Pragmatism in the real world

Syncing macOS Keychain certificates with Homebrew's OpenSSL

One of my clients runs their own Composer repository for some packages. It is hosted on an internal system whose TLS certificate is signed by an internal root CA. I installed the relevant certificates into my Keychain, but Composer still complained that it could not trust the certificate.

I use the Homebrew version of PHP, which links to Homebrew's OpenSSL, so I realised that OpenSSL wasn't looking at the Keychain at all, but at its own store, the cert.pem file in the OpenSSL directory. OpenSSL will tell you where that directory is if you run openssl version -d:

$ openssl version -d
OPENSSLDIR: "/usr/local/etc/openssl@1.1"

Apple provides the security command line to work with your keychain. You can use this to create a cert.pem file of every certificate in the keychain:

security find-certificate -a -p \
/System/Library/Keychains/SystemRootCertificates.keychain \
/Library/Keychains/System.keychain \
~/Library/Keychains/login.keychain-db > keychain_certificates.pem

However, this does not take into account your trust settings and so includes any certificates you have not trusted.

So the next step is to check each certificate with security verify-cert and add only the trusted ones to cert.pem. This requires splitting up the output of security find-certificate into individual certificates, which is a hassle!
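For anyone who wants to see what that splitting and checking looks like, here is an added example shell script (it is not from the original post and is not the openssl-osx-ca project's code). It splits the exported PEM bundle into one file per certificate, keeps only those that security verify-cert accepts under the SSL trust policy, and writes them to a cert.pem. The function names, the temporary directory layout and the sample bundle are assumptions chosen for illustration; the security flags used are -c (certificate file) and -p ssl (evaluate against the SSL/TLS policy, which honours your Keychain trust settings).

```shell
#!/bin/sh
# Added example, not part of the original post or of openssl-osx-ca.
# Function names and paths below are illustrative assumptions.

# split_pem BUNDLE OUTDIR
# Writes each BEGIN/END CERTIFICATE block in BUNDLE to OUTDIR/cert-N.pem
# and prints the number of certificates written. Text outside the markers
# (blank lines, attribute lines) is dropped.
split_pem() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = outdir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# openssl_dir_from_line LINE
# Extracts the directory from a line such as:
#   OPENSSLDIR: "/usr/local/etc/openssl@1.1"
openssl_dir_from_line() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# keep_trusted OUTDIR TARGET
# Appends every certificate in OUTDIR that passes `security verify-cert`
# under the ssl policy to TARGET and prints how many were kept. On a system
# without the macOS `security` tool nothing can be verified, so 0 are kept.
keep_trusted() {
    outdir="$1"
    target="$2"
    kept=0
    : > "$target"
    if ! command -v security >/dev/null 2>&1; then
        echo 0
        return 0
    fi
    for f in "$outdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        # -c: certificate file to check; -p ssl: evaluate against the
        # SSL/TLS trust policy, which applies the Keychain trust settings.
        if security verify-cert -c "$f" -p ssl >/dev/null 2>&1; then
            cat "$f" >> "$target"
            kept=$((kept + 1))
        fi
    done
    echo "$kept"
}

# sync_keychain_certs
# Exports the three keychains named in the post, filters them, and writes
# the trusted set to Homebrew OpenSSL's cert.pem. macOS only.
sync_keychain_certs() {
    target="$(openssl_dir_from_line "$(openssl version -d)")/cert.pem"
    work=$(mktemp -d)
    security find-certificate -a -p \
        /System/Library/Keychains/SystemRootCertificates.keychain \
        /Library/Keychains/System.keychain \
        ~/Library/Keychains/login.keychain-db > "$work/keychain_certificates.pem"
    split_pem "$work/keychain_certificates.pem" "$work/split" >/dev/null
    keep_trusted "$work/split" "$target"
    rm -rf "$work"
}

# Usage on a Mac: run `sync_keychain_certs`; it prints the number of
# certificates written to cert.pem.
```

Writing the whole set at once (rather than appending to the existing cert.pem) is deliberate: it means a certificate you later distrust in Keychain Access disappears from OpenSSL's store on the next run instead of lingering.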

Fortunately someone else has done the work for us!

James Tucker has created openssl-osx-ca.

To use:

$ brew tap raggi/ale
$ brew install openssl-osx-ca
$ brew services start openssl-osx-ca

Now your Homebrew OpenSSL certificate store will be automatically synced from your Keychain every hour.

Job done!