
Adding new trusted root certificates to System.keychain

If you’re setting up a certificate authority for your organization, so that you can build and use PKI certificates in house, you need to make sure that your Macs recognize that CA (and the certificates it issues) as trusted. One way to do that is to install new trusted root certificates as needed into /Library/Keychains/System.keychain, so that certificates issued by your CA are recognized and trusted by your Mac.

You can use the security command to install the trusted root into your Mac’s System.keychain (in this example, the trusted root .cer file is stored in /private/tmp/certs):

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"

add-trusted-cert = Add certificate (in DER or PEM format) from certFile to per-user or local Admin Trust Settings.

-d = Add this certificate to admin certificate store; default is to store it in the user’s keychain.

-r = Specifies the result you want, in this case you want to use trustRoot (see the security man page for the other options.)

-k = Specifies the keychain to use, in this case the specified keychain is /Library/Keychains/System.keychain

You can also build this into an installer package: the package installs the certificate you want to use into a specified directory, and the following postflight script then installs the trusted certificate into System.keychain and removes the certificate file from that directory.

#!/bin/bash

# Add the staged root certificate to the admin trust settings in System.keychain.
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer"

# Remove the staged copy once it has been imported.
# (srm was removed in macOS 10.12 Sierra; on later releases use rm instead.)
srm "/private/tmp/certs/certname.cer"
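The script above does no checking: if the file is in the wrong format, or the import succeeds but the trust setting does not take (both recurring themes in the comments below), the certificate is deleted anyway and nothing reports the problem. The following helper is an added example, not the post’s own script or anything shipped by Apple. It assumes the same staging path the post uses (/private/tmp/certs/certname.cer, a placeholder), relies on the real security(1) subcommands add-trusted-cert and verify-cert, and uses rm rather than srm. The file-format and argument checks are plain POSIX sh, so they can be exercised on a machine without the macOS security tool; the actual import only runs where security(1) exists.

```shell
#!/bin/sh
# Added example, not the original post's script: install a CA certificate into
# /Library/Keychains/System.keychain with a few checks before and after calling
# security(1). Helper functions are plain POSIX sh so they can be tested anywhere.

KEYCHAIN="/Library/Keychains/System.keychain"

# Classify a certificate file by its PEM armour header; anything without one is
# assumed to be DER. add-trusted-cert accepts PEM or DER, but not a PKCS#7
# bundle (.p7b), which has to be unpacked first (e.g. openssl pkcs7 -print_certs).
cert_format() {
    first_line=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$first_line" in
        "-----BEGIN CERTIFICATE-----") echo pem ;;
        "-----BEGIN PKCS7-----")       echo pkcs7 ;;
        "-----BEGIN "*)                echo other-pem ;;   # e.g. a private key
        *)                             echo der ;;
    esac
}

# Only the two -r values discussed on this page are accepted:
# trustRoot for a genuine (self-signed) root, trustAsRoot for an intermediate.
valid_trust_kind() {
    case "$1" in
        trustRoot|trustAsRoot) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the exact security(1) invocation so it can be logged or reviewed
# before anything on the machine is changed.
build_command() {
    printf 'security add-trusted-cert -d -r %s -k %s %s\n' "$2" "$KEYCHAIN" "$1"
}

# Install $1 with trust setting $2, verify it, then remove the staged copy.
# Return codes: 2 bad arguments, 3 wrong file format, 4 security(1) missing,
# 5 import failed, 6 imported but not evaluated as trusted.
install_trusted_cert() {
    cert="$1"; kind="$2"
    [ -f "$cert" ] || { echo "no such file: $cert" >&2; return 2; }
    valid_trust_kind "$kind" || { echo "bad -r value: $kind" >&2; return 2; }
    fmt=$(cert_format "$cert")
    case "$fmt" in
        pem|der) ;;
        *) echo "$cert looks like $fmt, not a bare certificate; unpack it first" >&2
           return 3 ;;
    esac
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not available here; would run:" >&2
        build_command "$cert" "$kind" >&2
        return 4
    fi
    # -d writes to the admin (system-wide) trust settings, so this needs root.
    security add-trusted-cert -d -r "$kind" -k "$KEYCHAIN" "$cert" || return 5
    # Confirm the system now evaluates the certificate as trusted before the
    # staged file is deleted; failing here is the "imported but still untrusted"
    # state described in the comments, surfaced as an exit code instead of silence.
    security verify-cert -c "$cert" >/dev/null 2>&1 || return 6
    # srm was removed in macOS 10.12, so plain rm is used for the cleanup.
    rm -f "$cert"
}

# Usage: sudo sh install_ca.sh /private/tmp/certs/certname.cer [trustRoot|trustAsRoot]
if [ $# -ge 1 ]; then
    install_trusted_cert "$1" "${2:-trustRoot}"
fi
```

Because the certificate file is only removed after verify-cert succeeds, a deployment tool sees a nonzero exit code (and the staged file is left in place for inspection) whenever the import or the trust setting failed.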
  1. March 14, 2011 at 4:35 pm

    This doesn’t work for me. If I deploy it with trustRoot, I get a certificate in the keychain that’s untrusted. If I use trustAsRoot, I get a certificate with custom trust (blue plus icon), which uses the system’s default trust settings. With trustAsRoot I no longer get certificate warnings e.g. in Safari, but I wonder what I have to do to get a nice green check mark icon…

  2. March 14, 2011 at 5:39 pm

    Per,

    Are you adding a root CA? You may have different results with this command if you’re adding a certificate that’s been issued by another CA.

    http://wiki.cacert.org/ImportRootCert

  3. perolofssongu
    March 14, 2011 at 7:10 pm

    That’s probably it, the root CA is offline and locked away in a safe, and the issuing CA is online. I guess it’s serving me its own certificate and not the root’s.

    I can get the complete chain as a p7b, but I haven’t figured out how to extract a PEM format root certificate out of that.

    • perolofssongu
      March 16, 2011 at 4:53 pm

      openssl pkcs7 -in certnew.p7b -print_certs did the trick, and with a cut’n’paste I can add the certificate with trustRoot. Still just a blue plus icon and not a green checkmark though…

  4. September 23, 2013 at 2:05 am

    The security man page doesn’t explain the effects of the trustRoot and trustAsRoot.
    Can you give a short description of what the two options do and how they differ?

    • perolofssongu
      September 23, 2013 at 7:13 am

      trustAsRoot trusts everything signed by that certificate as if it was a root certificate, even if it’s not, e.g. if it’s just an intermediate certificate. trustRoot trusts the specified root certificate, but you have to point it to a root certificate.

  5. February 11, 2014 at 12:07 am

    When I do this I get an error that reads: SecCertificateAddToKeychain: Unknown format in import. I have searched for this error everywhere but there is no definitive answer… What is your take on this?

  6. February 19, 2014 at 3:31 pm

    Sorry to drag up an old post, but trying to do this via Casper, how could I make it run as the user, not as root, do you know?

    • Todd
      November 22, 2014 at 4:36 pm

      Were you able to deploy this via Casper? I’m not sure this can be run under the root context that a deployment solution would run it under. I am trying to deploy using a systems management tool as well. Any suggestions?

  7. April 30, 2015 at 9:14 pm

    I don’t fully understand the ‘-d’ option. The man page mentions “Add to admin cert store; default is user.” But if I’m specifying the keychain with -k anyway, what does ‘admin cert store’ mean anyway?

  8. Mark
    July 23, 2015 at 6:03 am

    Rich, I’m wondering if I can do the same with an ssl cert which is from a proxy server? Of course when I drop the cert into the system.keychain, it changes from a .pem to a .cer. I thought for Casper, I could just package it with composer and use your script to install it into the system.keychain.

  9. October 11, 2016 at 10:12 pm

    Worked for me on Mac OS X El Capitan

  10. jwoll
    January 27, 2017 at 3:50 pm

    Is there a way to automagically set the all of the trust settings to “Always Trust” after importing the cert?

  11. Shiju Kuchelan
    August 8, 2019 at 3:43 pm

    I’m trying to add a CA to the login keychain to get support for the Safari browser. I use the below security command

    sudo security add-trusted-cert -r trustRoot -k "/Users/maya/Library/Keychains/login.keychain" "/tmp/certs/test.cer"

    The cert got added to the login keychain successfully, but the browser is not able to recognize the certificate authority, getting the error ‘ERR_cert_authority_invalid’.

  12. luke
    November 25, 2020 at 6:51 am

    Hello
    Is it still working correctly? While performing, GUI pop up appears asking for a password to change trust settings. Is it possible to bypass GUI and use only Terminal?

    • Kuldeep choudhary
      March 10, 2021 at 2:21 am

      @Luke – I am also facing the same issue. I think they changed something in Big Sur security; this is happening only after the Big Sur OS. If someone can find the solution that will be great.

      tried with sudo /usr/bin/security but no luck

  13. Ashish Gupta
    June 15, 2021 at 8:34 am

    @Luke @Kuldeep
    use this
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain -P

  14. Tony Cisneros
    July 21, 2022 at 9:33 pm

    So I was running into the same issue. The script would import the cert but it would not trust it. After a couple days on and off working on this, I finally realized that I was using the wrong -r command. I was using trustRoot as suggested above, but the cert I was using was not issued by another cert. So I had to change the -r command to trustAsRoot. Example below.

    security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain
