Mac Developer Library Developer
Search

 

This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.




security(1)               BSD General Commands Manual              security(1)

NAME
     security -- Command line interface to keychains and Security framework

SYNOPSIS
     security [-hilqv] [-p prompt] [command] [command_options] [command_args]

DESCRIPTION
     A simple command line interface which lets you administer keychains, manipulate keys and certificates,
     and do just about anything the Security framework is capable of from the command line.

     By default security will execute the command supplied and report if anything went wrong.

     If the -i or -p options are provided, security will enter interactive mode and allow the user to enter
     multiple commands on stdin.  When EOF is read from stdin security will exit.

     Here is a complete list of the options available:

     -h       If no arguments are specified, show a list of all commands.  If arguments are provided, show
              usage for each the specified commands.  This option is essentially the same as the help com-mand. command.
              mand.

     -i       Run security in interactive mode.  A prompt (security> by default) will be displayed and the
              user will be able to type commands on stdin until an EOF is encountered.

     -l       Before security exits, run
                    /usr/bin/leaks -nocontext
              on itself to see if the command(s) you executed had any leaks.

     -p prompt
              This option implies the -i option but changes the default prompt to the argument specified
              instead.

     -q       Will make security less verbose.

     -v       Will make security more verbose.

SECURITY COMMAND SUMMARY
     security provides a rich variety of commands (command in the SYNOPSIS), each of which often has a
     wealth of options, to allow access to the broad functionality provided by the Security framework.  How-ever, However,
     ever, you don't have to master every detail for security to be useful to you.

     Here are brief descriptions of all the security commands:

     help                        Show all commands, or show usage for a command.
     list-keychains              Display or manipulate the keychain search list.
     default-keychain            Display or set the default keychain.
     login-keychain              Display or set the login keychain.
     create-keychain             Create keychains.
     delete-keychain             Delete keychains and remove them from the search list.
     lock-keychain               Lock the specified keychain.
     unlock-keychain             Unlock the specified keychain.
     set-keychain-settings       Set settings for a keychain.
     set-keychain-password       Set password for a keychain.
     show-keychain-info          Show the settings for keychain.
     dump-keychain               Dump the contents of one or more keychains.
     create-keypair              Create an asymmetric key pair.
     add-generic-password        Add a generic password item.
     add-internet-password       Add an internet password item.
     add-certificates            Add certificates to a keychain.
     find-generic-password       Find a generic password item.
     delete-generic-password     Delete a generic password item.
     find-internet-password      Find an internet password item.
     delete-internet-password    Delete an internet password item.
     find-certificate            Find a certificate item.
     find-identity               Find an identity (certificate + private key).
     delete-certificate          Delete a certificate from a keychain.
     set-identity-preference     Set the preferred identity to use for a service.
     get-identity-preference     Get the preferred identity to use for a service.
     create-db                   Create a db using the DL.
     export                      Export items from a keychain.
     import                      Import items into a keychain.
     cms                         Encode or decode CMS messages.
     install-mds                 Install (or re-install) the MDS database.
     add-trusted-cert            Add trusted certificate(s).
     remove-trusted-cert         Remove trusted certificate(s).
     dump-trust-settings         Display contents of trust settings.
     user-trust-settings-enable  Display or manipulate user-level trust settings.
     trust-settings-export       Export trust settings.
     trust-settings-import       Import trust settings.
     verify-cert                 Verify certificate(s).
     authorize                   Perform authorization operations.
     authorizationdb             Make changes to the authorization policy database.
     execute-with-privileges     Execute tool with privileges.
     leaks                       Run /usr/bin/leaks on this process.
     error                       Display a descriptive message for the given error code(s).

COMMON COMMAND OPTIONS
     This section describes the command_options that are available across all security commands.

     -h       Show a usage message for the specified command.  This option is essentially the same as the
              help command.

SECURITY COMMANDS
     Here (finally) are details on all the security commands and the options each accepts.

     help [-h]
            Show all commands, or show usage for a command.

     list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]]
            Display or manipulate the keychain search list.

            -d user|system|common|dynamic
                     Use the specified preference domain.
            -s       Set the search list to the specified keychains.

     default-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
            Display or set the default keychain.

            -d user|system|common|dynamic
                     Use the specified preference domain.
            -s       Set the default keychain to the specified keychain.  Unset it if no keychain is speci-fied. specified.
                     fied.

     login-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
            Display or set the login keychain.

            -d user|system|common|dynamic
                     Use the specified preference domain.
            -s       Set the login keychain to the specified keychain.  Unset it if no keychain is speci-fied. specified.
                     fied.

     create-keychain [-hP] [-p password] [keychain...]
            Create keychains.

            -P              Prompt the user for a password using the SecurityAgent.
            -p password     Use password as the password for the keychains being created.

            If neither -P or -p password are specified, the user is prompted for a password on the command
            line.

     delete-keychain [-h] [keychain...]
            Delete keychains and remove them from the search list.

     lock-keychain [-h] [-a|keychain]
            Lock keychain, or the default keychain if none is specified.  If the -a option is specified, all
            keychains are locked.

     unlock-keychain [-hu] [-p password] [keychain]
            Unlock keychain, or the default keychain if none is specified.

     set-keychain-settings [-hlu] [-t timeout] [keychain]
            Set settings for keychain, or the default keychain if none is specified.

            -l              Lock keychain when the system sleeps.
            -u              Lock keychain after timeout interval.
            -t timeout      Specify timeout interval in seconds (omitting this option specifies "no time-out"). timeout").
                            out").

     set-keychain-password [-h] [-o oldPassword] [-p newPassword] [keychain]
            Set password for keychain, or the default keychain if none is specified.

            -o oldPassword  Old keychain password (if not provided, will prompt)
            -p newPassword  New keychain password (if not provided, will prompt)

     show-keychain-info [-h] [keychain]
            Show the settings for keychain.

     dump-keychain [-adhir]
            Dump the contents of one or more keychains.

            -a              Dump access control list of items
            -d              Dump (decrypted) data of items
            -i              Interactive access control list editing mode
            -r              Dump raw (encrypted) data of items

     create-keypair [-h] [-a alg] [-s size] [-f date] [-t date] [-d days] [-k keychain] [-A|-T appPath]
     [name]
            Create an asymmetric key pair.

            -a alg          Use alg as the algorithm, can be rsa, dh, dsa or fee (default rsa)
            -s size         Specify the keysize in bits (default 512)
            -f date         Make a key valid from the specified date
            -t date         Make a key valid to the specified date
            -d days         Make a key valid for the number of days specified from today
            -k keychain     Use the specified keychain rather than the default
            -A              Allow any application to access this key without warning (insecure, not recom-mended!) recommended!)
                            mended!)
            -T appPath      Specify an application which may access this key (multiple -T options are
                            allowed)

     add-generic-password [-h] [-a account] [-s service] [-w password] [options...] [keychain]
            Add a generic password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character code)
            -C type         Specify item type (optional four-character code)
            -D kind         Specify kind (default is "application password")
            -G value        Specify generic attribute value (optional)
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as default label)
            -s service      Specify service name (required)
            -p password     Specify password to be added (legacy option, equivalent to -w)
            -w password     Specify password to be added
            -A              Allow any application to access this item without warning (insecure, not recom-mended!) recommended!)
                            mended!)
            -T appPath      Specify an application which may access this item (multiple -T options are
                            allowed)
            -U              Update item if it already exists (if omitted, the item cannot already exist)

            By default, the application which creates an item is trusted to access its data without warning.
            You can remove this default access by explicitly specifying an empty app pathname: -T "". If no
            keychain is specified, the password is added to the default keychain.

     add-internet-password [-h] [-a account] [-s server] [-w password] [options...] [keychain]
            Add an internet password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character code)
            -C type         Specify item type (optional four-character code)
            -d domain       Specify security domain string (optional)
            -D kind         Specify kind (default is "application password")
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as default label)
            -p path         Specify path string (optional)
            -P port         Specify port number (optional)
            -r protocol     Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
            -s server       Specify server name (required)
            -t authenticationType
                            Specify authentication type (as a four-character SecAuthenticationType, default
                            is "dflt")
            -w password     Specify password to be added
            -A              Allow any application to access this item without warning (insecure, not recom-mended!) recommended!)
                            mended!)
            -T appPath      Specify an application which may access this item (multiple -T options are
                            allowed)
            -U              Update item if it already exists (if omitted, the item cannot already exist)

            By default, the application which creates an item is trusted to access its data without warning.
            You can remove this default access by explicitly specifying an empty app pathname: -T "". If no
            keychain is specified, the password is added to the default keychain.

     add-certificates [-h] [-k keychain] file...
            Add certficates contained in the specified files to the default keychain.  The files must con-tain contain
            tain one DER encoded X509 certificate each.
            -k keychain     Use keychain rather than the default keychain.

     find-generic-password [-h] [-a account] [-s service] [-options...] [-g] [-keychain...]
            Find a generic password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -D kind         Match kind string
            -G value        Match value string (generic attribute)
            -j comment      Match comment string
            -l label        Match label string
            -s service      Match service string
            -g              Display the password for the item found
            -w              Display the password(only) for the item found

     delete-generic-password [-h] [-a account] [-s service] [-options...] [-keychain...]
            Delete a generic password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -D kind         Match kind string
            -G value        Match value string (generic attribute)
            -j comment      Match comment string
            -l label        Match label string
            -s service      Match service string

     delete-internet-password [-h] [-a account] [-s server] [options...] [keychain...]
            Delete an internet password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -d securityDomain
                            Match securityDomain string
            -D kind         Match kind string
            -j comment      Match comment string
            -l label        Match label string
            -p path         Match path string
            -P port         Match port number
            -r protocol     Match protocol (four-character code)
            -s server       Match server string
            -t authenticationType
                            Match authenticationType (four-character code)

     find-internet-password [-h] [-a account] [-s server] [options...] [-g] [keychain...]
            Find an internet password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -d securityDomain
                            Match securityDomain string
            -D kind         Match kind string
            -j comment      Match comment string
            -l label        Match label string
            -p path         Match path string
            -P port         Match port number
            -r protocol     Match protocol (four-character code)
            -s server       Match server string
            -t authenticationType
                            Match authenticationType (four-character code)
            -g              Display the password for the item found
            -w              Display the password(only) for the item found

     find-certificate [-h] [-a] [-c name] [-e emailAddress] [-m] [-p] [-Z] [keychain...]
            Find a certificate item.  If no keychain arguments are provided, the default search list is
            used.

            Options:
            -a              Find all matching certificates, not just the first one
            -c name         Match on name when searching (optional)
            -e emailAddress
                            Match on emailAddress when searching (optional)
            -m              Show the email addresses in the certificate
            -p              Output certificate in pem format.  Default is to dump the attributes and key-chain keychain
                            chain the cert is in.
            -Z              Print SHA-1 hash of the certificate

            Examples

            security> find-certificate -a -p > allcerts.pem
                     Exports all certificates from all keychains into a pem file called allcerts.pem.

            security> find-certificate -a -e me@foo.com -p > certs.pem
                     Exports all certificates from all keychains with the email address me@foo.com into a
                     pem file called certs.pem.

            security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-1
                     Print the SHA-1 hash of every certificate in 'login.keychain' whose common name
                     includes 'MyName'

     find-identity [-h] [-p policy] [-s string] [-v] [keychain...]
            Find an identity (certificate + private key) satisfying a given policy. If no policy arguments
            are provided, the X.509 basic policy is assumed. If no keychain arguments are provided, the
            default search list is used.

            Options:
            -p policy       Specify policy to evaluate (multiple -p options are allowed). Supported poli-cies: policies:
                            cies: basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning, sys-default, sysdefault,
                            default, sys-kerberos-kdc
            -s string       Specify optional policy-specific string (e.g. a DNS hostname for SSL, or RFC822
                            email address for S/MIME)
            -v              Show valid identities only (default is to show all identities)

            Examples

            security> find-identity -v -p ssl-client
                     Display valid identities that can be used for SSL client authentication

            security> find-identity -p ssl-server -s www.domain.com
                     Display identities for a SSL server running on the host 'www.domain.com'

            security> find-identity -p smime -s user@domain.com
                     Display identities that can be used to sign a message from 'user@domain.com'

     delete-certificate [-h] [-c name] [-Z hash] [-t] [keychain...]
            Delete a certificate from a keychain.  If no keychain arguments are provided, the default search
            list is used.

            -c name         Specify certificate to delete by its common name
            -Z hash         Specify certificate to delete by its SHA-1 hash
            -t              Also delete user trust settings for this certificate

            The certificate to be deleted must be uniquely specified either by a string found in its common
            name, or by its SHA-1 hash.

     set-identity-preference [-h] [-n] [-c identity] [-s service] [-u keyUsage] [-Z hash] [keychain...]
            Set the preferred identity to use for a service.

            -n              Specify no identity (clears existing preference for the given service)
            -c identity     Specify identity by common name of the certificate
            -s service      Specify service (may be a URL, RFC822 email address, DNS host, or other name)
                            for which this identity is to be preferred
            -u keyUsage     Specify key usage (optional)
            -Z hash         Specify identity by SHA-1 hash of certificate (optional)

            The identity is located by searching the specified keychain(s) for a certificate whose common
            name contains the given identity string. If no keychains are specified to search, the default
            search list is used. Different identity preferences can be set for individual key usages. You
            can differentiate between two identities which contain the same string by providing a SHA-1 hash
            of the certificate (in addition to, or instead of, the name.)

            PARTIAL PATHS AND WILDCARDS

            Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a
            per-URL basis. The URL being visited had to match the service name exactly for the preference to
            be in effect.

            In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using a
            service name with a partial path URL to match more specific paths on the same server. For exam-ple, example,
            ple, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect
            for "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must
            end with a trailing slash character.

            Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by
            using the wildcard character '*' as the leftmost component of the service name. Unlike SSL wild-cards, wildcards,
            cards, an identity preference wildcard can match more than one subdomain. For example, an iden-tity identity
            tity preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or
            "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both
            "server.army.mil" and "server.navy.mil".

            KEY USAGE CODES

                 0 - preference is in effect for all possible key usages (default)
                 1 - encryption only
                 2 - decryption only
                 4 - signing only
                 8 - signature verification only
                16 - signing with message recovery only
                32 - signature verification with message recovery only
                64 - key wrapping only
               128 - key unwrapping only
               256 - key derivation only

            To specify more than one usage, add values together.

     get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]
            Get the preferred identity to use for a service.

            -s service      Specify service (may be a URL, RFC822 email address, DNS host, or other name)
            -u keyUsage     Specify key usage (optional)
            -p              Output identity certificate in pem format
            -c              Print common name of the preferred identity certificate
            -Z              Print SHA-1 hash of the preferred identity certificate

     create-db [-aho0] [-g dl|cspdl] [-m mode] [name]
            Create a db using the DL.  If name isn't provided security will prompt the user to type a name.

            Options:
            -a              Turn off autocommit
            -g dl|cspdl     Use the AppleDL (default) or AppleCspDL
            -m mode         Set the file permissions to mode.
            -o              Force using openparams argument
            -0              Force using version 0 openparams

            Examples

            security> create-db -m 0644 test.db

            security> create-db -g cspdl -a test2.db

     export [-k keychain] [-t type] [-f format] [-w] [-p format] [-P passphrase] [-o outfile]
            Export one or more items from a keychain to one of a number of external representations.  If
            keychain isn't provided, items will be exported from the user's default keychain.

            Options:
            -k keychain     Specify keychain from which item(s) will be exported.
            -t type         Specify the type of items to export. Possible types are certs, allKeys, pubKeys,
                            privKeys, identities, and all. The default is all. An identity consists of both
                            a certificate and the corresponding provate key.
            -f format       Specify the format of the exported data. Possible formats are openssl, bsafe,
                            pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pem-seq pemseq
                            seq if more than one item is being exported. The default is openssl if one key
                            is being exported. The default is x509 if one certificate is being exported.
            -w              Specifies that private keys are to be wrapped on export.
            -p              Specifies that PEM armour is to be applied to the output data.
            -P passphrase   Specify the wrapping passphrase immediately. The default is to obtain a secure
                            passphrase via GUI.
            -o outfile      Write the output data to outfile. Default is to write data to stdout.

            Examples

            security> export -k login.keychain -t certs -o /tmp/certs.pem

            security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12

     import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase] [options...]
            Import one or more items from inputfile into a keychain. If keychain isn't provided, items will
            be imported into the user's default keychain.

            Options:
            -k keychain     Specify keychain into which item(s) will be imported.
            -t type         Specify the type of items to import. Possible types are cert, pub, priv, ses-sion, session,
                            sion, cert, and agg. Pub, priv, and session refer to keys; agg is one of the
                            aggregate types (pkcs12 and PEM sequence). The command can often figure out what
                            item_type an item contains based in the filename and/or item_format.
            -f format       Specify the format of the exported data. Possible formats are openssl, bsafe,
                            raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can
                            often figure out what format an item is in based in the filename and/or
                            item_type.
            -w              Specify that private keys are wrapped and must be unwrapped on import.
            -x              Specify that private keys are non-extractable after being imported.
            -P passphrase   Specify the unwrapping passphrase immediately. The default is to obtain a secure
                            passphrase via GUI.
            -a attrName attrValue
                            Specify optional extended attribute name and value. Can be used multiple times.
                            This is only valid when importing keys.
            -A              Allow any application to access the imported key without warning (insecure, not
                            recommended!)
            -T appPath      Specify an application which may access the imported key (multiple -T options
                            are allowed)

            Examples

            security> import /tmp/certs.pem -k

            security> import /tmp/mycerts.p12 -t agg -k newcert.keychain

            security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain

     cms [-C|-D|-E|-S] [options...]
            Encode or decode CMS messages.
            -C              create a CMS encrypted message
            -D              decode a CMS message
            -E              create a CMS enveloped message
            -S              create a CMS signed message

            Decoding options:
            -c content      use this detached content file
            -h level        generate email headers with info about CMS message (output level >= 0)
            -n              suppress output of content

            Encoding options:
            -r id,...       create envelope for comma-delimited list of recipients, where id can be a cer-tificate certificate
                            tificate nickname or email address
            -G              include a signing time attribute
            -H hash         hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)
            -N nick         use certificate named "nick" for signing
            -P              include a SMIMECapabilities attribute
            -T              do not include content in CMS message
            -Y nick         include an EncryptionKeyPreference attribute with certificate (use "NONE" to
                            omit)
            -Z hash         find a certificate by subject key ID

            Common options:
            -e envelope     specify envelope file (valid with -D or -E)
            -k keychain     specify keychain to use
            -i infile       use infile as source of data (default: stdin)
            -o outfile      use outfile as destination of data (default: stdout)
            -p password     use password as key db password (default: prompt)
            -s              pass data a single byte at a time to CMS
            -u certusage    set type of certificate usage (default: certUsageEmailSigner)
            -v              print debugging information

            Cert usage codes:
                              0 - certUsageSSLClient
                              1 - certUsageSSLServer
                              2 - certUsageSSLServerWithStepUp
                              3 - certUsageSSLCA
                              4 - certUsageEmailSigner
                              5 - certUsageEmailRecipient
                              6 - certUsageObjectSigner
                              7 - certUsageUserCertImport
                              8 - certUsageVerifyCA
                              9 - certUsageProtectedObjectSigner
                             10 - certUsageStatusResponder
                             11 - certUsageAnyCA


     install-mds
            Install (or re-install) the Module Directory Services (MDS) database. This is a system tool
            which is not normally used by users. There are no options.

     add-trusted-cert [-d] [-r resultType] [-p policy] [-a appPath] [-s policyString] [-e allowedError] [-u
     keyUsage] [-k keychain] [-i settingsFileIn] [-o settingsFileOut] [-D] certFile
            Add certificate (in DER or PEM format) from certFile to per-user or local Admin Trust Settings.
            When modifying per-user Trust Settings, user authentication is required via an authentication
            dialog. When modifying admin Trust Settings, the process must be running as root, or admin
            authentication is required.

            Options:
            -d              Add to admin cert store; default is user.
            -r resultType   resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.
            -p policy       Specify policy constraint (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate,
                            pkgSign, pkinitClient, pkinitServer, eap).
            -r resultType   resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.
            -a appPath      Specify application constraint.
            -s policyString
                            Specify policy-specific string.
            -e allowedError
                            Specify allowed error (an integer value, or one of: certExpired, hostnameMis-match) hostnameMismatch)
                            match)
            -u keyUsage     Specify key usage, an integer.
            -k keychain     Specify keychain to which cert is added.
            -i settingsFileIn
                            Input trust settings file; default is user domain.
            -o settingsFileOut
                            Output trust settings file; default is user domain.
            -D              Add default setting instead of per-cert setting. No certFile is specified when
                            using this option

            Examples
                  security> add-trusted-cert /tmp/cert.der
                  security> add-trusted-cert -d .tmp/cert.der

   remove-trusted-cert [-d] [-D] certFile
          Remove certificate (in DER or PEM format) in certFile from per-user or local Admin Trust Settings.
          When modifying per-user Trust Settings, user authentication is required via an authentication dia-log. dialog.
          log. When modifying admin Trust Settings, the process must be running as root, or admin authenti-cation authentication
          cation is required.

          Options:
          -d              Remove from admin cert store; default is user.
          -D              Remove Default Root Cert setting instead of an actual cert setting. No certFile is
                          specified when using this option.

   dump-trust-settings [-s] [-d]
          Display Trust Settings.

          Options:
          -s              Display trusted system certs; default is user.
          -d              Display trusted admin certs; default is user.

   user-trust-settings-enable [-d] [-e]
          Display or manipulate user-level Trust Settings. With no arguments, shows the current state of the
          user-level Trust Settings enable. Otherwise enables or disables user-level Trust Settings.

          Options:
          -d              Disable user-level Trust Settings.
          -e              Enable user-level Trust Settings.

   trust-settings-export [-s] [-d] settings_file
          Export Trust Settings to the specified file.

          Options:
          -s              Export system Trust Settings; default is user.
          -d              Export admin Trust Settings; default is user.

   trust-settings-import [-d] settings_file
          Import Trust Settings from the specified file. When modifying per-user Trust Settings, user
          authentication is required via an authentication dialog. When modifying admin Trust Settings, the
          process must be running as root, or admin authentication is required.

          Options:
          -d              Import admin Trust Settings; default is user.

   verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-k keychain] [-n] [-L] [-l] [-e emailAddress]
   [-s sslHost] [-q]
          Verify one or more certificates.

          Options:
          -c certFile     Certificate to verify, in DER or PEM format. Can be specified more than once; leaf
                          certificate has to be specified first.
          -r rootCertFile
                          Root certificate, in DER or PEM format. Can be specified more than once. If not
                          specified, the system anchor certificates are used. If one root certificate is
                          specified, and zero (non-root) certificates are specified, the root certificate is
                          verified against itself.
          -p policy       Specify verification policy (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate,
                          pkgSign, pkinitClient, pkinitServer, eap, appleID, macappstore, timestamping).
                          Default is basic.
          -k keychain     Keychain to search for intermediate certs. Can be specified multiple times.
                          Default is the current user's keychain search list.
          -n              Avoid searching any keychains.
          -L              Use local certificates only. If an issuing CA certificate is missing, this option
                          will avoid accessing the network to fetch it.
          -l              Specifies that the leaf certificate is a CA cert. By default, a leaf certificate
                          with a Basic Constraints extension with the CA bit set fails verification.
          -e emailAddress
                          Specify email address for the smime policy.
          -s sslHost      Specify SSL host name for the ssl policy.
          -q              Quiet, no stdout or stderr.

          Examples

          security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -s store.apple.com

          security> verify-cert -r serverbasic.crt

   authorize [-updPiew] [right...]
          Authorize requested right(s).  The extend-rights flag will be passed by default.

          Options:
          -u              Allow user interaction.
          -p              Allow returning partial rights.
          -d              Destroy acquired rights.
          -P              Pre-authorize rights only.
          -l              Operate authorization in least privileged mode.
          -i              Internalize authref passed on stdin.
          -e              Externalize authref to stdout
          -w              Wait while holding AuthorizationRef until stdout is closed. This will allow client
                          to read externalized AuthorizationRef from pipe.

          Examples

          security> security authorize -ud my-right
                   Basic authorization of my-right.

          security> security -q authorize -uew my-right | security -q authorize -i my-right
                   Authorizing a right and passing it to another command as a way to add authorization to
                   shell scripts.

   authorizationdb read <right-name>

   authorizationdb write <right-name> [allow|deny|<rulename>]

   authorizationdb remove <right-name>
          Read/Modify authorization policy database. Without a rulename write will read a dictionary as a
          plist from stdin.

          Examples

          security> security authorizationdb read system.privilege.admin > /tmp/aewp-def
                   Read definition of system.privilege.admin right.

          security> security authorizationdb write system.preferences < /tmp/aewp-def
                   Set system.preferences to definition of system.privilege.admin right.

          security> security authorizationdb write system.preferences authenticate-admin
                   Every change to preferences requires an Admin user to authenticate.

   execute-with-privileges <program> [args...]
          Execute tool with privileges.  On success stdin will be read and forwarded to the tool.

   leaks [-h] [-cycles] [-nocontext] [-nostacks] [-exclude symbol]
          Run /usr/bin/leaks on this process.  This can help find memory leaks after running certain com-mands. commands.
          mands.

          Options:
          -cycles         Use a stricter algorithm (See leaks(1) for details).
          -nocontext      Withhold the hex dumps of the leaked memory.
          -nostacks       Don't show stack traces of leaked memory.
          -exclude symbol
                          Ignore leaks called from symbol.

   error [-h] [<error code(s)...>]
          Display an error string for the given security-related error code.  The error can be in decimal or
          hex, e.g. 1234 or 0x1234. Multiple errors can be separated by spaces.

ENVIRONMENT
     MallocStackLogging
              When using the leaks command or the -l option it's probably a good idea to set this environ-ment environment
              ment variable before security is started.  Doing so will allow leaks to display symbolic back-traces. backtraces.
              traces.

FILES
     ~/Library/Preferences/com.apple.security.plist

              Property list file containing the current user's default keychain and keychain search list.

     /Library/Preferences/com.apple.security.plist

              Property list file containing the system default keychain and keychain search list.  This is
              used by processes started at boot time, or those requesting to use the system search domain,
              such as system daemons.

     /Library/Preferences/com.apple.security-common.plist

              Property list file containing the common keychain search list, which is appended to every
              user's search list and to the system search list.

SEE ALSO
     certtool(1), leaks(1)

HISTORY
     security was first introduced in Mac OS X version 10.3.

BUGS
     security still needs more commands before it can be considered complete.  In particular, it should
     someday supersede both the certtool and systemkeychain commands.

Darwin                           March 1, 2012                          Darwin

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.

Feedback