I'm trying to write a script that will list all installed certificates in the keychain and compare them to the creation/expiration dates of certificates from the Apple dev portal.
I've looked at the documentation for security ( https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html ) and openssl, but I can't seem to pass a cert from one to the other.
The alternative is to use the Security.framework directly, but I don't see any obvious method for dumping the creation/expiry dates for certificates.
Any guidance?
In the Keychain Access app on Mac, select a keychain, then click either the My Certificates category or the Certificates category to see the certificates in that keychain.
In macOS, certificates are part of your digital identity and are stored in your keychain. Keychain Access lets you manage your certificates and keychains. Certificates are issued by trusted organizations, such as VeriSign, Inc., or RSA Data Security, Inc.
Keychain Access lets you view the keys, certificates, passwords, account information, notes, or other information stored in a keychain. In the Keychain Access app on your Mac, if you don't see a list of keychains, choose Window > Keychain Viewer or press Command-1.
android.security.KeyChain. The KeyChain class provides access to private keys and their corresponding certificate chains in credential storage. Applications accessing the KeyChain normally go through these steps: Receive a callback from an X509KeyManager that a private key is requested.
At the command line, I think you could do security find-certificate -a -p and then split up the returned PEM-encoded certificates to feed them to openssl x509 -inform PEM .... one by one.
In code, you can enumerate certificates using SecItemCopyMatching with kSecClass=kSecClassCertificate and kSecMatchLimit=kSecMatchLimitAll. You might be able to get the certificate's expiration date using SecCertificateCopyValues(), but if not, you could get the certificate itself (as a DER-encoded blob) using SecCertificateCopyData() and pipe it to openssl x509 -inform DER ....
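The command-line route described in the answer above, written out as an added example (not code from the original question or answer). The function names split_pem_bundle, cert_dates and list_keychain_cert_dates are hypothetical; list_keychain_cert_dates assumes macOS with the security and openssl tools on the PATH.

```shell
#!/bin/sh
# Added example: list validity dates of every certificate in a keychain.

# split_pem_bundle OUTDIR
# Reads concatenated PEM certificates on stdin, writes each one to
# OUTDIR/cert-NNNN.pem, and prints how many certificates were found.
# Text outside BEGIN/END CERTIFICATE markers is ignored.
split_pem_bundle() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%04d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    '
}

# cert_dates FILE
# Prints subject, notBefore and notAfter of one PEM certificate.
cert_dates() {
    openssl x509 -inform PEM -in "$1" -noout -subject -startdate -enddate
}

# list_keychain_cert_dates [KEYCHAIN...]
# Dumps all certificates from the given keychains (default search list
# when none is given) and prints the dates of each one.
list_keychain_cert_dates() {
    tmp=$(mktemp -d) || return 1
    security find-certificate -a -p "$@" | split_pem_bundle "$tmp" >/dev/null
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue   # glob matched nothing: no certificates
        cert_dates "$f" || echo "skipped unparsable certificate: $f" >&2
        echo
    done
    rm -rf "$tmp"
}
```

Source the file and call list_keychain_cert_dates, optionally with a keychain path, to get one subject/notBefore/notAfter group per certificate for comparison against the portal's dates.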