Enumerate certificates in Mac Keychain and check their expiry dates

I've looked at the man page for the security tool, specifically the find-certificate argument.

I'm using the spaceship gem to get a list of certs in the Apple dev portal, and I'd like to compare them to the installed certs on the machine. The best comparison method seems to be creation and expiry dates.

However, I'm unable to figure out how to make security produce a certificate that I can then pass to openssl to determine creation/expiry dates.

Any guidance?

1

2 Answers

-p will dump the certs in PEM format, which can be piped to the openssl x509 utility for display. For example:

security find-certificate -p -c "Apple Worldwide Developer Relations Certification Authority" | openssl x509 -text -noout

Here's the full output:

$ security find-certificate -p -c "Apple Worldwide Developer Relations Certification Authority" | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 25 (0x19)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
        Validity
            Not Before: Feb 14 18:56:35 2008 GMT
            Not After : Feb 14 18:56:35 2016 GMT
        Subject: C = US, O = Apple Inc., OU = Apple Worldwide Developer Relations, CN = Apple Worldwide Developer Relations Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:38:54:a6:cb:56:aa:c8:24:39:48:e9:8c:ee:
                    ec:5f:b8:7f:26:91:bc:34:53:7a:ce:7c:63:80:61:
                    77:64:5e:a5:07:23:b6:39:fe:50:2d:15:56:58:70:
                    2d:7e:c4:6e:c1:4a:85:3e:2f:f0:de:84:1a:a1:57:
                    c9:af:7b:18:ff:6a:fa:15:12:49:15:08:19:ac:aa:
                    db:2a:32:ed:96:63:68:52:15:3d:8c:8a:ec:bf:6b:
                    18:95:e0:03:ac:01:7d:97:05:67:ce:0e:85:95:37:
                    6a:ed:09:b6:ae:67:cd:51:64:9f:c6:5c:d1:bc:57:
                    6e:67:35:80:76:36:a4:87:81:6e:38:8f:d8:2b:15:
                    4e:7b:25:d8:5a:bf:4e:83:c1:8d:d2:93:d5:1a:71:
                    b5:60:9c:9d:33:4e:55:f9:12:58:0c:86:b8:16:0d:
                    c1:e5:77:45:8d:50:48:ba:2b:2d:e4:94:85:e1:e8:
                    c4:9d:c6:68:a5:b0:a3:fc:67:7e:70:ba:02:59:4b:
                    77:42:91:39:b9:f5:cd:e1:4c:ef:c0:3b:48:8c:a6:
                    e5:21:5d:fd:6a:6a:bb:a7:16:35:60:d2:e6:ad:f3:
                    46:29:c9:e8:c3:8b:e9:79:c0:6a:61:67:15:b2:f0:
                    fd:e5:68:bc:62:5f:6e:cf:99:dd:ef:1b:63:fe:92:
                    65:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                88:27:17:09:A9:B6:18:60:8B:EC:EB:BA:F6:47:59:C5:52:54:A3:B7
            X509v3 Authority Key Identifier:
                keyid:2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:
            1.2.840.113635.100.6.2.1:
                ..
    Signature Algorithm: sha1WithRSAEncryption
         da:32:00:96:c5:54:94:d3:3b:82:37:66:7d:2e:68:d5:c3:c6:
         b8:cb:26:8c:48:90:cf:13:24:6a:46:8e:63:d4:f0:d0:13:06:
         dd:d8:c4:c1:37:15:f2:33:13:39:26:2d:ce:2e:55:40:e3:0b:
         03:af:fa:12:c2:e7:0d:21:b8:d5:80:cf:ac:28:2f:ce:2d:b3:
         4e:af:86:19:04:c6:e9:50:dd:4c:29:47:10:23:fc:6c:bb:1b:
         98:6b:48:89:e1:5b:9d:de:46:db:35:85:35:ef:3e:d0:e2:58:
         4b:38:f4:ed:75:5a:1f:5c:70:1d:56:39:12:e5:e1:0d:11:e4:
         89:25:06:bd:d5:b4:15:8e:5e:d0:59:97:90:e9:4b:81:e2:df:
         18:af:44:74:1e:19:a0:3a:47:cc:91:1d:3a:eb:23:5a:fe:a5:
         2d:97:f7:7b:bb:d6:87:46:42:85:eb:52:3d:26:b2:63:a8:b4:
         b1:ca:8f:f4:cc:e2:b3:c8:47:e0:bf:9a:59:83:fa:da:98:53:
         2a:82:f5:7c:65:2e:95:d9:33:5d:f5:ed:65:cc:31:37:c5:5a:
         04:e8:6b:e1:e7:88:03:4a:75:9e:9b:28:cb:4a:40:88:65:43:
         75:dd:cb:3a:25:23:c5:9e:57:f8:2e:ce:d2:a9:92:5e:73:2e:
         2f:25:75:15
1

Or to avoid potentially complex parsing of the openssl output, you can specify just the field(s) of interest, such as:

security find-certificate -p -c "Apple Worldwide Developer Relations Certification Authority" | openssl x509 -enddate -noout

1
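
Added example (not part of either answer above): both answers look up one certificate by name, so this sketch covers the "enumerate" half of the question by splitting the output of security find-certificate -a -p into individual certificates and printing each one's subject and validity dates with openssl. The function names, the temporary file layout and the 30-day warning window are assumptions made for illustration.

```shell
#!/bin/sh
# Split a PEM bundle read from stdin into one file per certificate under
# directory $1 (cert-0001.pem, cert-0002.pem, ...). Text outside the
# BEGIN/END markers is ignored. Prints the number of certificates written.
split_pem_bundle() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# Print subject, notBefore and notAfter for the PEM file $1, then a status
# line: EXPIRING if the certificate has expired or will expire within
# $2 days (default 30, an assumed threshold), OK otherwise.
report_cert() {
    days="${2:-30}"
    openssl x509 -in "$1" -noout -subject -startdate -enddate || return 1
    # -checkend exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "status=OK"
    else
        echo "status=EXPIRING"
    fi
}

# macOS only: dump every certificate in the keychain search list as PEM
# (-a = all matches, -p = PEM output) and report on each one.
# Usage: report_keychain        (30-day window)
#        report_keychain 90     (90-day window)
report_keychain() {
    tmp=$(mktemp -d) || return 1
    security find-certificate -a -p | split_pem_bundle "$tmp" >/dev/null
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        report_cert "$f" "${1:-30}"
        echo
    done
    rm -rf "$tmp"
}
```

The notBefore and notAfter lines printed for each certificate are the creation and expiry dates the question wants to compare against the portal list.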
