allowedError]
[-u keyUsage]
[-k keychain]
[-i settingsFileIn]
[-o settingsFileOut]
certFile
Add certificate (in DER or PEM format) from
certFile to per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.

Options:

-d

Add to admin cert store; default is user.

-r resultType

resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.

-p policy

Specify policy constraint (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, macappstore, appleID, timestamping).

-a appPath

Specify application constraint.

-s policyString

Specify policy-specific string.

-e allowedError

Specify allowed error (an integer value, or one of: certExpired, hostnameMismatch)

-u keyUsage

Specify key usage, an integer.

-k keychain

Specify keychain to which cert is added.

-i settingsFileIn

Input trust settings file; default is user domain.

-o settingsFileOut

Output trust settings file; default is user domain.

Key usage codes:
-1 – Any
1 – Sign
2 – Encrypt/Decrypt Data
4 – Encrypt/Decrypt Key
8 – Sign certificate
16 – Sign revocation
32 – Key exchange
To specify more than one usage, add values together (except -1 – Any).

Examples

security> add-trusted-cert /tmp/cert.der  

security> add-trusted-cert -d .tmp/cert.der  

remove-trusted-cert
[-d]
certFile
Remove certificate (in DER or PEM format) in
certFile from per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.

Options:

-d

Remove from admin cert store; default is user.

dump-trust-settings
[-s]
[-d]
Display Trust Settings.

Options:

-s

Display trusted system certs; default is user.

-d

Display trusted admin certs; default is user.

user-trust-settings-enable
[-d]
[-e]
Display or manipulate user-level Trust Settings. With no arguments, shows the current state of the user-level Trust Settings enable. Otherwise enables or disables user-level Trust Settings.

Options:

-d

Disable user-level Trust Settings.

-e

Enable user-level Trust Settings.

trust-settings-export
[-s]
[-d]
settings_file
Export Trust Settings to the specified file.

Options:

-s

Export system Trust Settings; default is user.

-d

Export admin Trust Settings; default is user.

trust-settings-import
[-d]
settings_file
Import Trust Settings from the specified file. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.

Options:

-d

Import admin Trust Settings; default is user.

verify-cert
[-c certFile]
[-r rootCertFile]
[-p policy]
[-C]
[-d date]
[-k keychain]
[-n name]
[-N]
[-L]
[-l]
[-e emailAddress]
[-s sslHost]
[-q]
[-R revCheckOption]
[-P]
[-t]
[-v]
[url]
Verify one or more certificates. If a direct URL argument is provided, a TLS connection is attempted and the certificate presented by that server is evaluated according to standard SSL server policy; other certificates or policy options will be ignored in this case.

Options:

-c certFile

Certificate to verify, in DER or PEM format. Can be specified more than once; leaf certificate has to be specified first.

-r rootCertFile

Root certificate, in DER or PEM format. Can be specified more than once. If not specified, the system anchor certificates are used. If one root certificate is specified, and zero (non-root) certificates are specified, the root certificate is verified against itself.

-p policy

Specify verification policy (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, appleID, macappstore, timestamping). Default is basic.

-C

Specify this evaluation is for client usage, if the verification policy (e.g. ssl) distinguishes between client and server usage. Default is server usage.

-d date

Date to set for verification. Specified in the format of YYYY-MM-DD-hh:mm:ss (time optional). e.g: 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm in GMT

-k keychain

Keychain to search for intermediate CA certificates. Can be specified multiple times. Default is the current user’s keychain search list.

-n name

Specify a name to be verified, e.g. the SSL host name for the ssl policy, or RFC822 email address for the smime policy. For backward compatibility, if the -n option is provided without an argument, it will be interpreted as equivalent to -N.

-N

Avoid searching any keychains.

-L

Use local certificates only. If an issuing CA certificate is missing, this option will avoid accessing the network to fetch it.

-l

Specifies that the leaf certificate is a CA cert. By default, a leaf certificate with a Basic Constraints extension with the CA bit set fails verification.

-e emailAddress

Specify email address for the smime policy. (This option is deprecated; use -n instead.)

-s sslHost

Specify SSL host name for the ssl policy. (This option is deprecated; use -n instead.)

-q

Quiet, no stdout or stderr.

-R revCheckOption

Specify a revocation checking option for this evaluation (ocsp, require, offline). Can be specified multiple times; e.g. to enable revocation checking via the OCSP method and require a positive response, use “-R ocsp -R require”. The offline option will consult previously cached responses, but will not make a request to a revocation server.

-P

Output the constructed certificate chain in PEM format.

-t

Output certificate contents as text.

-v

Specify verbose output, including per-certificate trust results.

Examples

security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -n store.apple.com

security> verify-cert -r serverbasic.crt

security> verify-cert -v https://www.apple.com

authorize
[-updPiew]
[right…]
Authorize requested right(s). The extend-rights flag will be passed by default.

Options:

-u

Allow user interaction.

-p

Allow returning partial rights.

-d

Destroy acquired rights.

-P

Pre-authorize rights only.

-l

Operate authorization in least privileged mode.

-i

Internalize authref passed on stdin.

-e

Externalize authref to stdout

-w

Wait while holding AuthorizationRef until stdout is closed. This will allow client to read externalized AuthorizationRef from pipe.

Examples

security> security authorize -ud my-right

Basic authorization of my-right.

security> security -q authorize -uew my-right | security -q authorize -i my-right

Authorizing a right and passing it to another command as a way to add authorization to shell scripts.

authorizationdb
read <right-name>

authorizationdb
write <right-name> [allow|deny|<rulename>]

authorizationdb
remove <right-name>
Read/Modify authorization policy database. Without a rulename write will read a dictionary as a plist from stdin.

Examples

security> security authorizationdb read system.privilege.admin > /tmp/aewp-def

Read definition of system.privilege.admin right.

security> security authorizationdb write system.preferences < /tmp/aewp-def

Set system.preferences to definition of system.privilege.admin right.

security> security authorizationdb write system.preferences authenticate-admin

Every change to preferences requires an Admin user to authenticate.

execute-with-privileges
<program>
[args…]
Execute tool with privileges.
On success stdin will be read and forwarded to the tool.

leaks
[-h]
[-cycles]
[-nocontext]
[-nostacks]
[-exclude symbol]
Run
/usr/bin/leaks
on this process. This can help find memory leaks after running
certain commands.

Options:

-cycles

Use a stricter algorithm (See
leaks(1)
for details).

-nocontext

Withhold the hex dumps of the leaked memory.

-nostacks

Don’t show stack traces of leaked memory.

-exclude symbol

Ignore leaks called from
symbol.

smartcards
token
[-l]
[-e token]
[-d token]
Enable, disable or list disabled smartcard tokens.

Options:

-l

List disabled smartcard tokens.

-e token

Enable smartcard token.

-d token

Disable smartcard token.

To list tokens available in the system

pluginkit -m -p com.apple.ctk-tokens

Examples

security smartcards token -l

security smartcards token -d com.apple.CryptoTokenKit.pivtoken

security smartcards token -e com.apple.CryptoTokenKit.pivtoken

list-smartcards
Display
ids of available smartcards.

export-smartcard
token
[-i id]
[-t certs|privKeys|identities|all]
[-e exportPath]
Export/display items from a smartcard. If
id
isn’t provided, items from all smartcards will be displayed.

Options:

-i id

Export/display items from token specified by token
id, available
ids can be listed by list-smartcards command.

-t certs|privKeys|identities|all

Display items of the specified type (Default:
all)

-e exportPath

Specify path to export certificates and public keys. If
exportPath is specified screen output is suppressed. This option cannot be combined with -t option.

error
[-h]
[<error code(s)…>]
Display an error string for the given security-related error code.
The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
errors can be separated by spaces.

ENVIRONMENT

MallocStackLogging

When using the
leaks
command or the
-l
option it’s probably a good idea to set this environment variable before
security
is started. Doing so will allow leaks to display symbolic backtraces.

FILES

~/Library/Preferences/com.apple.security.plist

Property list file containing the current user’s default keychain and keychain search list.

/Library/Preferences/com.apple.security.plist

Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.

/Library/Preferences/com.apple.security-common.plist

Property list file containing the common keychain search list, which is appended to every user’s search list and to the system search list.

SEE ALSO

certtool(1),
leaks(1),
pluginkit(8)

HISTORY

security
was first introduced in Mac OS X version 10.3.

BUGS

security
still needs more commands before it can be considered complete.
In particular, it should someday supersede both the
certtool
and
systemkeychain
commands.

Darwin – March 15, 2017