Is there a command or UI I can use to test certificates or diagnose why they aren't valid?
A while back Apple changed the requirements for TLS certificates, and announced dates from when those changes would take effect. For example, not accepting certificates that last longer than 865 days, requiring extended attributes, etc.
If I use such a certificate, Chrome/Safari don't tell me why it's considered invalid if it's an Apple-enforced reason such as the ones above.
It'd be great to have a go-to debugging step that'll tell me if a certificate is or isn't good that includes the Apple restrictions.
Clarification: I'm not interested in generating certificates or how to code them. I just want to know how to test if a given certificate is valid on a macOS system using the terminal or some other OS UI.
Best Answer
So it turns out there is an OS level tool, security. For example, I can test if a certificate ca.crt is valid like this:
Here's what a valid certificate will look like:
And here's a certificate with a 10 year expiration that violates Apple's rules, but is otherwise valid according to OpenSSH:
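As an added example that is not part of the original answer: a POSIX shell script that reports how many days a certificate is valid for and flags anything over Apple's limit, then, on macOS only, hands the file to the security tool for the system's own trust evaluation. It assumes openssl is installed and sets the limit to 825 days, Apple's published maximum for TLS server certificates issued since July 2019; change APPLE_MAX_DAYS to match whichever rule you are diagnosing.

```shell
#!/bin/sh
# Added example, not code from the answer above. Measures a certificate's
# validity period with openssl, flags anything over Apple's limit, and on
# macOS also runs `security verify-cert`. 825 days is Apple's published
# maximum for TLS server certificates issued from July 2019 (assumed here).
APPLE_MAX_DAYS=825

# Convert an OpenSSL date ("Jan  1 00:00:00 2030 GMT") to days since 1970-01-01.
# Pure awk so it behaves the same on BSD (macOS) and GNU userlands.
date_to_days() {
  printf '%s\n' "$1" | awk '
    function days_from_civil(y, m, d,   era, yoe, doy, doe) {
      y = (m <= 2) ? y - 1 : y
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    { m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      print days_from_civil($4 + 0, m, $2 + 0) }'
}

days_between() {  # days_between START END, both in OpenSSL date format
  echo $(( $(date_to_days "$2") - $(date_to_days "$1") ))
}

# Validity period in days of a PEM certificate; fails if openssl cannot read it.
cert_validity_days() {
  dates=$(openssl x509 -in "$1" -noout -startdate -enddate) || return 2
  start=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
  end=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
  days_between "$start" "$end"
}

# Exit 0 if the period is within the limit, 1 if over, 2 if unreadable.
check_cert() {
  days=$(cert_validity_days "$1") || return 2
  if [ "$days" -gt "$APPLE_MAX_DAYS" ]; then
    echo "$1: valid for $days days, over Apple's $APPLE_MAX_DAYS-day limit"
    return 1
  fi
  echo "$1: valid for $days days, within Apple's $APPLE_MAX_DAYS-day limit"
  # On macOS, also run the system trust evaluation against the SSL policy.
  if command -v security >/dev/null 2>&1; then
    security verify-cert -c "$1" -p ssl
  fi
}
```

Run it as `check_cert ca.crt`; the exit status lets you use it from other scripts, and the security line only runs where the tool exists.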