How can I extract all root CA certificates from all the keychains on OSX programmatically in pem format?
Keychain programming services should allow this but how?
Any help would be appreciated.
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >certs-roots.pem
security find-certificate -a -p /Library/Keychains/System.keychain >certs-system.pem
security find-certificate -a -p ~/Library/Keychains/login.keychain-db >certs-user.pem
BTW: You can see those paths in Keychain Access when you hover over the Keychains list (top/left).
You can combine system and user pems by using the default certificate source:
security find-certificate -a -p >certs.pem
This is super useful for node.js, when you want to use require('https').request on typical corporate internal stuff without having to resort to hacks like accepting any certificate without checking. You don't need to include the system roots since nodejs has you covered already for those.
NODE_EXTRA_CA_CERTS=certs.pem node
Answering my own question: On OSX you can invoke an NSTask to get the response from the security command line utility:
security find-certificate -a -p /System/Library/Keychains/SystemCACertificates.keychain > allcerts.pem