Remove private key from Mac OS X keychain using Terminal
I've imported a developer identity (certificate + private key) for iOS development to a keychain using the "security" Terminal application with the command

security import identity.p12 -k <keychain> -P <passphrase>

This imports both items included in the p12 file, certificate and private key, into the given keychain. I forgot to specify -T /usr/bin/codesign, however, which adds the codesign application to the access list of the private key. I've tried to add the codesign app to the access list to no avail:

  • I've tried to re-import the identity with the added parameter but that does not seem to change the access list of the private key.
  • I've also tried deleting the certificate from the keychain using security delete-certificate and re-importing. This does not change the access list of the private key.

Since I only have ssh access to the machine, using the Keychain GUI application won't work. Therefore I'm looking for a way to delete the private key from the keychain (so that I can re-import the identity afterwards). I've checked the man page of the security tool but did not find a means to delete a private key.

Is there any way you can remove a private key from a keychain using Terminal commands only (as I do only have ssh access to the machine in question)?

Rideout answered 6/10, 2011 at 17:17 Comment(0)
There are several keychains on your system:

sudo security list-keychains
"/Users/JonDoe/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"

I think you imported it into the System-Keychain: First make a backup of your System Root Certificates before making any changes (or any other keychain you choose):

cd /System/Library/Keychains/
sudo cp SystemRootCertificates.keychain SystemRootCertificates.keychain.old

List all keychains / all certificates in your keychain:

ls -l /System/Library/Keychains/
sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

With the second command each certificate of the keychain is shown. Identify the certificate you want to remove. Then remove the certificate with the following command:

sudo security delete-certificate -Z <SHA-1 hash of certificate> /System/Library/Keychains/SystemRootCertificates.keychain

Alternative:

sudo security delete-certificate -c <common name of certificate> /System/Library/Keychains/SystemRootCertificates.keychain

That's all. Now you can import your certificate again. In case of an error, you can restore your keychain with the following command:

sudo security import certificate_files_backup -k /System/Library/Keychains/SystemRootCertificates.keychain -t cert
Finisterre answered 12/10, 2011 at 15:42 Comment(6)
Thanks for the very detailed answer! I've not imported the identity into the System-Keychain but into the Login-Keychain - just as I intended. The only thing I did not do correctly was specify the -T /usr/bin/codesign flag during import. I've already tried the delete-certificate subcommand but it only deletes the certificate, not the private key. Therefore, the -T flag is ignored upon a re-import since the private key is still contained in the keychain. Does this clarify the situation?Rideout
After trying around a bit I think it would be the best solution to export all keys and certificates from the keychain, delete it and reimport them all. Indeed I could not find a shell-command to remove a private key. Have you tried to give the "delete-certificate"-option the SHA-1 Hash of the key?Finisterre
I've tried deleting the certificate to which the private key belongs. This works but as soon as the code signing identity is imported again, the old access permissions are granted to the private key.Rideout
I'm able to delete the certificate via the -c (common name of certificate) but not the private key, I don't know how to target it. How did you do that?Homoiousian
How can I get the SHA-1 hash or common name of a cert (I have the p12 file)?Bart
This is only helping with the certificate - it does not remove the private key. How to delete a private-key? I found no command for this in the 'security' tool.Parhe
You can delete the certificate and key by running a command in the terminal:

sudo security delete-identity -Z "SHA-1"

or

sudo security delete-identity -c "CommonName"

At the beginning I thought it removes only the key, but in fact it removes the certificate too (you just need to close the keychain completely and open it again to see the changes - if you are verifying it with GUI).

From man security:

     delete-identity [-h] [-c name] [-Z hash] [-t] [keychain...]
        Delete a certificate and its private key from a keychain.  If no keychain arguments are provided, the default search list is used.

        -c name         Specify certificate to delete by its common name
        -Z hash         Specify certificate to delete by its SHA-1 hash
        -t              Also delete user trust settings for this identity certificate

You may need to unlock the keychain first (from man security):

 unlock-keychain [-hu] [-p password] [keychain]
        Unlock keychain, or the default keychain if none is specified.
Feme answered 17/10, 2018 at 13:21 Comment(0)
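Putting the two answers together, here is an added shell example (not code from the question or from either answer) that does the whole round trip over ssh: it derives the SHA-1 hash and the common name from the .p12 file with openssl, which is what the comments on the first answer were asking for, removes the identity (certificate and private key) with `delete-identity`, and re-imports it with `-T /usr/bin/codesign`. The .p12 path, the keychain path and the `P12_PASSPHRASE` variable are placeholders; `find-identity` at the end is there only to confirm the result.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Finds the SHA-1 hash and common name that `security delete-identity`
# accepts (-Z / -c) from the .p12 bundle, removes the identity (certificate
# AND private key), and re-imports it with codesign on the key's access list.
# Placeholders: the .p12 path, the keychain path and P12_PASSPHRASE.
set -eu

# openssl prints "SHA1 Fingerprint=AB:CD:..."; `security -Z` wants the bare
# 40 hex digits. Strip the label and the colons.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Pull CN out of an RFC2253-style subject line ("subject=CN=...,OU=...").
# Note: a comma inside the CN would be escaped as "\," and cut this short.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Export only the client certificate from the .p12 (the key stays inside
# the bundle) as PEM for `openssl x509`.
# Add `-legacy` to the pkcs12 call if OpenSSL 3 rejects an old RC2 bundle.
p12_cert_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null
}

cert_hash_from_p12() {
    normalize_fingerprint "$(p12_cert_pem "$1" "$2" | openssl x509 -noout -fingerprint -sha1)"
}

cert_cn_from_p12() {
    extract_cn "$(p12_cert_pem "$1" "$2" | openssl x509 -noout -subject -nameopt RFC2253)"
}

main() {
    p12="$1"                                              # placeholder path
    keychain="${2:-$HOME/Library/Keychains/login.keychain}" # placeholder path
    pass="${P12_PASSPHRASE:-}"

    hash=$(cert_hash_from_p12 "$p12" "$pass")
    cn=$(cert_cn_from_p12 "$p12" "$pass")
    echo "identity: CN=$cn SHA-1=$hash"

    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found: the keychain steps only run on macOS" >&2
        return 1
    fi

    # Unlock first (prompts for the keychain password), then delete the
    # identity by hash so the stale private key goes with the certificate.
    security unlock-keychain "$keychain"
    security delete-identity -Z "$hash" "$keychain"

    # Re-import; this time codesign is added to the private key's ACL.
    security import "$p12" -k "$keychain" -P "$pass" -T /usr/bin/codesign

    # Confirm the identity is back and usable for code signing.
    security find-identity -v -p codesigning "$keychain"
}

# Run only when a .p12 path is given, so the helpers can be sourced on
# their own (e.g. on a Linux box, where `security` does not exist).
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Invoke it as `P12_PASSPHRASE='...' sh reimport_identity.sh identity.p12 ~/Library/Keychains/login.keychain`. The two string helpers are pure sed/tr and can be checked anywhere; the openssl step only reads the certificate half of the bundle, so the private key is never written to disk in the clear.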
