Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Using custom or self-signed certificates in Safari Web Browsers
The Safari browser disallows SSL access to websites with certificates that are not signed by well known authorities. In order to browse these sites via SSL, one needs to add the web server certificate (or CA root certificate) to the global keychain. This is fairly straightforward.

Get a hold of the certificate you want to add in either PEM or DER format. Copy the file /System -> Library -> Keychains -> X509Anchors to your own Library -> Keychains. In the Terminal, run the command:
 % certtool i mycertificate.crt k=X509Anchors 
(you need to add a "d" at the end for DER format).

Now copy your Library -> Keychains -> X509Anchors back to /System -> Library -> Keychains. You will need to use sudo to make this work. Restart Safari and all is well.

[Editor's note: I have not tested this myself.]
  • Currently 3.00 / 5
  You rated: 3 / 5 (5 votes cast)

Using custom or self-signed certificates in Safari | 38 comments | Create New Account
Click here to return to the 'Using custom or self-signed certificates in Safari' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Easier way
Authored by: stewby on Jan 24, '03 10:41:31AM

The easier way is to enable the Debug menu (there was a hint about it earlier), then select Security->Performs Lax Certificate Checks. Then it will accept self-signed certificates.

[ Reply to This | # ]
Another way...
Authored by: NoahD on Jan 24, '03 10:43:13AM

You can also temporarily allow self-signed certs by enabling the Debug menu and selecting "perform lax certificate checks" from the security submenu in the debug menu. This only lasts for that browser session, though; it's not preserved between restarts.

[ Reply to This | # ]
Message to the EDITOR!
Authored by: Syncopator1 on Jan 24, '03 11:26:19AM

The original posting in this thread says:

> This is fairly straightforward.
> Get a hold of the certificate you want to add in either PEM or DER format.

Straightforward? Exactly how does one "get a hold" of such a certificate? And what are "PEM" and "DER" formats?

It would be *greatly* appreciated if, in your editor's notes, you could elaborate on items like this. (My frustration is with the original poster, not with you. It's infuriating that these guys assume that readers will know what that terminology means.)

Not everyone who reads this site is a programmer. Some of us are Power Users in the more traditional sense -- willing to dig into these nooks and crannies, but not necessarily trained nor experienced enough to know all of the cryptic jargon. PLEASE either discourage these presumptuous messages or at least be sure to clarify them with your comments. Thank you. :-)

[ Reply to This | # ]
My response...
Authored by: robg on Jan 24, '03 12:50:40PM

Here's a slightly trimmed summary (edited just to correct references to this thread) response I just emailed back...

The problem is that, despite my best efforts, I simply can't know everything about every topic. I am also not a programmer. I also can't assume a level of knowledge of the typical user -- sure, maybe I should have dug into this one a bit, but then where do I draw the line at stuff that needs further clarification? Drag and drop? Pasting icons? Explaining "cd"? But that's the beauty of the Geeklog system -- if you don't understand something, you can post a comment requesting clarification -- that's why the comment system is in place, to let everyone with differing abilities interact.

I'd love to be able to spend the time to completely edit, correct, clarify, expand, and explain every hint, but the reality is that that's just not possible if I actually want to get hints online, hold onto my day job, and spend time with the family. So I've chosen to use a system that lets the readers help clarify, correct, and expand on posted hints ...

Relative to this post in particular, I have no idea what these things are, where to look for them, or how to get them. But I also have no interest in the topic, so when I read it on the site (and I do read the site after posting the hints), I just skip it ... but if you do have interest, please, by all means, either use the author's email link (click on their name then click on Send Email) to send them questions in private, or just post your question as a comment. More than likely, someone that does know will respond and you'll have the answer you seek.


[ Reply to This | # ]
Message to the EDITOR!
Authored by: VEGx on Jan 24, '03 01:17:12PM

So can anyone explain it?

[ Reply to This | # ]
Authored by: Bottacco on Jan 27, '03 07:37:03AM

Rob, I know you are a very busy man, but the other guys reading this article could have looked it up. I didn't know anything about all this terms before reading this article, but I has taken me less than a minute to find the answer and I am not a native English speaker. Internet is great... if you use it. So, come on guys, fire up those browsers and make those search engines crunch some databases.

Ok, here is an straightforward explanation for PEM, DER and other formats:

Certificate And Key Formats

PEM - Can contain all of private keys (RSA and DSA), public keys (RSA and DSA) and (x509) certificates. It is the default format for OpenSSL. It stores data Base64 encoded DER format, surrounded by ascii headers, so is suitable for text mode transfers between systems.

DER - Can contain all of private keys, public keys and certificates. It stored according to the ASN1 DER format. It is headerless - PEM is text header wrapped DER. It is the default format for most browsers.

PKCS#12 - Also known as PFX files. Can contain all of private keys, public keys and certificates. It stores in a binary format. See <> for more information on the format, and its support in OpenSSL


I hope this helps.


[ Reply to This | # ]
Authored by: below on Jan 27, '03 08:14:00AM

Hopefully this evening I will post a step-by-step guide of importing a self-made certificate. Right now it does not seem to work with my own, but I am working on it.

Hang on!


[ Reply to This | # ]
Message to the EDITOR!
Authored by: Cormacolinde on Jan 28, '03 03:51:53PM

This is the kind of hint that targets some people with a specific need. If you don't know what a private certificate is, then you don't need to understand the hint. People targeted by this actually KNOW what that is and will understand the hint.

The point is that you have no reason to actually want a private certificate, or you would have one to use and know about it.

It's like someone without a car who sees an ad for tires and doesn't understand the tire size information. If he asks which tire size he needs, you'll simply tell him that it doesn't matter, because he doesn't have a car.

Same thing here, it doesn't matter that you don't understand what importing certs is about, because you don't have one to import.

[ Reply to This | # ]
Message to the EDITOR!
Authored by: lsloan on Jan 30, '03 10:25:20AM

Okay, so you're trying to say that if a reader doesn't understand a hint, they probably don't need to use that hint, right? I respectfully disagree.

There are good reasons why somebody who is basically clueless about self-signed certificates, PEM, and DER formats would want or need to add certificates to their keychain. For example, where I work, secure websites that are under development use self-signed certificates created locally. When we invite users to test these websites, we don't know which OS or web browser they will be using. Until a few people pointed out how to do this, people who used Safari couldn't test those websites.

I don't fault either the original poster of this hint or the editor for not knowing how much detail should have been given. However, I do think that the first person to respond to the hint should have remained calm and politely asked for more information.

[ Reply to This | # ]
Message to the EDITOR!
Authored by: professor on Apr 05, '03 11:38:06AM

If you are going to start adding CA Certs to you keychain, then you must have received instructions as to where to download the (PEM or DER formatted) Certificate, and you bloody well should know how to check the MD5 fingerprint of the Certificate, etc.

If you don't know what the words in the above paragraph mean (or, at least, if you have not received explicit, detailed step-by-step instructions), then you shouldn't be adding CA Certs to you keychain.

It takes only a minute or two to do a Google search to find out what all of the above means. This is not an undue burden on the reader(s) of this hint.

[ Reply to This | # ]
Message to the EDITOR!
Authored by: mikemcc on Jul 14, '03 04:29:12PM

As a developer and administrator of internal applications, I am too cheap to spring for a Verisign or Thawte certificate. I therefore assume the responsibility of establishing the trust relationship that the certificate implies.

I use a self-signed CA to sign the certs which protect many of the internal applications at my company. Working with the Windows administrators, it was relatively easy to push out the CA certificate to Windows desktops, which are now completely happy with internal SSL enabled apps.

Hopefully my soon-to-be-purchased OS X server will permit similar remote administration gains for the Mac users at my company. Until then, I will perform this certification manually, on an as-needed basis, using local admin accounts on the target hosts.

It would be a complete waste of time to explain the inner workings of public key cryptography to the information architects, designers, and production artists who use Mac OS X to access secure intranet sites at my company. The information imparted would not help them to do their primary jobs, the jargon-filled conversation would annoy them, and I would still need to perform the commands myself, just so that I could test and verify correct behavior. It will be quicker, less painful, and more professional for me to handle that issue myself.

[ Reply to This | # ]
debug /lax certificates at each launch
Authored by: smkolins on Jan 24, '03 12:05:45PM

I agree the debug menu let's you enable lax certificate checking... but you need to enable it on each launch.... how do you make it a default?!

[ Reply to This | # ]
debug /lax certificates at each launch
Authored by: maged on Jan 24, '03 03:05:57PM
NOT a good idea. Wow, the amount of *REALLY* insecure advice/comments people make on these boards is scary.

MITM attack (Monkey in the Middle). Is used to hijack SSL sessions. Someone basically makes their own fake cert and acts as a proxy between you and the "secure" server you think you are talking to. Your browser tells you that you are connecting via SSL. Meanwhile, the MITM is seeing everything that goes by in the clear.

Enabling lax cert checks, and you won't even notice what is happening... especially since the checks are lax for *all* https sessions.

[ Reply to This | # ]
debug /lax certificates at each launch
Authored by: stewby on Jan 25, '03 12:33:21AM

Clearly you wouldn't want to leave it on all the time; I never suggested you should. But for those who want to use Safari until Apple improves certificate handling, it's nice to know how to temporarily lower security levels enough to actually reach a site you want to get to.

[ Reply to This | # ]
Custom Certs with Passwords?
Authored by: Tastannin on Jan 24, '03 12:14:39PM

What about custom certificates that require a password to restore to the system?

[ Reply to This | # ]
What is a .pem or .der?
Authored by: sharumpe on Jan 24, '03 01:50:21PM

I think the big confusion here is that this may not be a "general user" hint. If you don't know what a .pem file is, you probably haven't come across the problem that this hint is meant to solve.

.pem and .der files are two ways of storing SSL certificates. Most people are viewing sites that use an SSL certificate signed by Verisign or another major vendor. The case where this comes in handy is when you are using self-signed certificates, meaning that you generated them yourself or in conjunction with an unofficial source.

For example, my employer uses self-signed certificates for internal projects and sites that do not do monetary transactions. We use it for securing logins and encrypting some other sensitive data. These certificates are using our own "certificate authority (or CA)", so any time I want to view one of those pages, I have to do to the debug menu bit. Annoying.

This hint allowed me to put our CA certificate (the one that has signed all of the other certificates) into the keychain, so now Safari inherently recognizes these certificates.

I don't know if that helped, but I hope so.

Mr. Sharumpe

[ Reply to This | # ]
Okay, how do you obtain the cert?
Authored by: 47ronin on Jan 24, '03 03:53:29PM

It's not a bad thing that people want to know HOW to get the self-signed certs... can anyone now please explain the procedure? I have self-signed certs for Webmin and I can't use Safari for server setup until I can export the cert. Thanks in advance.

[ Reply to This | # ]
Okay, how do you obtain the cert?
Authored by: maged on Jan 24, '03 04:19:59PM
Webmin FAQ #14 Does this help? Haven't tried webmin on OS X yet, but the std UNIX distribution puts the cert under:
Could also search your drive for *.pem or *.der

[ Reply to This | # ]
Okay, how do you obtain the cert (part 2)?
Authored by: maged on Jan 24, '03 04:44:19PM
Sorry, I hit submit before finishing... if you are running SSL to your own apache server, then on the server check under /etc/httpd. Normally it will be installed under a directory under here (e.g. "ssl').

You can also check the httpd.conf text file in the same directory above--search for:

You should find something like:
SSLCertificateFile /etc/httpd/ssl/cert-2001.pem

SSLCertificateKeyFile /etc/httpd/ssl/privkey-2001.pem

See also Marc Liyanage's help page on Apache mod_ssl on OS X

[ Reply to This | # ]
RE: Okay, how do you obtain the cert?
Authored by: clarkcb on Jan 24, '03 04:33:01PM

If you are using IE on a PC (sorry, this is the only one I know), the process is:

1. Select Internet Options from the Tools menu in IE
2. Select the Content tab
3. Click the Certificates button
4. Click the Advanced... button and verify that the Export format is defined as "DER encoded binary...". Click OK.
5. Drag the certificate you want to export to your desktop. This creates a .DER-encoded .cer file on your desktop that you will import from.
6. Assuming the file is named "MyCert.cer", copy this file to your home directory on your Mac (via a Samba share or scp; there are other hints that explain these), then run the following in Terminal (in your home directory, which is what Terminal starts in):

% certtool i MyCert.cer k=X509Anchors d

Hope this helps.

[ Reply to This | # ]
Follow-up question
Authored by: clarkcb on Jan 24, '03 03:58:29PM

Hey, thanks for this hint. I posted a question about this on the forums site just the other day.

A follow-up question: if there is already a file in ~/Library/Keychains named the same as my username do I still need to copy the X509Anchors file from /System/Library/Keychains, or should I skip this step, and just import the certificate and copy the file back to /System/Library/Keychains, replacing the X509Anchors file there (after having backed up the original, of course)?

I tried this because I noticed after importing the certificate that the file with my username had updated, but copying this file back to the system location doesn't appear to work, nor does the original hint. Any supplemental info is greatly appreciated!

[ Reply to This | # ]
Follow-up question
Authored by: clarkcb on Jan 24, '03 04:02:48PM

Ooops, if I had paid a little closer attention to your instructions I would have realized that the destination filename is specified with the k option. I'll give that a try.

[ Reply to This | # ]
Is there any way to import/convert a PKCS12 cert?
Authored by: taw123 on Jan 24, '03 08:51:51PM

Is there any way to import/convert a PKCS12 cert (generated in something like Mozilla, though it shouldn't matter how and where I create/backup the cert). I ideally want to import it into the Keychain for use with Safari as the original poster suggested.

Thanks for any suggestions.


[ Reply to This | # ]
i believe that openssl can do this
Authored by: simonlok on Jan 27, '03 11:21:54PM

you just need to read the man page and figure out the right command line options. man openssl. man pkcs12.


[ Reply to This | # ]
use openssl.
Authored by: adamshand on Oct 21, '03 04:39:30PM
Here's the command to do it the other way around (kep in my tips file. Should be fairly simple to do it the other way around.
# openssl pkcs12 -export -in  -out 

[ Reply to This | # ]
man in the middle attacks
Authored by: smkolins on Jan 27, '03 08:27:37AM

Sure you will notice them. It tells you the origin does not match the last place it came from - i know because i had to change a certificate on one of my servers and i had to clean out the certificate I already accepted.

What official certificates get you is that you can trust the source is willing to declare itself to a thrid party registry agency. But it's my server, so i trust myself, ya know?

[ Reply to This | # ]
Authored by: nicksay on Jan 27, '03 02:22:47PM

Just a note for some looking to do this...

My organization runs their own Certificate Authority (CA) and issues digital certificates, like the poster's situation above. These are used for intra-organization identity verification and secure network links, and the such.

However, downloading the necessary certificates from my organization results in .cer files, which didn't (intuitively) fit with the DER/PEM formats discussed above. A bit of research proved me wrong, though, and it seems that some CAs choose to use the "cer" extension when issuing certificates in the DER format. I followed the commands for DER formatted certificates (including that 'd' at the end), and everything worked as promised.

So, in summary, CER files are just DER files with a different extension and will work just fine.

[ Reply to This | # ]
wow... never thought I would be flamed for trying to help
Authored by: simonlok on Jan 27, '03 11:17:43PM

Well... here is an attempt at watering down the tip.... hopefully this will help and I won't get even more flames for trying again.

First you kind of have to understand the concept of certificates. Each web server has a public key and private key. The private key is generally only accessible to the server administrators (and of course to the httpd process). The public key is supposed to be accessible to anyone. When you "sign" a public key, it becomes a certificate. Remember that a digital signature is nothing more than encrypting a hash with a private key so that anybody can "decrypt" it (called verification in this case) with the corresponding public key. The thing you need to keep in mind is who's private key is used in the signing... for web servers this is generally the private key of the certificate authority.

Most people use "well known" certificate authorities (e.g. Verisign or Thawte). However, this concept of being a "well known" certificate authority is arbitrary. Often this comes down to money. If you have a million bucks, you can pay Microsoft to have your personal public key included by default with Internet Explorer. Thus you become "trusted." This has absolutely nothing to do with you, everything to do with status quo. People like Verisign have made serious mistakes before by signing public keys of random people claiming to be big names (e.g. Microsoft).

Some technically savvy organizations have realized this is all a big scam, so they setup their own "certificate authority." For example, check out It is very easy to setup your own ca. You literally just run openssl and say "make me a keypair." All keypairs are technologically created equal (assuming algorithmic and key strength parity). The difference is primarily in policy. You "designate" this to be you "CA" key pair. Then you run the same openssl command to create a keypair for each secure server. You can then use openssl to "sign" each webserver keypair with your "CA" keypair. Want to know exactly what the commands are? Read this:

Okay, so now enters Safari. How the hell do you make this all work. Well, you need access to the CA public key. Where do you get that you ask? Well, it needs to be published by the administrator. This is usually on a website, with a phone number for you to call to verify the fingerprint over the phone or something like that. See the ColumbiaCA website above for an example. This public key typically comes in PEM or DER format. PEM format is the default openssl format, but unfortunately our friends are Microsoft do not allow PEM to be imported into IE for Mac easily. DER on the other hand imports easily, but it's a binary format and that sucks because, well, it's a binary format.

I hope this helps. I hope I don't get any more flames for trying to help. Anyway, good luck.


[ Reply to This | # ]
wow... never thought I would be flamed for trying to help
Authored by: bts on Mar 21, '03 12:26:46PM

Thanks for the pointer; this works fine for Safari, but I'm looking for information on how to add root certificates to, Camino, and other programs using the SecureTransport framework. Any ideas?

[ Reply to This | # ]
Not working?
Authored by: hallow on Feb 03, '03 09:41:13PM

I just did a completely fresh system install, installed safari and a few other apps, and the command given above does not seem to work (it worked on my previous install):

certtool i my.crt k=X509Anchors
SecKeychainGetDLDBHandle returned -25294

[ Reply to This | # ]
Not working?
Authored by: bts on Mar 21, '03 12:20:38PM

This means you didn't copy the X509Anchors file into your ~/Library/Keychains/ directory.

[ Reply to This | # ]
Not working
Authored by: ryandesign on Dec 17, '03 10:03:29AM

I also get this error, and I did copy the X509Anchors file to ~/Library/Keychains/

[ Reply to This | # ]
self-signed certificates not working in Safari 1.0
Authored by: jamesreynolds on Aug 11, '03 12:20:13PM

I tried this hint with Safari 1.0 (v85) and it does not appear to work. I know I followed the steps correctly because I can open the X509Anchors keychain and view the certificate in KeyAccess. But moving the X509Anchors keychain to /System/Library/Keychains does nothing for Safari. Anyone else notice this?

[ Reply to This | # ]
No need to copy
Authored by: Morth on Oct 10, '03 02:55:52AM

Just lauch Keychain Access and choose Add keyring... from the File menu. Then go to /System/Library/Keychains and add the X509Anchors file and you can edit it directly (after entering an admin password).

Also worth to notice is that this is the only place root certificates can be to be valid. In 10.3 Mail will have the possibility to sign with certificates, but only if you have the root certificate installed. Once you have that you create a private key and a certificate with your email in the subjectAltName. Then you import them with certtool i and you're ready to go.

Certificates takes some trying and failing to learn, it's not something for the casual user. Typically it's not that useful to make your own root certificate, as you can only use it with others who have the same one, which means they must trust you not to trick them (because you can if they have your root certificate installed).

[ Reply to This | # ]
Using custom or self-signed certificates in Safari
Authored by: spacehaven on Oct 20, '03 05:49:32PM
Also, if you need an importable self-signed CA certificate for a particular site, and you happen to have access to a Microsoft Windows box, do this:
  1. Open IE and navigate to the site. You'll get a "Security Alert" warning. Choose "View Certificate"
  2. In the Certificate window that pops up, select the "Details" tab, and click on the "Copy to File" button.
  3. A "Certificate Export Wizard" window will appear. Follow the instructions in the wizard. I exported it as a Base-64 encoded X-509 certificate, but I'm sure DER would work as well. Finally choose a filename and location to save it.
  4. Copy the resulting .cer file to your mac box and install according to the original hint.
I'm sure there's an easier way to scrape the certificate from the web server without windows, but I can't find an option in Safari, Camino, or Mac IE. If I come across an OSX-only way, I'll post it here.

[ Reply to This | # ]
Using custom or self-signed certificates in Safari
Authored by: Crawdad on Nov 12, '03 10:20:28AM

You can get the self-signed certificate of a server using openssl in a Terminal window. If the server is "servername" and using the default HTTPS port of 443, do this:

openssl s_client -connect servername:443 -showcerts

Then copy & paste the lines from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----" *inclusive* into a file and save it (as plain text, of course). This will be a "PEM format" certificate file.

[ Reply to This | # ]
Using custom or self-signed certificates in Safari and
Authored by: e72172 on Jan 20, '04 08:43:09PM

After downloading the root CA from MS Certificate Server, I used the following command in Terminal to add my company's CA to the existing X509Anchors file (certnew.cer is the exact cert download from the MS cert server):

sudo certtool i certnew.cer d k=/System/Library/Keychains/X509Anchors

and to verify the cert in the system X509Anchors file:

certtool y k=/System/Library/Keychains/X509Anchors

Now no longer complains about unknown signer for secure IMAP and SMTP connections.

Note: there is also a /System/Library/Keychains/X509Certificates which seems to hold mostly US .mil certs and FR (French gov?) certs.

[ Reply to This | # ]
How to get a Remote Site's Certifate with Safari!
Authored by: Patchsmyle on Oct 31, '05 06:00:17AM

Ok, i have read through all of the threads, and I noticed one thing was never answered by any one. How do you get the Self Signed CA certificate of a remote website using a MAC. Well the answer (At least for Tiger Safari) is VERY easy, but not intuitive.

1. Navigate to the website you wish to get the certificate from.
2. When the 'Root certificate is not valid' sheet appears, click on the "Show Certificate" button.
3. Press and hold the OPTION key. While holding down the option key, click and drag the certificate icon to your desktop.

Tada.. you now have your Self Signed non-verified remote host Certificate in .pem format!


[ Reply to This | # ]