On Windows, when retrieving information about certificates, they come from named certificate stores, such as "Trusted Root Certification Authorities" or "Trusted Publishers" – what is the equivalent on macOS?
My best guess is types of keychains, e.g. "login" or "System", but those are sufficiently different that I'm not sure. The names also don't seem to come with the certificates (when using SecItemCopyMatching in Swift, for example).
The context of why I need this: I've been asked to gather data about users' computers (so IT can see aggregate data), and most of the work was done for the Windows side of things before I got here. I'm trying to gather the same certificate data for macOS that is currently gathered for Windows. Most of it is easily obtained from both (e.g. the Subject, the Expiration), but the Windows code has a value called the Certificate Store that I don't readily see an analog for in macOS.
Best Answer
The equivalent on macOS is the Keychain name.
On Windows you have for example the "Current User Certificate Store". The corresponding on macOS would be the user's login keychain:
~/Library/Keychains/login.keychain-db
There's one for each user on the system, and it stores the certificates relevant to that user only.
On Windows you have the "Local Machine Certificate Store" that holds certificates added by users to be accessed by all users on the local computer. The corresponding on macOS would be the System keychain:
/Library/Keychains/System.keychain
On Windows you have the "Trusted Root Certification Authorities Certificate Store" that holds CA certificates trusted by the operating system in general. The corresponding on macOS is the System Root Certificates keychain:
/System/Library/Keychains/SystemRootCertificates.keychain
You can list the certificates in each of those keychains by using the built-in security command. For example, to get an overview list:
or to export the actual certificates in PEM format:
The exception to the rule above is what is known as the "Trusted Publishers Certificate Store" in Windows - this is not stored in a Keychain on macOS, but instead in a system assessment rule database. The name of that is:
/var/db/SystemPolicy
You can create a list of those with the following command:
The output is a list of assessment rules, which, besides a few generic, Apple-specific rules, is basically a list of the hashes of the certificates of the trusted publishers.
The actual certificate information cannot be exported from the SystemPolicy database, as they're not contained there. You can however get to that data by traversing the installed applications (for example in /Applications) and running:
This allows you to gather information such as the publisher's name, subject organisational unit, CA name (Apple Root CA) and timestamps.