Remove private key from Mac OS X keychain using Terminal

[亡魂溺海] submitted on 2019-12-02 20:21:06

There are several keychains on your system:

sudo security list-keychains
"/Users/JonDoe/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"

I think you imported it into the System keychain. First make a backup of your System Root Certificates keychain (or any other keychain you choose) before making any changes:

cd /System/Library/Keychains/
sudo cp SystemRootCertificates.keychain SystemRootCertificates.keychain.old

List all keychains / all certificates in your keychain:

ls -l /System/Library/Keychains/
sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

With the second command each certificate of the keychain is shown. Identify the certificate you want to remove. Then remove the certificate with the following command:

sudo security delete-certificate -Z <SHA-1 hash of certificate> /System/Library/Keychains/SystemRootCertificates.keychain

**alternative:**

sudo security delete-certificate -c <common name of certificate> /System/Library/Keychains/SystemRootCertificates.keychain

That's all. Now you can import your certificate again. In case of an error, you can restore your keychain with the following command:

sudo security import certificate_files_backup -k /System/Library/Keychains/SystemRootCertificates.keychain -t cert

You can delete certificate and key by running a command in the terminal:

sudo security delete-identity -Z "SHA-1"

or

sudo security delete-identity -c "CommonName"

At the beginning I thought it removes only the key, but in fact it removes the certificate too (you just need to close the keychain completely and open it again to see the changes, if you are verifying it with the GUI).

From man security:

     delete-identity [-h] [-c name] [-Z hash] [-t] [keychain...]
        Delete a certificate and its private key from a keychain.  If no keychain arguments are provided, the default search list is used.

        -c name         Specify certificate to delete by its common name
        -Z hash         Specify certificate to delete by its SHA-1 hash
        -t              Also delete user trust settings for this identity certificate

You may need to unlock the keychain first (from man security):

     unlock-keychain [-hu] [-p password] [keychain]
        Unlock keychain, or the default keychain if none is specified.
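Both answers above describe the same sequence by hand: back up the keychain, list its certificates, pick the one you mean, delete it by SHA-1 hash (or common name). The script below is an added example, not code from either answer. It wraps that sequence in shell functions and includes a small parser for the text that `security find-certificate -a -Z` prints on macOS, so that a label can be resolved to exact hashes before anything is deleted. The function names (`hashes_for_label`, `remove_cert_by_label`, `sample_dump`), the label "Example Internal CA" and the all-ones/twos/threes hashes are constructed for illustration; `sample_dump` is a constructed stand-in for real `find-certificate` output so the parser can be exercised on any machine, while `remove_cert_by_label` only works where the macOS `security` tool exists.

```shell
#!/bin/sh
# Added example (not from the original answers). It automates the answers'
# sequence for one keychain: back up the keychain file, find the SHA-1 hash
# of every certificate whose label matches exactly, then delete by hash.
# The parser consumes the text that `security find-certificate -a -Z` prints
# on macOS; sample_dump is constructed input so the parser can be exercised
# on a machine without /usr/bin/security.

# Print the SHA-1 hash of each certificate whose "labl" attribute equals $1.
# Reads a find-certificate dump on stdin. Exact match on purpose: a
# substring match could pull in an unrelated certificate with a similar name.
hashes_for_label() {
    awk -v want="$1" '
        /^SHA-1 hash:/ { hash = $3; next }
        index($0, "\"labl\"<blob>=") > 0 {
            s = substr($0, index($0, "=\"") + 2)   # text after the opening quote
            sub(/[ \t]+$/, "", s)                   # trailing whitespace
            s = substr(s, 1, length(s) - 1)         # drop the closing quote
            if (s == want) print hash
        }'
}

# Back up the keychain, then delete every certificate carrying the label.
# Deleting by -Z hash rather than -c name means only the certificates we
# actually listed are removed. Needs sudo for keychains under /Library or
# /System/Library, and only works where the macOS security tool exists.
remove_cert_by_label() {
    label=$1
    keychain=$2
    cp "$keychain" "$keychain.$(date +%Y%m%d%H%M%S).bak" || return 1
    security find-certificate -a -Z "$keychain" |
        hashes_for_label "$label" |
        while read -r h; do
            security delete-certificate -Z "$h" "$keychain"
        done
}

# Constructed sample of find-certificate -a -Z output (placeholder hashes,
# not real certificates): two entries share a label, one does not.
sample_dump() {
cat <<'EOF'
SHA-1 hash: 1111111111111111111111111111111111111111
keychain: "/Library/Keychains/System.keychain"
version: 512
class: 0x80001000
attributes:
    "alis"<blob>="Example Internal CA"
    "labl"<blob>="Example Internal CA"
SHA-1 hash: 3333333333333333333333333333333333333333
keychain: "/Library/Keychains/System.keychain"
version: 512
class: 0x80001000
attributes:
    "alis"<blob>="Other CA"
    "labl"<blob>="Other CA"
SHA-1 hash: 2222222222222222222222222222222222222222
keychain: "/Library/Keychains/System.keychain"
version: 512
class: 0x80001000
attributes:
    "alis"<blob>="Example Internal CA"
    "labl"<blob>="Example Internal CA"
EOF
}

# Dry run against the constructed sample: prints the two matching hashes.
sample_dump | hashes_for_label "Example Internal CA"
```

On a real Mac the live equivalent of the dry run is `security find-certificate -a -Z /Library/Keychains/System.keychain | hashes_for_label "Some CA"`; review the printed hashes against `dump-keychain` or Keychain Access before calling `remove_cert_by_label`, and keep the `.bak` file until you have confirmed the keychain still behaves as expected.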