Remove private key from Mac OS X keychain using Terminal

macos terminal keychain codesign
Benjamin picture Benjamin · Oct 6, 2011 · Viewed 32.9k times · Source

I've imported a developer identity (certificate + private key) for iOS development to a keychain using the "security" Terminal application with the command

security import identity.p12 -k <keychain> -P <passphrase>

This imports both items included in the p12 file, certificate and private key, into the given keychain. I forgot to specify -T /usr/bin/codesign, however, which adds the codesign application to the access list of the private key. I've tried to add the codesign app to the access list to no avail:

  • I've tried to re-import the identity with the added parameter but that does not seem to change the access list of the private key.
  • I've also tried deleting the certificate from the keychain using security delete-certificate and re-importing. This does not change the access list of the private key.

Since I only have ssh access to the machine, using the Keychain GUI application won't work. Therefore I'm looking for a way to delete the private key from the keychain (so that I can re-import the identity afterwards). I've checked the man page of the security tool but did not find a means to delete a private key.

Is there any way you can remove a private key from a keychain using Terminal commands only (as I do only have ssh access to the machine in question)?

Answer

Erik picture Erik · Oct 12, 2011

There are several keychains on your system:

sudo security list-keychains
"/Users/JonDoe/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"

I think you imported it into the System-Keychain: First make a backup of your System Root Certificates before making any changes (or any other keychain you choose):

cd /System/Library/Keychains/
sudo cp SystemRootCertificates.keychain SystemRootCertificates.keychain.old

List all keychains / all certificates in your keychain:

ls -l /System/Library/Keychains/
sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

With the second command each certificate of the keychain is shown. Identify the certificate you want to remove. Then remove the certificate with the following command:

sudo security delete-certificate -Z <SHA-1 hash of certificate> /System/Library/Keychains/SystemRootCertificates.keychain
**alternative:**
sudo security delete-certificate -c <common name of certificate> /System/Library/Keychains/SystemRootCertificates.keychain

That's all. Now you can import your certificate again. In case of an error, you can restore your keychain with the following command:

sudo security import certificate_files_backup -k /System/Library/Keychains/SystemRootCertificates.keychain -t cert

Related questions

How do I edit $PATH (.bash_profile) on OSX?

I am trying to edit an entry to PATH, as I did something wrong. I am using Mac OS X 10.10.3 I have tried: > touch ~/.bash_profile; open ~/.bash_profile But the file editor opens with nothing inside. My problem: …

Read More
Open terminal here in Mac OS finder

Is there something similar to the "Open Command Window Here" Windows Powertoy for Mac OS? I've found a couple plugins through a google search but wanted to see what works best for developers out there.

Read More
Git is not working after macOS Update (xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools)

I updated to macOS Mojave (this happens to Catalina update too). This morning I navigated to my work's codebase in the Command Line on my MacBook pro, typed in "git status" in the repository and received the error: xcrun: error: …

Read More