security — Manage Keychains and Certificates

Practical guide to the macOS security tool — manage passwords, certificates, signing identities and keychains from the terminal.

The security command is the command-line interface to the macOS keychains. With it you query, create or delete passwords, certificates, keys and code signing identities – all from the terminal, without ever opening the graphical Keychain Access app. That makes it ideal for scripts, CI builds and code-signing workflows. This guide walks you through the subcommands you reach for daily: from keychain handling through password and certificate management to code signing and trust chains.

Keychain Management

security list-keychains — List all keychains in the search list.

security list-keychains

security default-keychain — Show the default keychain.

security default-keychain

security create-keychain <name> — Create a new keychain (prompts for a new keychain password; -p '<password>' supplies it non-interactively).

security create-keychain mykeys.keychain-db

security delete-keychain <name> — Delete a keychain.

security delete-keychain mykeys.keychain-db

security lock-keychain — Lock the default keychain (pass a keychain name to lock that one, or -a to lock every keychain in the search list).

security lock-keychain

security unlock-keychain <name> — Unlock a keychain (prompts for its password; -p '<password>' supplies it non-interactively, which is what CI scripts use).

security unlock-keychain login.keychain-db

Passwords

security find-generic-password -s '<service>' -w — Print only the password of the first item matching the service name (without -w the item's attributes are printed instead). The command exits with status 44 when no item matches.

security find-generic-password -s 'MyApp' -w

security find-generic-password -a '<account>' -s '<service>' -w — Find a password by account and service.

security find-generic-password -a 'admin' -s 'MyDatabase' -w

security add-generic-password -a '<account>' -s '<service>' -w '<password>' — Add a password to the keychain. Add -U to update an item that already exists (without it the command fails if one does). Putting -w last with no value makes security prompt for the secret, which keeps it out of argv and shell history.

security add-generic-password -a 'admin' -s 'MyDatabase' -w 'secret123'

security delete-generic-password -s '<service>' — Delete the first item matching the service name (add -a '<account>' to pin down exactly which item goes).

security delete-generic-password -s 'MyApp'

security find-internet-password -s '<server>' -w — Find an internet password (stored by browsers, etc.).

security find-internet-password -s 'github.com' -w

security add-internet-password -a '<account>' -s '<server>' -w '<password>' — Add an internet password to the keychain.

security add-internet-password -a 'user@example.com' -s 'mail.example.com' -w 'pass123'
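The following script is an added example, not part of the original page: it wraps the generic-password commands above into a small secret store that is safe to use from scripts. The helper names kc_set, kc_get, kc_del and with_secret, and the account "admin" and service "MyDatabase" used in the usage line, are assumptions. The points it demonstrates: -w placed last so security prompts instead of taking the secret from argv, exit status 44 for "no such item", and handing the secret to a consumer on stdin rather than as an argument.

```bash
#!/usr/bin/env bash
# Added example, not from the page. kc_set/kc_get/kc_del/with_secret and the
# account/service names in the usage line are assumed names.
set -eu

# Store or update (-U) a secret. -w is deliberately the LAST argument with no
# value: security then prompts on the terminal, so the secret never appears in
# argv, shell history or a CI log.
kc_set() {
  security add-generic-password -U -a "$1" -s "$2" -w
}

# Print the secret. security exits 44 when no item matches; pass that code
# through so callers can tell "missing" apart from other failures, and hide
# the SecKeychainSearchCopyNext message it writes to stderr.
kc_get() {
  local rc=0
  security find-generic-password -a "$1" -s "$2" -w 2>/dev/null || rc=$?
  return "$rc"
}

# Delete the one item identified by account AND service (the bare -s form
# deletes the first match for the service, whichever account that is).
kc_del() {
  security delete-generic-password -a "$1" -s "$2" >/dev/null
}

# Feed the secret to a program on stdin (docker login --password-stdin style)
# instead of as an argument, so it is not visible to `ps` either.
with_secret() {
  local account="$1" service="$2" secret
  shift 2
  secret="$(kc_get "$account" "$service")" || {
    echo "no secret stored for $service/$account" >&2
    return 1
  }
  printf '%s' "$secret" | "$@"
}

# Usage: kc.sh set admin MyDatabase        (prompts for the secret)
#        kc.sh run admin MyDatabase docker login --username admin --password-stdin
case "${1:-}" in
  set) kc_set "${2:?account}" "${3:?service}" ;;
  get) kc_get "${2:?account}" "${3:?service}" ;;
  del) kc_del "${2:?account}" "${3:?service}" ;;
  run) a="${2:?account}" s="${3:?service}"; shift 3; with_secret "$a" "$s" "$@" ;;
  *)   echo "usage: $0 set|get|del <account> <service> | run <account> <service> <cmd...>" >&2 ;;
esac
```

kc_get is the only function that prints the secret, and only to stdout, so capture it with command substitution or pipe it; never run it bare in a CI step whose output is logged.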

Certificates

security find-certificate -a — List all certificates in the keychains on the search list (name a keychain after the options to restrict the search to it).

security find-certificate -a

security find-certificate -c '<name>' -p — Print the first certificate whose name matches, in PEM format (combine with -a to print every match).

security find-certificate -c 'Apple Development' -p

security import <file> -k <keychain> — Import a certificate, key or .p12 bundle into a keychain (a .p12 prompts for its passphrase; -P '<passphrase>' supplies it non-interactively).

security import cert.p12 -k login.keychain-db

security import <file> -k <keychain> -T /usr/bin/codesign — Import and add codesign to the private key's access control list, so signing does not trigger an ACL prompt. On macOS 10.12 and later this alone is not enough for unattended use: the keychain's key partition list must also be updated with security set-key-partition-list, otherwise codesign still blocks on a GUI prompt in CI.

security import cert.p12 -k login.keychain-db -T /usr/bin/codesign

security export -k <keychain> -t certs -p -o <file> — Export all certificates from a keychain, PEM-encoded (-p); without -p the output is not PEM despite the file name.

security export -k login.keychain-db -t certs -p -o certs.pem

Code Signing

security find-identity -v -p codesigning — List valid code signing identities.

security find-identity -v -p codesigning

security find-identity -v — List all valid identities.

security find-identity -v
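The script below is an added example, not from the page, that ties the Keychain Management section, the import -T entry and find-identity together into the ephemeral signing keychain a CI job needs. The function names, the env vars SIGNING_P12 and SIGNING_P12_PASSWORD, the keychain path and the identity name 'Developer ID Application' are assumptions. It shows the step the page's import entry alone leaves out (set-key-partition-list), picks the identity by its SHA-1 hash rather than by display name, and deletes the keychain on exit so the private key does not outlive the job on a shared runner.

```bash
#!/usr/bin/env bash
# Added example, not from the page. Function names, env var names, the
# keychain path and the identity name are assumptions.
set -eu

KEYCHAIN="${RUNNER_TEMP:-/tmp}/ci-signing.keychain-db"

# Create an unlocked throw-away keychain, import the .p12 with an ACL for
# codesign, and put the keychain on the user search list so codesign finds it.
ci_setup_signing_keychain() {
  local p12="$1" p12_pw="$2" kc_pw
  kc_pw="$(head -c 24 /dev/urandom | base64)"            # random, used only by this job
  security create-keychain -p "$kc_pw" "$KEYCHAIN"
  security set-keychain-settings -lut 21600 "$KEYCHAIN"  # auto-lock after 6 h and on sleep
  security unlock-keychain -p "$kc_pw" "$KEYCHAIN"
  security import "$p12" -k "$KEYCHAIN" -P "$p12_pw" \
    -T /usr/bin/codesign -T /usr/bin/security
  # Since macOS 10.12 the import ACL is not enough for non-interactive signing:
  # the key's partition list must also allow Apple's tools, or codesign hangs
  # on a GUI prompt the runner can never answer.
  security set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pw" "$KEYCHAIN" >/dev/null
  # list-keychains -s REPLACES the search list, so re-append the existing
  # entries (quoted, one per line) after the new keychain. Unquoted on purpose.
  security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | tr -d '"')
}

# Print the SHA-1 hash of the first valid code-signing identity whose name
# contains $1. codesign accepts the hash for --sign, and unlike the display
# name it is unambiguous when several certificates share one name.
ci_signing_identity() {
  local pattern="$1" hash
  hash="$(security find-identity -v -p codesigning "$KEYCHAIN" \
    | awk -v pat="$pattern" 'index($0, pat) && length($2) == 40 && $2 ~ /^[0-9A-F]+$/ { print $2; exit }')"
  [ -n "$hash" ] || { echo "no valid identity matching '$pattern'" >&2; return 1; }
  printf '%s\n' "$hash"
}

# Always remove the keychain, whether or not the job succeeded.
ci_teardown_signing_keychain() {
  security delete-keychain "$KEYCHAIN" 2>/dev/null || true
}

# Usage in a job step: ci-sign.sh sign MyApp.app   (secrets come from the env)
if [ "${1:-}" = "sign" ]; then
  trap ci_teardown_signing_keychain EXIT
  ci_setup_signing_keychain "$SIGNING_P12" "$SIGNING_P12_PASSWORD"
  IDENTITY="$(ci_signing_identity 'Developer ID Application')"
  codesign --force --options runtime --timestamp --sign "$IDENTITY" "${2:?bundle}"
fi
```

The .p12 passphrase and keychain password do pass through argv here; that is unavoidable with this tool and acceptable on a single-tenant runner, but it is one more reason the keychain must be deleted the moment the job ends.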

security cms -D -i <file> — Decode a signed CMS (PKCS#7) message and print its content; this is also the way to read a .mobileprovision profile, which is a CMS-signed plist.

security cms -D -i signed.p7

Trust & Verification

security verify-cert -c <cert> — Verify a certificate's trust chain against the trusted roots. Add -p ssl -s <hostname> to evaluate it under the TLS policy for a given host, or -r <root.pem> to check it against a specific root instead of the system roots.

security verify-cert -c cert.pem

security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <cert> — Add a trusted root certificate system-wide.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem

security remove-trusted-cert -d <cert> — Remove the admin trust settings for a certificate. The certificate itself stays in the keychain; remove it with security delete-certificate.

sudo security remove-trusted-cert -d ca-cert.pem

security dump-trust-settings — Show the current user's trust settings (-d shows the admin settings, -s the system ones).

security dump-trust-settings
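As an added example for the Trust & Verification section (not code from the page), the script below walks an internal CA through its life cycle: check that a leaf chains to it before touching trust settings, trust it system-wide for TLS only, and later remove both the trust settings and the certificate itself. The function names and the file names lab-ca.pem and leaf.pem are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the page. Function names and file names are assumed.
set -eu

SYSTEM_KC=/Library/Keychains/System.keychain

# Dry run before changing trust settings: does the leaf chain to this CA under
# the SSL policy for this hostname? -r evaluates against the given root instead
# of the system roots; -L uses only local certificates, no network fetches.
check_chain() {
  local ca="$1" leaf="$2" host="$3"
  security verify-cert -c "$leaf" -r "$ca" -p ssl -s "$host" -L
}

# Trust the CA system-wide, but only for SSL (-p ssl): an internal root has no
# business validating code signatures or S/MIME on this machine.
trust_lab_ca() {
  sudo security add-trusted-cert -d -r trustRoot -p ssl -k "$SYSTEM_KC" "$1"
}

# remove-trusted-cert only clears the trust settings; the certificate stays in
# the keychain. Look it up by common name, take its SHA-1 hash and delete
# exactly that item, so a different certificate with the same name survives.
untrust_lab_ca() {
  local ca="$1" cn="$2" sha1
  sudo security remove-trusted-cert -d "$ca"
  sha1="$(security find-certificate -c "$cn" -Z "$SYSTEM_KC" \
    | awk '/^SHA-1 hash:/ { print $3; exit }')"
  [ -n "$sha1" ] || { echo "certificate '$cn' not found in $SYSTEM_KC" >&2; return 1; }
  sudo security delete-certificate -Z "$sha1" "$SYSTEM_KC"
}

# Usage: lab-ca.sh trust lab-ca.pem 'Example Lab Root CA' leaf.pem intranet.example.test
#        lab-ca.sh untrust lab-ca.pem 'Example Lab Root CA'
case "${1:-}" in
  trust)   check_chain "${2:?ca}" "${4:?leaf}" "${5:?host}" && trust_lab_ca "$2" ;;
  untrust) untrust_lab_ca "${2:?ca}" "${3:?cn}" ;;
  *)       echo "usage: $0 trust <ca.pem> <cn> <leaf.pem> <host> | untrust <ca.pem> <cn>" >&2 ;;
esac
```

Restricting the root with -p ssl is the part most people skip: a root added with -r trustRoot and no policy is trusted for everything, including code signing, which is far more than a lab CA for internal HTTPS needs.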

Conclusion

The security tool bundles full keychain access into a single command, making it indispensable whenever passwords, certificates or signing identities need to be managed programmatically, for example in CI pipelines that sign app bundles. Be mindful of the sensitive parts, though: find-generic-password -w and find-internet-password -w print the password in plain text, where it can easily end up in your shell history or CI logs, so capture it into a variable or pipe it straight into its consumer rather than letting it scroll by. delete-keychain and the delete-*-password commands are irreversible. An unlocked keychain stays open until it is locked again or its own timeout fires (set one with security set-keychain-settings), so lock keychains once you are done, or use a throw-away keychain that the job deletes at the end. When adding secrets, put -w at the end of the command without a value so that security prompts for it: a value spelled out on the command line lands in shell history, and even one expanded from a variable is visible to other local users via ps for as long as the command runs.

Further Reading

  • caffeinate – prevent the Mac from going to sleep
  • defaults – read and write macOS user preferences
  • diskutil – manage disks, volumes and partitions