How to delete or untrust all root certificates in OSX?

Question

In Keychain Access it looks like you can only untrust/delete certificates one at a time.

But there are a lot of certificates I want to get rid of. How can I take care of them all at the same time?

Also, what are the minimum certificate requirements? Is it possible to make the system unusable by untrusting a certificate?

score 3 · Answer 1 · edited Apr 13 '17 at 12:45

3

If You want to change set of system root certificates, they are in /System/Library/Keychains/. Example of using security there is in this answer to similar question.

edited Apr 13 '17 at 12:45

Community

1

answered Nov 01 '12 at 13:54

koli

31

score 2 · Answer 2 · answered Jun 01 '12 at 21:10

2

You can script keychain events from the command line with the security command. On Lion and earlier, the worst that will happen if you delete all the system roots is you won't be able to run software update or use iTunes and other applications that interface with secure web services.

It might be easier just to make a keychain file you like and shove that in place of the ones Apple provides and watch for changes when you do apply software updates.

answered Jun 01 '12 at 21:10

bmike

235,889

security list-keychain doesn't list the system roots keychain. How can I access that? Is it OK to delete everything in there? – z-buffer Jun 02 '12 at 23:16

How to delete or untrust all root certificates in OSX?

2 Answers2