How to export digital certificates on Mac

The Mac uses Keychain Access to manage the installed digital certificates. Keychain Access manages not only digital certificates, but also the following information.

  • Accounts (ID and Password)
  • Secret Memos
  • Degital certificates
  • Public keys
  • Private keys

This article describes how to export a digital certificate.

TOC

About export from the Xcode

Use Xcode to export certificates presented by the Apple Developer Program for use in iOS app development and other applications in bulk. For more information, please see the following article.

This article describes how to specify individual certificates for export instead of batch export.

How to export keys with private keys

To export the key the private key, do the following.

STEP
Launch “Keychain Access” in the “Utilities” folder in the “Applications” folder.
Keychain Access
Keychain Access
STEP
Select “login” from the “Default Keychains” on the left side.

Select “System” or “System Roots” for certificates originally installed on the system.

STEP
Select “Certificates” from the refinement.
STEP
Select the certificate to be exported.
Select the certificate
Select the certificate
STEP
Select “Export Items…” from the “File” menu.
STEP
Select the export location and enter the name.
STEP
Select the “Personal Information Exchange (.p12)” from the “File Format”.
Export dialog
Export dialog
STEP
When the password input dialog appears, enter the password and click the “OK” button.

The exported file will be encrypted with the password you entered.

Password input dialog
Password input dialog
STEP
When the authentication dialog appears, enter the administrator password and click the “Allow” button.
STEP
The certificate is exported to specified location.
Exported certificate
Exported certificate

Check to see if the key is included

Verify that the exported certificate contains the key. Since we have written out a certificate that contains a private key, we check to see if the written out certificate contains the private key. The certificate information is checked using openssl.

Run following command in the Terminal.

% openssl pkcs12 -in certificate -noout -info

For example, when the certificate file is Certificates.p12, then do as follows.

% openssl pkcs12 -in Certificates.p12 -noout -info
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

You will find that the following two pieces of information are contained in the certificate.

  • Certificate bag (Certificate)
  • Shrounded Keybag (Key)

We have confirmed that both the certificate and the key are output.

How to export an X.509 certificate

Keychain Access can also export X.509 certificates. To export an X.509 certificate, select “Certificate (.cer)” from “File Format” in the Export dialog.

Export dialog
Export dialog
X.509 certificate
X.509 certificate

Check the contents of the exported X.509 certificate

Check that the exported X.509 certificate contains the selected certificate and public key. Use openssl to check.

% openssl x509 -inform der -noout -subject -in Certificates.cer

The output is then as follows.

subject= /UID=XXXXXXXXXX/CN=Apple Development: Akira Hayashi (0123456789)/OU=0123456789/O=Akira Hayashi/C=US

The name displayed in the keychain access matches the name written in the CN, so the selected certificate is exported. Also, when the following is executed, the public key in the certificate is output, and it can be confirmed that the public key is in the certificate.

% openssl x509 -inform der -noout -pubkey -in Certificates.cer
-----BEGIN PUBLIC KEY-----
(omit)
-----END PUBLIC KEY-----
Let's share this post !

Author of this article

Akira Hayashiのアバター Akira Hayashi Representative, Software Engineer

I am an application developer loves programming. This blog is a tech blog, its articles are learning notes. In my work, I mainly focus on desktop and mobile application development, but I also write technical books and teach seminars. The websites of my work and books are here -> RK Kaihatsu.

TOC