MacOS – the macOS equivalent of Windows certificate store names

Tags: certificate, keychain, macos

On Windows, when retrieving information about certificates, they come from named certificate stores, such as "Trusted Root Certification Authorities" or "Trusted Publishers" – what is the equivalent on macOS?

My best guess is types of keychains, e.g. "login" or "System", but those are sufficiently different that I'm not sure. The names also don't seem to come with the certificates (when using SecItemCopyMatching in Swift, for example).

The context of why I need this: I've been asked to gather data about users' computers (so IT can see aggregate data), and most of the work was done for the Windows side of things before I got here. I'm trying to gather the same certificate data for macOS that is currently gathered for Windows. Most of it is easily obtained from both (e.g. the Subject, the Expiration), but the Windows code has a value called the Certificate Store that I don't readily see an analog for in macOS.

Best Answer

The equivalent on macOS is the Keychain name.

On Windows you have, for example, the "Current User Certificate Store". The corresponding one on macOS would be the user's login keychain: ~/Library/Keychains/login.keychain-db. There's one for each user on the system, and it stores the certificates relevant to that user only.

On Windows you have the "Local Machine Certificate Store" that holds certificates added by users to be accessed by all users on the local computer. The corresponding one on macOS would be the System keychain: /Library/Keychains/System.keychain.

On Windows you have the "Trusted Root Certification Authorities Certificate Store" that holds CA certificates trusted by the operating system in general. The corresponding one on macOS is the System Root Certificates keychain: /System/Library/Keychains/SystemRootCertificates.keychain.

You can list the certificates in each of those keychains by using the built-in security command. For example, to get an overview list:

security find-certificate -a ~/Library/Keychains/login.keychain-db
security find-certificate -a /Library/Keychains/System.keychain
security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain

or to export the actual certificates in PEM format:

security find-certificate -a -p ~/Library/Keychains/login.keychain-db
security find-certificate -a -p /Library/Keychains/System.keychain
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain

The exception to the rule above is what is known as the "Trusted Publishers Certificate Store" in Windows - this is not stored in a Keychain on macOS, but instead in a system assessment rule database. The name of that is: /var/db/SystemPolicy.

You can create a list of those with the following command:

sudo spctl --list --type execute

The output is a list of assessment rules, which, besides a few generic, Apple-specific rules, is basically a list of the hashes of the certificates of the trusted publishers.

The actual certificate information cannot be exported from the SystemPolicy database, as they're not contained there. You can however get to that data by traversing the installed applications (for example in /Applications) and running:

codesign -d -r- -vvvv /Applications/AnApp.app

This allows you to gather information such as the publisher's name, subject organisational unit, CA name (Apple Root CA) and timestamps.
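Putting the answer's commands together into the kind of inventory the question asks for, as an added example that is not part of the original answer: each certificate record carries the keychain name (login, System, SystemRootCertificates) in a `store` field as the analogue of the Windows "Certificate Store" value, alongside the subject, expiry and fingerprint. The script shells out to `security`, `openssl` and `codesign` exactly as the answer does, so the gathering functions only work on macOS; the parsing is kept in pure functions that run anywhere. The keychain paths are the ones from the answer; the `KEYCHAINS` list, the record field names, and the sample texts in the docstrings are my own assumptions, not anything from the page. `codesign` writes its verbose details to stderr, so both streams are captured.

```python
"""Inventory certificates per macOS keychain, labelling each record with the
keychain name as the analogue of the Windows "Certificate Store" field.

Added example for this Q&A, not code from the answer. Shells out to the tools
the answer names (security, openssl, codesign); parsing is in pure functions."""
import re
import shutil
import subprocess
from pathlib import Path

# Keychain paths taken from the answer; the Windows mapping is the answer's.
KEYCHAINS = [
    "~/Library/Keychains/login.keychain-db",                       # Current User
    "/Library/Keychains/System.keychain",                          # Local Machine
    "/System/Library/Keychains/SystemRootCertificates.keychain",   # Trusted Root CAs
]

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def keychain_name(path):
    """'~/Library/Keychains/login.keychain-db' -> 'login' (the store label)."""
    name = Path(path).name
    for suffix in (".keychain-db", ".keychain"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def split_pem_bundle(text):
    """Split the concatenated PEM output of 'security find-certificate -a -p'."""
    return _PEM_BLOCK.findall(text)


def parse_openssl_text(text):
    """Parse 'openssl x509 -noout -subject -enddate -fingerprint -sha256' output.

    Accepts both the LibreSSL/OpenSSL 1.x subject form ('subject= /O=Acme/CN=x')
    and the OpenSSL 3 form ('subject=O = Acme, CN = x')."""
    rec = {"subject": None, "cn": None, "not_after": None, "sha256": None}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "subject":
            rec["subject"] = value
            m = re.search(r"(?:^|[/,]\s*)CN\s*=\s*([^/,]+)", value)
            rec["cn"] = m.group(1).strip() if m else None
        elif key == "notafter":
            rec["not_after"] = value
        elif key.endswith("fingerprint"):      # 'SHA256 Fingerprint' / 'sha256 Fingerprint'
            rec["sha256"] = value.replace(":", "").lower()
    return rec


def parse_codesign_output(text):
    """Parse 'codesign -d -r- -vvvv App.app' output: the Authority= chain (leaf
    first, root such as 'Apple Root CA' last), team id, timestamp and the
    designated requirement, which is where subject.OU and friends appear."""
    rec = {"authorities": [], "team_id": None, "timestamp": None, "requirement": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Authority="):
            rec["authorities"].append(line[len("Authority="):])
        elif line.startswith("TeamIdentifier="):
            rec["team_id"] = line[len("TeamIdentifier="):]
        elif line.startswith("Timestamp="):
            rec["timestamp"] = line[len("Timestamp="):]
        elif line.startswith("designated =>"):
            rec["requirement"] = line[len("designated =>"):].strip()
    return rec


def gather_keychain(path):
    """Run the answer's commands for one keychain; one record per certificate."""
    if not (shutil.which("security") and shutil.which("openssl")):
        raise RuntimeError("needs the macOS 'security' and 'openssl' tools")
    kc = str(Path(path).expanduser())
    pem = subprocess.run(["security", "find-certificate", "-a", "-p", kc],
                         check=True, capture_output=True, text=True).stdout
    records = []
    for block in split_pem_bundle(pem):
        out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-enddate",
                              "-fingerprint", "-sha256"],
                             input=block, check=True, capture_output=True, text=True).stdout
        rec = parse_openssl_text(out)
        rec["store"] = keychain_name(path)      # Windows 'Certificate Store' analogue
        records.append(rec)
    return records


def gather_app(app_path):
    """Publisher data for one app; codesign prints details on stderr, -r- on stdout."""
    out = subprocess.run(["codesign", "-d", "-r-", "-vvvv", app_path],
                         capture_output=True, text=True)
    return parse_codesign_output(out.stderr + out.stdout)


if __name__ == "__main__":
    for kc in KEYCHAINS:
        for r in gather_keychain(kc):
            print(r["store"], r["not_after"], r["cn"], sep="\t")
    for app in Path("/Applications").glob("*.app"):
        info = gather_app(str(app))
        print(app.name, info["team_id"], info["authorities"], sep="\t")
```

Run it as-is on a Mac to get one line per certificate per keychain; the System keychain and the `codesign` loop need no elevated privileges, whereas `spctl --list` (the answer's SystemPolicy step) still wants `sudo`. Expired certificates are not filtered out; compare `not_after` against the current date yourself if IT only wants live ones.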