I have iphone 13, but downloading the single .pfx certificate didn't show any option to install it, the guides on the internet suggest mailing it, so I've tried sending it to my gmail but that also doesn't show any option, how do I do it?

I need one of the root CA certificates, as a filename, to pass to a command-line program. I could download it from DigiCert (and convert it to the required format, .crt) manually, but I figure it's easier to just use the CA that OS X must already have. It's a common certificate, and all my Linux servers already have it, for example. In the "Keychain Access" app, the correct certificate does exist, but I can't find anything that says where it lives. Do these CAs exist in the filesystem, or only in an opaque proprietary format for OS X APIs?

I have two apps both associated with the same development team, and I've gotten notifications for both of them that Your iOS Distribution Certificate will no longer be valid in 30 days. I got these notifications for the two apps on separate days. I followed the instructions on [this page](https://www.idownloadblog.com/2020/08/26/how-to-generate-new-apple-developer-distribution-certificate/) and generated a new .p12 file, and now on developer.apple.com under Certificates, Identifiers & Profiles there's a new iOS Distribution Certificate for our team. **What I Want To Know:** Do I need to take separate actions for each app, or is this all I need to do?

I generated a new Apple Distribution Certificate for my React Native project because I got an email saying my old one was going to expire. It appears to be in my keychain: but when I try to upload my app to the app store, it shows this error: and when I click Manage Certificates it shows this: **What I Want To Know:** How do I make sure that my new certificate is in my keychain such that Xcode detects it and doesn't show this error?

According to Apple , > With Safari 5 through 5.1.7, a lock icon appears near the top right > corner [only] if all of the webpage's content uses a secure connection. That's all very well, but normally to view the SSL/TLS certificate for a webpage serving content over HTTPS, one would click the padlock icon. Because the icon is not present on pages that serve only *some* of their content over SSL/TLS, there ought to be another way to view the certificate, but what is it?

I use three Macs for development of a web application. On each of the Macs (macOS 14.4) I used mkcert to install a local CA and to issue developer certificates (all separately). Accessing the web app with https://localhost:8080 works fine on two Macs with all browsers, but on one Mac Safari claims to have another root CA for localhost which it does not trust. And I cannot override the trust settings. Using Keychain Access I do not find this certificate. Safari shows it like this: Scrolling down I can see DNS Names localhost, localhost.localdomain and lvh.me, so I suspect it is a leftover from trying to install a root CA before using mkcert. The mkcert certificate looks like this and I can see it in the System keychain: So Safari complains and I cannot tell it to trust the server certificate as the CA does not fit (I think). Firefox and Chrome open the website just fine after warning me and me telling them to do so. I tried to find the wrong CA using Keychain Access and Terminal (security find-certificate -a -c localhost, security find-certificate -a -c lvh...) but in vain. Where can I find this certificate and how can I delete it?

My program works as follows In a while loop, it checks for the active window change - AppKit library used from AppKit import NSWorkspace active_window = (NSWorkspace.sharedWorkspace().activeApplication()['NSApplicationName']) if the active window changes to from some other window to google chrome, I need get the url from the chrome's current tab using apple script as : url="""tell application "System Events" tell application "Google Chrome" to get the URL of the active tab of window 1 as string end tell""" This script is running fine, I can able to get the current window name and also url I need to know which kind of identifier, provisioning profile, certificate should be used for the same Im confused of choosing the certificate I don't have any idea if I need to have a provisioning profile Im not going to place this app in mac app store, I just wanted to use this app to support another electron application Any help is appreciated

I recently installed an 802.1x EAP-TTLS profile on my Macbook (Sequoia 15.4.1) using a .mobileconfig file. The profile came along with two CA certificates. After installing the bundle, I can successfully connect to my work's Wifi network. I can also see the added certificates on Keychain Access. However, I didn't want to keep these certificates active for Safari, so I tried to delete them from the keychain while keeping the 802.1x settings. Surprisingly, the Wifi connection still works, without the certificates in the keychain: Does MacOS keep a copy of the certificates only for the 802.1x settings? Would they be still trusted in for example, Safari, even after removing them from the keychain?

I have some elderly, unsupported Mac apps, and I followed the steps in this Stack Overflow article to retrieve their code-signed certificates and check their expiry dates. This copied 3 certificates to a new location. The first ("Developer ID") has an expiry date of 25 February, 2022 (which has passed); yet the app still launches without complaint. The second ("Developer ID Certification Authority") is dated 1st Feb 2027; and the third is Apple's root certificate, due to expire 9 February 2035. My questions are: Why didn't the app stop working (or why did the OS not flag any issue) in 2022? Will it stop working in either 2027 or 2035 (all other things being equal), without some kind of manual intervention, such as ad-hoc local signing?

I have a website running on nginx webserver. It uses optional SSL client vertification by certificate. I also have a certificate issued by proper CA added to my keychain "Login" (I am not actually sure of its name since my OS language is not English). When I go to that site using other browsers than Safari (tried Orion and Chrome), it asks for certificate right away, but Safari does not. Also, by toggling "Lock keychain after xxx minutes" option I managed to make Safari to ask for certificate for one of the 3rd level domains on my site, but not for the other. Client certificate authentication works well with other browsers so I assume there is nothing wrong server-side as certificate is being recognized and accepted, and my best guess is - something is wrong with Safari. Cleaning site settings doesn't seem to have any effect too. Why Safari doesn't want to use certificate sometimes? I guess if set SSL client verification to be required, it is going to solve the problem, but for some unrelated reasons I cannot do that. Update: while I was writing that, I let safari so do nothing and think of its behavior I assume. Next time I reloaded page, it asked for certificate from keychain. Although now it behaves as I expect, its behavior is still somewhat erratic.

I am trying to have Safari stop preventing me from visiting one of my dev machines with an invalid cert. I am trying to use the solution in this thread but install it using the CLI: security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db /tmp/test.cert I am still receiving the "Safari Can't Open the Page because Safari can't establish a secure connection to the server" error. I want it to be applied to the user so I don't want to do the -d flag. And I know I am correctly downloading the cert because if I add the certificate and trust it through the OSX GUI, it works fine. Another interesting note is that this solution works for my Brave and Firefox browsers, so it's just Safari that is giving me grief, but even safari works when I add the downloaded cert via the GUI.

My workflow involves changing a cert installed in the system's trust states between 'Use Custom Settings' and 'Never Trust' (see the Keychain Access screenshot below). How do I do this from command line?

I have a certificate and/or private key file (pfx) on my OS X desktop. I'd like to look at its information (CN, SAN, OU, thumbprint, etc) but when I double click on it, it attempts to install into my Keychain. Once its in there, I can see the info and then delete it. I would like to know if there is a way to "open" a certificate for viewing without having to install it into your Keychain. Similar to how you can click on the padlock in Safari and see the cert info. I'd prefer something native to OS X but maybe there are tools out there too?

I would like to use our company's iPhones in the office network. In order to reduce maintenance work, we use an internal PKI with a CA that issues long-living certificates (10 years or so). In order for the devices to trust those certificates, we install the CA's certificate on all our client devices. This is working fine for Windows devices, for Linux devices and also for Android devices. Unfortunately, this does not work for iPhones (iOS 18.2.1). Safari just refuses to navigate to the internal websites and the Chrome browser shows an error message that the certificate lifetime is too long. I know there's a restriction on the certificate's validity times introduced by the CA/Browser Forum to ensure that information in certificates are not outdated, but that document clearly targets publicly trusted TLS certificates. All major browser manufacturers and OSes apply this restrictions only to certificates issued by CAs included on their stock trusted CA list. Manually added CAs are not affected by this limitation. I think, also Apple (being a member of the CA/B Forum) implemented certificate trust it this way (though I'm not absolutely sure). But for some reason, this seems not to be the case anymore. ### Is this behavior intended? If so: - Why did Apple change this policy? - Is there some statement from them? - Is there an option to disable that behavior and switch back to the old rules? ### Or is this a bug in the current iOS version? If so: - is there some update or fix that can be applied? - Does anyone know, if it will be fixed in the next release?

I have (belatedly, I admit) upgraded an older Mac mini server (running Mac OS X High Sierra) with the last security update (2020-something). It now seems to hang at boot: But, this seems not to be the case, as from the outside, it can be reached, so the OS seems to be running:

% nc -v -z 192.168.2.67 1-1000 2>&1 | grep succeeded
Connection to 192.168.2.67 port 22 [tcp/ssh] succeeded!
etc.

After some investigation it turns out WindowServer won't start because it isn't signed properly (system.log):

(com.apple.WindowServer): Binary is improperly signed

It will start in safe mode, but what I need doesn't work then. I suspect the security update requires code signed binaries, but the certificate chain is seriously out of date. Probably I need to (command line) make sure it trusts the signature nonetheless. So, is there a way to get around this? I only need the system for one task and shortly, I do not mind the signing doesn't work. But I can't use safe mode, it seems.

When I start a new Mac OS system from scratch, inside the keychain application I notice there are 3 certificates that are not trusted or not verified yet. I know I can double click each one of them and make them trusted for the entire system. But my question is what are those certificates for? What is the purpose of these certificates and should I make them trusted? or not? One certificate is located inside the Keychain under the Login section: **member: xxxxx-xxxxx-xxxx-xxxx-xxxxxx** (expire in one year from the current date) (this certificate has not been verified by a third party) The other 2 certificates are located inside the Keychain under the System section: **com.apple.kerberos.kdc** and **com.apple.systemdefault** (expires in 2040) (this certificate has not been verified by a third party.)

I have difficulty reaching various secure web sites. They give me a certificate expired error. They work on Firefox but not Safari or Chrome. They also work on newer versions of macOS (e.g. Catalina, Big Sur). This seems to be because Safari and Chrome use the OS root certificate store and Firefox uses its own, and El Capitan is not being updated. From here there are: * Trusted certificates establish a chain of trust that verifies other certificates signed by the trusted roots — for example, to establish a secure connection to a web server. When IT administrators create Configuration Profiles, these trusted root certificates don't need to be included. * Always Ask certificates are untrusted but not blocked. When one of these certificates is used, you'll be prompted to choose whether or not to trust it. * Blocked certificates are believed to be compromised and will never be trusted. There is a list of fingerprints of the current certificates there, but no downloadable bundles of certificates. How do I update my root certificates on an older version of OS X 10.11

I have several digital certificates installed in my computer running macOS and stored on my keychain. Certain websites (normally from Spanish government) require user identification through these certificates. Whenever I log in a website or service using any of my certificates, that is stored as an identity preference in the keychain. The same certificate is used again without asking when I log in the same site again. This is inconvenient, because if I need to use a different certificate, I must go to keychain, delete the identity preference and restart Safari in order to be offered the choice of certificate again. Does anyone know how to stop keychain or Safari from storing identity preferences? Do you know of any workaround?

I exported the pkcs12 file which contains the Apple Distribution Certificate with the Private Key on macOS Sonoma 14 with no password. I was able to import the same on different macOS Sonoma 14 machines as follows:

-console
security import \
  apple-distribution-hrk.p12 \
  -k /Users/hrk/Library/Keychains/non-default.keychain-db \
  -f pkcs12 \
  -P "" \
  -A

But when upgraded to macOS Sequoia 15.0 (24A335), running the above command gives me the following error:

-console
security: SecKeychainItemImport: The user name or passphrase you entered is not correct.

#### Workaround I didn't have the Private Key of the original macOS Sonoma 14 from which the pkcs12 file was exported. So, I had to create the new Certificate by uploading the Certificate Signing Request, download the .cer file, import it, and then export the pkcs12 file with some password. Then I was able to import the pkcs12 file with the password. #### Question I couldn't find any reference to this Breaking Change in the Release Notes of macOS Sequoia 15.0 (24A335) . Can somebody point to the official documentation that refers to this Breaking Change? Or is this the bug in macOS Sequoia 15.0 (24A335)? #### References - Apple Developer Forums Post: [764429] - Filed the Feedback: FB15250516 #### Edits This bug still exists in the following updates: - macOS Sequoia 15.0.1 (24A348)

Safari suddenly can't connect to any HTTPS site because it "can't establish a secure connection". This is on an administrator account, not a managed account. A different administrator account is able to use Safari with HTTPS, so must be something specific to my account, but I have no idea what. Google Chrome has no problems connecting to HTTPS sites. Things I have tried: * emptied Safari's cache * deleted Safari's preferences * reset Safari entirely * repaired Keychain (no errors found) * deleted Keychain (didn't help) * repaired permissions in Disk Utility * rebooted * hoped it would suddenly fix itself All of the google results I saw suggested either repairing the Keychain (which I tried and which did not help) or were only applicable if there were "Parental Controls" involved, which doesn't apply here. If I had to guess, I would think that wherever Safari is checking for "certificates" is somehow corrupted, but I could be wrong. I'm not even sure where to look for those - maybe ~/Library/?