# security — Manage Keychains and Certificates

> Practical guide to the macOS security tool — manage passwords, certificates, signing identities and keychains from the terminal.

Source: https://www.jpkc.com/db/en/cheatsheets/macos/security/

<!-- PROSE:intro -->
The `security` command is the command-line interface to the macOS keychains. With it you query, create or delete passwords, certificates, keys and code signing identities – all from the terminal, without ever opening the graphical Keychain Access app. That makes it ideal for scripts, CI builds and code-signing workflows. This guide walks you through the subcommands you reach for daily: from keychain handling through password and certificate management to code signing and trust chains.
<!-- PROSE:intro:end -->

## Keychain Management

`security list-keychains` — List all keychains in the search list.

```bash
security list-keychains
```

`security default-keychain` — Show the default keychain.

```bash
security default-keychain
```

`security create-keychain <name>` — Create a new keychain.

```bash
security create-keychain mykeys.keychain-db
```

`security delete-keychain <name>` — Delete a keychain.

```bash
security delete-keychain mykeys.keychain-db
```

`security lock-keychain` — Lock the default keychain.

```bash
security lock-keychain
```

`security unlock-keychain <name>` — Unlock a keychain (prompts for password).

```bash
security unlock-keychain login.keychain-db
```

## Passwords

`security find-generic-password -s '<service>' -w` — Find and print a password by service name.

```bash
security find-generic-password -s 'MyApp' -w
```

`security find-generic-password -a '<account>' -s '<service>' -w` — Find a password by account and service.

```bash
security find-generic-password -a 'admin' -s 'MyDatabase' -w
```

`security add-generic-password -a '<account>' -s '<service>' -w '<password>'` — Add a password to the keychain.

```bash
security add-generic-password -a 'admin' -s 'MyDatabase' -w 'secret123'
```

`security delete-generic-password -s '<service>'` — Delete a password from the keychain.

```bash
security delete-generic-password -s 'MyApp'
```

`security find-internet-password -s '<server>' -w` — Find an internet password (stored by browsers, etc.).

```bash
security find-internet-password -s 'github.com' -w
```

`security add-internet-password -a '<account>' -s '<server>' -w '<password>'` — Add an internet password to the keychain.

```bash
security add-internet-password -a 'user@example.com' -s 'mail.example.com' -w 'pass123'
```
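The commands above put secrets on stdout and on the command line; the following script, added here as an example and not part of the original cheatsheet, wraps them so a secret goes into a variable and onward to a child process through its environment. The service and account names are hypothetical, and `SECURITY` is an assumed indirection that lets a test substitute a stub for the macOS tool.

```bash
#!/bin/sh
# Added example: handle keychain secrets in scripts without letting them reach
# the terminal, the shell history or CI logs.
# SECURITY is a hypothetical indirection so a test can stub the macOS tool.
set -eu
SECURITY="${SECURITY:-security}"

# get_secret SERVICE ACCOUNT: read a generic password into a variable.
# -w prints only the secret on stdout; stderr is silenced so a "could not be
# found" message does not clutter logs, and the tool's non-zero exit status
# becomes a clean failure instead of an empty string.
get_secret() {
    service="$1"; account="$2"
    if ! value=$("$SECURITY" find-generic-password -a "$account" -s "$service" -w 2>/dev/null); then
        echo "get_secret: no keychain item for $account@$service" >&2
        return 1
    fi
    printf '%s' "$value"
}

# put_secret SERVICE ACCOUNT VALUE: create or update (-U) an item. The value
# arrives in a variable, so it is never typed inline; it is still visible to
# `ps` for the instant the command runs, which interactive use avoids by
# putting -w last with no value and letting the tool prompt for it.
put_secret() {
    "$SECURITY" add-generic-password -U -a "$2" -s "$1" -w "$3"
}

# run_with_secret SERVICE ACCOUNT CMD...: hand the secret to a child process
# through its environment rather than argv; environment variables do not show
# up in `ps` output, command-line arguments do.
run_with_secret() {
    service="$1"; account="$2"; shift 2
    secret=$(get_secret "$service" "$account") || return 1
    SECRET="$secret" "$@"
}

# Usage (hypothetical service/account): the child reads the password from the
# environment, so nothing secret appears on its command line.
# run_with_secret MyDatabase admin sh -c 'PGPASSWORD="$SECRET" exec psql -U admin'
```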

## Certificates

`security find-certificate -a` — List all certificates in the default keychain.

```bash
security find-certificate -a
```

`security find-certificate -c '<name>' -p` — Find and export a certificate by common name (PEM format).

```bash
security find-certificate -c 'Apple Development' -p
```

`security import <file> -k <keychain>` — Import a certificate or key into a keychain.

```bash
security import cert.p12 -k login.keychain-db
```

`security import <file> -k <keychain> -T /usr/bin/codesign` — Import and allow codesign to use the certificate.

```bash
security import cert.p12 -k login.keychain-db -T /usr/bin/codesign
```

`security export -k <keychain> -t certs -o <file>` — Export all certificates from a keychain.

```bash
security export -k login.keychain-db -t certs -o certs.pem
```

## Code Signing

`security find-identity -v -p codesigning` — List valid code signing identities.

```bash
security find-identity -v -p codesigning
```

`security find-identity -v` — List all valid identities.

```bash
security find-identity -v
```

`security cms -D -i <file>` — Decode a signed CMS message.

```bash
security cms -D -i signed.p7
```
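The keychain, import and identity commands from the sections above come together in CI builds that sign app bundles. The script below is an added example, not from the original page: it creates a throwaway keychain for one job, imports the signing certificate with access limited to `codesign`, and looks up the identity hash to sign with. The `.p12` path, its passphrase and the keychain password are assumed to come from the CI secret store, and `SECURITY` is an assumed indirection so a test can substitute a stub for the macOS tool.

```bash
#!/bin/sh
# Added example: a throwaway code-signing keychain for a single CI job.
# Inputs are hypothetical: a .p12 path, its passphrase and a random keychain
# password from the CI secret store. SECURITY lets a test stub the macOS tool.
set -eu
SECURITY="${SECURITY:-security}"
KEYCHAIN="${RUNNER_TEMP:-/tmp}/ci-signing.keychain-db"

# Runs on exit, so the imported identity never outlives the job.
cleanup_signing_keychain() {
    "$SECURITY" delete-keychain "$KEYCHAIN" 2>/dev/null || true
}

# setup_signing_keychain P12 P12_PASSPHRASE KEYCHAIN_PASSWORD
setup_signing_keychain() {
    p12="$1"; p12_pass="$2"; kc_pass="$3"
    trap cleanup_signing_keychain EXIT
    "$SECURITY" create-keychain -p "$kc_pass" "$KEYCHAIN"
    # Auto-lock after 6 h of inactivity and on sleep instead of staying open.
    "$SECURITY" set-keychain-settings -lut 21600 "$KEYCHAIN"
    "$SECURITY" unlock-keychain -p "$kc_pass" "$KEYCHAIN"
    # -T names the one binary allowed to use the key without a prompt;
    # -A would allow every application.
    "$SECURITY" import "$p12" -k "$KEYCHAIN" -P "$p12_pass" -T /usr/bin/codesign
    # Since macOS 10.12 the key must also be partitioned for Apple's tools,
    # otherwise codesign blocks on a GUI prompt a headless runner cannot answer.
    "$SECURITY" set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pass" "$KEYCHAIN" >/dev/null
    # Put the new keychain in front of the user search list so codesign finds it.
    "$SECURITY" list-keychains -d user -s "$KEYCHAIN" login.keychain-db
}

# SHA-1 of the first valid code-signing identity in the job keychain; fails
# when none is usable, which is the check to run before calling codesign.
signing_identity_hash() {
    "$SECURITY" find-identity -v -p codesigning "$KEYCHAIN" \
        | awk '/^ *[0-9]+\)/ { print $2; exit }' | grep .
}

# Usage after setup_signing_keychain (hypothetical bundle name):
# codesign --sign "$(signing_identity_hash)" --options runtime --timestamp MyApp.app
```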

## Trust & Verification

`security verify-cert -c <cert>` — Verify a certificate's trust chain.

```bash
security verify-cert -c cert.pem
```

`security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <cert>` — Add a trusted root certificate system-wide.

```bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem
```

`security remove-trusted-cert -d <cert>` — Remove a trusted certificate.

```bash
sudo security remove-trusted-cert -d ca-cert.pem
```

`security dump-trust-settings` — Show trust settings for certificates.

```bash
security dump-trust-settings
```

<!-- PROSE:outro -->
## Conclusion

The `security` tool bundles full keychain access into a single command, which makes it indispensable wherever passwords, certificates or signing identities have to be managed programmatically, for example in CI pipelines that sign app bundles. Treat the sensitive subcommands with care: `find-generic-password -w` and `find-internet-password -w` print the password in **plain text** on stdout, from where it easily ends up in your shell history or in CI logs. `delete-keychain` and the `delete-*-password` commands are irreversible, and an unlocked keychain stays open until you lock it again. So lock keychains once you are done, and pass `-w '<password>'` from a variable rather than spelling it out on the command line. A variable keeps the secret out of your history but not out of the process list while the command runs, so when working interactively put `-w` last with no value and let the tool prompt for it instead.

## Further Reading

- [Security Framework – Apple Developer](https://developer.apple.com/documentation/security) – official Apple documentation on keychains, certificates and trust
- [Keychain Services – Apple Developer](https://developer.apple.com/documentation/security/keychain-services) – background on the architecture of macOS keychains
<!-- PROSE:outro:end -->

## Related Commands

- [caffeinate](https://www.jpkc.com/db/en/cheatsheets/macos/caffeinate/) – prevent the Mac from going to sleep
- [defaults](https://www.jpkc.com/db/en/cheatsheets/macos/defaults/) – read and write macOS user preferences
- [diskutil](https://www.jpkc.com/db/en/cheatsheets/macos/diskutil/) – manage disks, volumes and partitions

