Example for Mac OS X security delete-certificate -c <name>?

Short version: Please provide an example for security delete-certificate -c <name> ... (I tried security delete-certificate -c "Foo Certification Authority" and I tried wild cards.)

Long version:

What I'm trying to do: replace or overwrite an existing certificate.

Can someone provide an example of using security to get the "name" of a certificate and then using security delete-certificate -c <name> to delete it? I've tried a few things for <name> but haven't yet been able to give it something that matches the certificate that I want to remove.

Alternatively, if I use security add-trusted-cert -d -r trustRoot -k <keychain> <certificate> will that simply overwrite any existing certificate with the same name? If this is the case, then I guess I won't need to know how to delete the old one by name.

(I prefer dealing with the name instead of the SHA because it makes things more human-readable.)

user1011471 asked Apr 15 '13 15:04
2 Answers

This answer is almost verbatim from the Stack Apple site:

Back up your keychain before trying anything.

Listing root certificates:

sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

Look in the dump for names or SHA-1 hash values of certificates that you want to get rid of:

Usage: delete-certificate [-c name] [-Z hash] [-t] [keychain...]

-c  Specify certificate to delete by its common name
-Z  Specify certificate to delete by its SHA-1 hash value
-t  Also delete user trust settings for this certificate

The certificate to be deleted must be uniquely specified either by a string found in its common name, or by its SHA-1 hash. If no keychains are specified to search, the default search list is used.

For example, you could delete this Chinese root certificate using this command:

sudo security delete-certificate -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain

I think the -Z hash method is probably safer and would recommend doing it that way. The question you had about overwriting the certs is complicated because, depending on the cert, it's often not a one-command-takes-care-of-all scenario. There's a post on the Apple site with included screencasts of different ways to use (and not use) security and keychain.

Mira Gakatte answered Nov 01 '22 05:11
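The answer above recommends deleting by SHA-1 hash, and the usage text requires the certificate to be uniquely specified. The following added example (not code from either answer) resolves a common name to its hash from the output of `security find-certificate -a -Z` and refuses to proceed unless exactly one certificate matches. The embedded dump is a constructed sample, and the record layout (a "SHA-1 hash:" line preceding each record's "labl" attribute) is an assumption about that command's output.

```shell
# Added example. Resolves a certificate common name to its SHA-1 hash in a
#   security find-certificate -a -Z [keychain]
# dump, enforcing the "must be uniquely specified" rule before any delete.
# SAMPLE_DUMP is constructed; its layout is assumed to mirror the real output.

SAMPLE_DUMP='SHA-1 hash: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "alis"<blob>="Example Root CA"
    "labl"<blob>="Example Root CA"
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Example Root CA G2"
SHA-1 hash: FEDCBA9876543210FEDCBA9876543210FEDCBA98
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Other CA"'

# Read a dump on stdin; print "hash<TAB>label" for every record whose label
# contains $1 (the same substring semantics delete-certificate -c uses).
match_certs() {
    awk -v needle="$1" '
        /^SHA-1 hash:/ { hash = $3 }
        /"labl"<blob>=/ {
            label = $0
            sub(/^.*"labl"<blob>="/, "", label)
            sub(/"[[:space:]]*$/, "", label)
            if (index(label, needle) > 0) printf "%s\t%s\n", hash, label
        }'
}

# Resolve $1 to exactly one hash. Zero or several matches return 1 and list
# the candidates on stderr, so a caller never deletes the wrong certificate.
unique_hash() {
    matches=$(match_certs "$1")
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf 'error: %s certificate(s) match "%s"\n' "$count" "$1" >&2
        printf '%s\n' "$matches" >&2
        return 1
    fi
    printf '%s\n' "$matches" | cut -f1
}

# Usage on a Mac (hypothetical keychain path), feeding the real dump instead:
#   hash=$(security find-certificate -a -Z "$keychain" | unique_hash "Example Root CA G2") &&
#   sudo security delete-certificate -Z "$hash" "$keychain"
```

With the sample, "Example Root CA" is ambiguous (it is a substring of "Example Root CA G2"), which is exactly the case where deleting by `-c` would be unsafe and the function refuses.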


Here's a method I use to purge old user certificates based on a certificate's common name.

In my particular case, my Mac users are bound to Active Directory and they have "user certificates" installed.

The certificate's common name is the user's name, but not the user's "username".

In my environment, usernames are first.last.

So first, I get the path to the user's login.keychain and strip off the surrounding quotes, then I pipe that into a string variable called "$Keychain_Name".

My script then retrieves the certificate's common name by fingering the currently logged-in user, grepping for the "Name:" field and using awk to grab the desired info (First Last). That gets piped into the string "$Common_Name".

I then use security delete-certificate with the two string variables and voila, cert removed!

Script below...

#!/bin/sh

# CLEAR SCREEN
clear

echo "######################################################################"
echo "# Certificate Removal Script"
echo "# Written by Caine Hörr"
echo "# Written on Wednesday, July 17, 2013"
echo "# Last updated by Caine Hörr"
echo "# Last updated on Wednesday, July 17, 2013"
echo "######################################################################"
echo

echo
echo "Gathering Keychain Info"
# Path to the user's login keychain: drop the surrounding quotes and the
# leading indentation that "security list-keychains" prints.
# Assumes the user's login keychain is the only entry matching $USER.
Keychain_Name=$(security list-keychains | grep "$USER" | tr -d '"' | sed 's/^[[:space:]]*//')

echo
echo "Gathering Certificate Common Name Info"
# "Name:" field of the finger output, i.e. the user's full name (First Last)
Common_Name=$(finger "$USER" | grep "Name:" | awk '{ print $4, $5 }')

echo
echo "Deleting Certificate $Common_Name from $Keychain_Name"
# Both variables are quoted so a keychain path containing spaces still works
security delete-certificate -c "$Common_Name" "$Keychain_Name"

echo
echo "Process Complete"
exit

Hope this gives you some food for thought!

Caine Hörr answered Nov 01 '22 03:11