Default macOS certificates not trusted and not verified by third party

Tags: certificate, defaults, mojave

When I start a new macOS system from scratch, inside the Keychain application I notice there are 3 certificates that are not trusted or not verified yet. I know I can double click each one of them and make them trusted for the entire system.

But my question is: what are those certificates for? What is the purpose of these certificates, and should I make them trusted or not?

One certificate is located inside the Keychain under the Login section: member: xxxxx-xxxxx-xxxx-xxxx-xxxxxx (expires one year from the current date) (this certificate has not been verified by a third party).

The other 2 certificates are located inside the Keychain under the System section: com.apple.kerberos.kdc and com.apple.systemdefault (expire in 2040) (these certificates have not been verified by a third party).

Best Answer

com.apple.kerberos.kdc is a self-signed key used for Kerberos authentication when you log into another Mac in your local area network, log into Back To My Mac, log into iCloud or MobileMe, or use Apple screen sharing.

It is necessary for automatic negotiation and encryption of the username and password for these functions. It's not signed by a CA because it's not unique to a particular computer, which is why it's "not trusted". If you delete it, you will not be able to automatically log in to any of those services, even if you tell the system to remember your username and password in the Keychain.

I believe, though I'm not sure, that com.apple.systemdefault is used to automatically log you on to the computer if you have automatic login available. It also isn't signed by a CA because it's the generic encryption key that is used to protect your system password. Deleting this certificate could cause problems with logging on to your computer; I recommend leaving it alone.

In addition, regarding your first query, check these two blog posts:

https://eclecticlight.co/2019/04/01/back-to-school-studentd-and-classroom-in-mojave-10-14-4/

https://eclecticlight.co/2019/03/30/mojave-10-14-4s-strange-new-security-certificate/

Although run from a system LaunchAgent property list, studentd is run as the user from login. If you log into a user account which doesn’t yet have one, it creates a security certificate in that user’s login keychain, with a name starting with ‘member:’ followed by two UUIDs. The first of these is that user’s UserIdentifier given in ~/Library/studentd/AdHocConfiguration.plist, thus is that student’s identifier for the purposes of studentd. That certificate isn’t trusted, but trust is obtained later if the user connects that Mac to a Classroom system.

Also, note from Apple:

Apple also confirms that it’s related to studentd and Classroom.app. Also that it won’t be generated in future versions of macOS.

It’s Apple software and doesn’t appear to have any impact on your Mac. I hope that solves the mystery for you and reassures you that it isn’t anything more sinister.