MacOS – the root CAs stored on OS X

certificate, keychain, macos, security

I need one of the root CA certificates, as a filename, to pass to a command-line program. I could download it from DigiCert (and convert it to the required format, .crt) manually, but I figure it's easier to just use the CA that OS X must already have. It's a common certificate, and all my Linux servers already have it, for example.

In the "Keychain Access" app, the correct certificate does exist, but I can't find anything that says where it lives.

Do these CAs exist in the filesystem, or only in an opaque proprietary format for OS X APIs?

Best Answer

The root CAs are stored in:

/System/Library/Keychains/SystemCACertificates.keychain

/System/Library/Keychains/SystemRootCertificates.keychain

Yes, these are OS X keychain files which are opaque, though not necessarily proprietary. You could theoretically use OS X's Keychain Services APIs to get at the certificate data inside the keychain file, but that might be overkill.

If you want a tangible copy of any of the root CA certificates, just select it in Keychain Access and drag it to the Desktop to make a copy of it in .cer format.

(You can also use Quick Look in the Finder to preview the certificate info).
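The same export can be scripted with the macOS `security` command-line tool, which prints a matching certificate from the keychain file named above as PEM. This is an added example, not part of the original answer; the function name `export_root_ca` and its return codes are hypothetical, and it writes nothing when the name matches more than one certificate.

```shell
#!/bin/sh
# Added example: export one root CA from the macOS system roots keychain as PEM.
# Relies on the macOS `security` tool; -c matches on a common-name substring.

ROOTS_KEYCHAIN="/System/Library/Keychains/SystemRootCertificates.keychain"

# export_root_ca <common-name> <output-file> [keychain]
# Returns 0 on success, 1 if nothing matched, 2 if the name was ambiguous.
export_root_ca() {
    cn="$1"; out="$2"; keychain="${3:-$ROOTS_KEYCHAIN}"
    tmp="$(mktemp)" || return 3

    # -a: return all matches, -c: match common name, -p: print as PEM
    security find-certificate -a -c "$cn" -p "$keychain" > "$tmp" 2>/dev/null || true

    # Count PEM blocks; grep -c exits non-zero on a count of 0, hence "|| true".
    count="$(grep -c -- '-----BEGIN CERTIFICATE-----' "$tmp" || true)"

    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        # A multi-certificate file would make the consuming program
        # trust every root in it, not only the intended one.
        rm -f "$tmp"
        return 2
    fi

    mv "$tmp" "$out"
}

# Usage on macOS (the name is a placeholder for the certificate you need):
#   export_root_ca "<certificate common name>" ./root.crt
```

Before passing the file to another program, compare its fingerprint (`openssl x509 -in root.crt -noout -fingerprint -sha256`) with the value the CA publishes.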