Unknown option: "-1" Unix manual page for security. (host=minya system=Darwin)
security(1)               BSD General Commands Manual              security(1)

NAME
     security -- Command line interface to keychains and Security framework

SYNOPSIS
     security [-hilqv] [-p prompt] [command] [command_options] [command_args]

DESCRIPTION
     A simple command line interface which lets you administer keychains,
     manipulate keys and certificates, and do just about anything the Security
     framework is capable of from the command line.

     By default security will execute the command supplied and report if any-
     thing went wrong.

     If the -i or -p options are provided, security will enter interactive
     mode and allow the user to enter multiple commands on stdin.  When EOF is
     read from stdin security will exit.

     Here is a complete list of the options available:

     -h       If no arguments are specified, show a list of all commands.  If
              arguments are provided, show usage for each the specified com-
              mands.  This option is essentially the same as the help command.

     -i       Run security in interactive mode.  A prompt (security> by
              default) will be displayed and the user will be able to type
              commands on stdin until an EOF is encountered.

     -l       Before security exits, run
                    /usr/bin/leaks -nocontext
              on itself to see if the command(s) you executed had any leaks.

     -p prompt
              This option implies the -i option but changes the default prompt
              to the argument specified instead.

     -q       Will make security less verbose.

     -v       Will make security more verbose.

SECURITY COMMAND SUMMARY
     security provides a rich variety of commands (command in the SYNOPSIS),
     each of which often has a wealth of options, to allow access to the broad
     functionality provided by the Security framework.  However, you don't
     have to master every detail for security to be useful to you.

     Here are brief descriptions of all the security commands:

     help                        Show all commands, or show usage for a com-
                                 mand.
     list-keychains              Display or manipulate the keychain search
                                 list.
     default-keychain            Display or set the default keychain.
     login-keychain              Display or set the login keychain.
     create-keychain             Create keychains.
     delete-keychain             Delete keychains and remove them from the
                                 search list.
     lock-keychain               Lock the specified keychain.
     unlock-keychain             Unlock the specified keychain.
     set-keychain-settings       Set settings for a keychain.
     set-keychain-password       Set password for a keychain.
     show-keychain-info          Show the settings for keychain.
     dump-keychain               Dump the contents of one or more keychains.
     create-keypair              Create an asymmetric key pair.
     add-generic-password        Add a generic password item.
     add-internet-password       Add an internet password item.
     add-certificates            Add certificates to a keychain.
     find-generic-password       Find a generic password item.
     delete-generic-password     Delete a generic password item.
     set-generic-password-partition-list
                                 Set the partition list of a generic password
                                 item.
     find-internet-password      Find an internet password item.
     delete-internet-password    Delete an internet password item.
     set-internet-password-partition-list
                                 Set the partition list of a internet password
                                 item.
     find-key                    Find keys in the keychain
     set-key-partition-list      Set the partition list of a key.
     find-certificate            Find a certificate item.
     find-identity               Find an identity (certificate + private key).
     delete-certificate          Delete a certificate from a keychain.
     delete-identity             Delete a certificate and its private key from
                                 a keychain.
     set-identity-preference     Set the preferred identity to use for a ser-
                                 vice.
     get-identity-preference     Get the preferred identity to use for a ser-
                                 vice.
     create-db                   Create a db using the DL.
     export                      Export items from a keychain.
     import                      Import items into a keychain.
     cms                         Encode or decode CMS messages.
     install-mds                 Install (or re-install) the MDS database.
     add-trusted-cert            Add trusted certificate(s).
     remove-trusted-cert         Remove trusted certificate(s).
     dump-trust-settings         Display contents of trust settings.
     user-trust-settings-enable  Display or manipulate user-level trust set-
                                 tings.
     trust-settings-export       Export trust settings.
     trust-settings-import       Import trust settings.
     verify-cert                 Verify certificate(s).
     authorize                   Perform authorization operations.
     authorizationdb             Make changes to the authorization policy
                                 database.
     execute-with-privileges     Execute tool with privileges.
     leaks                       Run /usr/bin/leaks on this process.
     smartcards                  Enable, disable or list disabled smartcard
                                 tokens.
     list-smartcards             Display available smartcards.
     export-smartcard            Export items from a smartcard.
     error                       Display a descriptive message for the given
                                 error code(s).

COMMON COMMAND OPTIONS
     This section describes the command_options that are available across all
     security commands.

     -h       Show a usage message for the specified command.  This option is
              essentially the same as the help command.

SECURITY COMMANDS
     Here (finally) are details on all the security commands and the options
     each accepts.

     help [-h]
            Show all commands, or show usage for a command.

     list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]]
            Display or manipulate the keychain search list.

            -d user|system|common|dynamic
                     Use the specified preference domain.
            -s       Set the search list to the specified keychains.

     default-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
            Display or set the default keychain.

            -d user|system|common|dynamic
                     Use the specified preference domain.
            -s       Set the default keychain to the specified keychain.
                     Unset it if no keychain is specified.

     login-keychain [-h] [-d user|system|common|dynamic] [-s [keychain]]
            Display or set the login keychain.

            -d user|system|common|dynamic
                     Use the specified preference domain.
            -s       Set the login keychain to the specified keychain.  Unset
                     it if no keychain is specified.

     create-keychain [-hP] [-p password] [keychain...]
            Create keychains.

            -P              Prompt the user for a password using the Secu-
                            rityAgent.
            -p password     Use password as the password for the keychains
                            being created.

            If neither -P or -p password are specified, the user is prompted
            for a password on the command line. Use of the -p option is inse-
            cure.

     delete-keychain [-h] [keychain...]
            Delete keychains and remove them from the search list.

     lock-keychain [-h] [-a|keychain]
            Lock keychain, or the default keychain if none is specified.  If
            the -a option is specified, all keychains are locked.

     unlock-keychain [-hu] [-p password] [keychain]
            Unlock keychain, or the default keychain if none is specified.

     set-keychain-settings [-hlu] [-t timeout] [keychain]
            Set settings for keychain, or the default keychain if none is
            specified.

            -l              Lock keychain when the system sleeps.
            -u              Lock keychain after timeout interval.
            -t timeout      Specify timeout interval in seconds (omitting this
                            option specifies "no timeout").

     set-keychain-password [-h] [-o oldPassword] [-p newPassword] [keychain]
            Set password for keychain, or the default keychain if none is
            specified.

            -o oldPassword  Old keychain password (if not provided, will
                            prompt)
            -p newPassword  New keychain password (if not provided, will
                            prompt)

     show-keychain-info [-h] [keychain]
            Show the settings for keychain.

     dump-keychain [-adhir]
            Dump the contents of one or more keychains.

            -a              Dump access control list of items
            -d              Dump (decrypted) data of items
            -i              Interactive access control list editing mode
            -r              Dump raw (encrypted) data of items

     create-keypair [-h] [-a alg] [-s size] [-f date] [-t date] [-d days] [-k
     keychain] [-A|-T appPath] [name]
            Create an asymmetric key pair.

            -a alg          Use alg as the algorithm, can be rsa, dh, dsa or
                            fee (default rsa)
            -s size         Specify the keysize in bits (default 512)
            -f date         Make a key valid from the specified date (ex:
                            "13/11/10 3:30pm")
            -t date         Make a key valid to the specified date
            -d days         Make a key valid for the number of days specified
                            from today
            -k keychain     Use the specified keychain rather than the default
            -A              Allow any application to access this key without
                            warning (insecure, not recommended!)
            -T appPath      Specify an application which may access this key
                            (multiple -T options are allowed)

     add-generic-password [-h] [-a account] [-s service] [-w password]
     [options...] [keychain]
            Add a generic password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character
                            code)
            -C type         Specify item type (optional four-character code)
            -D kind         Specify kind (default is "application password")
            -G value        Specify generic attribute value (optional)
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as
                            default label)
            -s service      Specify service name (required)
            -p password     Specify password to be added (legacy option,
                            equivalent to -w)
            -w password     Specify password to be added. Put at end of com-
                            mand to be prompted (recommended)
            -A              Allow any application to access this item without
                            warning (insecure, not recommended!)
            -T appPath      Specify an application which may access this item
                            (multiple -T options are allowed)
            -U              Update item if it already exists (if omitted, the
                            item cannot already exist)

            By default, the application which creates an item is trusted to
            access its data without warning.  You can remove this default
            access by explicitly specifying an empty app pathname: -T "". If
            no keychain is specified, the password is added to the default
            keychain.

     add-internet-password [-h] [-a account] [-s server] [-w password]
     [options...] [keychain]
            Add an internet password item.

            -a account      Specify account name (required)
            -c creator      Specify item creator (optional four-character
                            code)
            -C type         Specify item type (optional four-character code)
            -d domain       Specify security domain string (optional)
            -D kind         Specify kind (default is "application password")
            -j comment      Specify comment string (optional)
            -l label        Specify label (if omitted, service name is used as
                            default label)
            -p path         Specify path string (optional)
            -P port         Specify port number (optional)
            -r protocol     Specify protocol (optional four-character SecPro-
                            tocolType, e.g. "http", "ftp ")
            -s server       Specify server name (required)
            -t authenticationType
                            Specify authentication type (as a four-character
                            SecAuthenticationType, default is "dflt")
            -w password     Specify password to be added. Put at end of com-
                            mand to be prompted (recommended)
            -A              Allow any application to access this item without
                            warning (insecure, not recommended!)
            -T appPath      Specify an application which may access this item
                            (multiple -T options are allowed)
            -U              Update item if it already exists (if omitted, the
                            item cannot already exist)

            By default, the application which creates an item is trusted to
            access its data without warning.  You can remove this default
            access by explicitly specifying an empty app pathname: -T "". If
            no keychain is specified, the password is added to the default
            keychain.

     add-certificates [-h] [-k keychain] file...
            Add certficates contained in the specified files to the default
            keychain.  The files must contain one DER encoded X509 certificate
            each.
            -k keychain     Use keychain rather than the default keychain.

     find-generic-password [-h] [-a account] [-s service] [-options...] [-g]
     [-keychain...]
            Find a generic password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -D kind         Match kind string
            -G value        Match value string (generic attribute)
            -j comment      Match comment string
            -l label        Match label string
            -s service      Match service string
            -g              Display the password for the item found
            -w              Display the password(only) for the item found

     delete-generic-password [-h] [-a account] [-s service] [-options...]
     [-keychain...]
            Delete a generic password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -D kind         Match kind string
            -G value        Match value string (generic attribute)
            -j comment      Match comment string
            -l label        Match label string
            -s service      Match service string

     delete-internet-password [-h] [-a account] [-s server] [options...]
     [keychain...]
            Delete an internet password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -d securityDomain
                            Match securityDomain string
            -D kind         Match kind string
            -j comment      Match comment string
            -l label        Match label string
            -p path         Match path string
            -P port         Match port number
            -r protocol     Match protocol (four-character code)
            -s server       Match server string
            -t authenticationType
                            Match authenticationType (four-character code)

     find-internet-password [-h] [-a account] [-s server] [options...] [-g]
     [keychain...]
            Find an internet password item.

            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -d securityDomain
                            Match securityDomain string
            -D kind         Match kind string
            -j comment      Match comment string
            -l label        Match label string
            -p path         Match path string
            -P port         Match port number
            -r protocol     Match protocol (four-character code)
            -s server       Match server string
            -t authenticationType
                            Match authenticationType (four-character code)
            -g              Display the password for the item found
            -w              Display the password(only) for the item found

     find-key [options...] [keychain...]
            Search the keychain for keys.

            -a application-label
                            Match "application label" string
            -c creator      Match creator (four-character code)
            -d              Match keys that can decrypt
            -D description  Match "description" string
            -e              Match keys that can encrypt
            -j comment      Match comment string
            -l label        Match label string
            -r              Match keys that can derive
            -s              Match keys that can sign
            -t type         Type of key to find: one of "symmetric", "public",
                            or "private"
            -u              Match keys that can unwrap
            -v              Match keys that can verify
            -w              Match keys that can wrap

     set-generic-password-partition-list [-a account] [-s service] [-S
     <partition list (comma separated)>] [-k <keychain password>] [options...]
     [keychain]
            Sets the "partition list" for a generic password. The "partition
            list" is an extra parameter in the ACL which limits access to the
            item based on an application's code signature. You must present
            the keychain's password to change a partition list.

            -S partition-list
                            Comma-separated partition list. See output of
                            "security dump-keychain" for examples.
            -k password     Password for keychain
            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -D kind         Match kind string
            -G value        Match value string (generic attribute)
            -j comment      Match comment string
            -l label        Match label string
            -s service      Match service string

     set-internet-password-partition-list [-a account] [-s server] [-S
     <partition list (comma separated)>] [-k <keychain password>] [options...]
     [keychain]
            Sets the "partition list" for an internet password. The "partition
            list" is an extra parameter in the ACL which limits access to the
            item based on an application's code signature. You must present
            the keychain's password to change a partition list.

            -S partition-list
                            Comma-separated partition list. See output of
                            "security dump-keychain" for examples.
            -k password     Password for keychain
            -a account      Match account string
            -c creator      Match creator (four-character code)
            -C type         Match type (four-character code)
            -d securityDomain
                            Match securityDomain string
            -D kind         Match kind string
            -j comment      Match comment string
            -l label        Match label string
            -p path         Match path string
            -P port         Match port number
            -r protocol     Match protocol (four-character code)
            -s server       Match server string
            -t authenticationType
                            Match authenticationType (four-character code)

     set-key-partition-list [-S <partition list (comma separated)>] [-k
     <keychain password>] [options...] [keychain]
            Sets the "partition list" for a key. The "partition list" is an
            extra parameter in the ACL which limits access to the key based on
            an application's code signature. You must present the keychain's
            password to change a partition list. If you'd like to run
            /usr/bin/codesign with the key, "apple:" must be an element of the
            partition list.

            -S partition-list
                            Comma-separated partition list. See output of
                            "security dump-keychain" for examples.
            -k password     Password for keychain
            -a application-label
                            Match "application label" string
            -c creator      Match creator (four-character code)
            -d              Match keys that can decrypt
            -D description  Match "description" string
            -e              Match keys that can encrypt
            -j comment      Match comment string
            -l label        Match label string
            -r              Match keys that can derive
            -s              Match keys that can sign
            -t type         Type of key to find: one of "symmetric", "public",
                            or "private"
            -u              Match keys that can unwrap
            -v              Match keys that can verify
            -w              Match keys that can wrap

     find-certificate [-h] [-a] [-c name] [-e emailAddress] [-m] [-p] [-Z]
     [keychain...]
            Find a certificate item.  If no keychain arguments are provided,
            the default search list is used.

            Options:
            -a              Find all matching certificates, not just the first
                            one
            -c name         Match on name when searching (optional)
            -e emailAddress
                            Match on emailAddress when searching (optional)
            -m              Show the email addresses in the certificate
            -p              Output certificate in pem format.  Default is to
                            dump the attributes and keychain the cert is in.
            -Z              Print SHA-1 hash of the certificate

            Examples

            security> find-certificate -a -p > allcerts.pem
                     Exports all certificates from all keychains into a pem
                     file called allcerts.pem.

            security> find-certificate -a -e me@foo.com -p > certs.pem
                     Exports all certificates from all keychains with the
                     email address me@foo.com into a pem file called
                     certs.pem.

            security> find-certificate -a -c MyName -Z login.keychain | grep
                     ^SHA-1
                     Print the SHA-1 hash of every certificate in 'login.key-
                     chain' whose common name includes 'MyName'

     find-identity [-h] [-p policy] [-s string] [-v] [keychain...]
            Find an identity (certificate + private key) satisfying a given
            policy. If no policy arguments are provided, the X.509 basic pol-
            icy is assumed. If no keychain arguments are provided, the default
            search list is used.

            Options:
            -p policy       Specify policy to evaluate (multiple -p options
                            are allowed). Supported policies: basic, ssl-
                            client, ssl-server, smime, eap, ipsec, ichat,
                            codesigning, sys-default, sys-kerberos-kdc
            -s string       Specify optional policy-specific string (e.g. a
                            DNS hostname for SSL, or RFC822 email address for
                            S/MIME)
            -v              Show valid identities only (default is to show all
                            identities)

            Examples

            security> find-identity -v -p ssl-client
                     Display valid identities that can be used for SSL client
                     authentication

            security> find-identity -p ssl-server -s www.domain.com
                     Display identities for a SSL server running on the host
                     'www.domain.com'

            security> find-identity -p smime -s user@domain.com
                     Display identities that can be used to sign a message
                     from 'user@domain.com'

     delete-certificate [-h] [-c name] [-Z hash] [-t] [keychain...]
            Delete a certificate from a keychain.  If no keychain arguments
            are provided, the default search list is used.

            -c name         Specify certificate to delete by its common name
            -Z hash         Specify certificate to delete by its SHA-1 hash
            -t              Also delete user trust settings for this certifi-
                            cate

            The certificate to be deleted must be uniquely specified either by
            a string found in its common name, or by its SHA-1 hash.

     delete-identity [-h] [-c name] [-Z hash] [-t] [keychain...]
            Delete a certificate and its private key from a keychain.  If no
            keychain arguments are provided, the default search list is used.

            -c name         Specify certificate to delete by its common name
            -Z hash         Specify certificate to delete by its SHA-1 hash
            -t              Also delete user trust settings for this identity
                            certificate

            The identity to be deleted must be uniquely specified either by a
            string found in its common name, or by its SHA-1 hash.

     set-identity-preference [-h] [-n] [-c identity] [-s service] [-u
     keyUsage] [-Z hash] [keychain...]
            Set the preferred identity to use for a service.

            -n              Specify no identity (clears existing preference
                            for the given service)
            -c identity     Specify identity by common name of the certificate
            -s service      Specify service (may be a URL, RFC822 email
                            address, DNS host, or other name) for which this
                            identity is to be preferred
            -u keyUsage     Specify key usage (optional)
            -Z hash         Specify identity by SHA-1 hash of certificate
                            (optional)

            The identity is located by searching the specified keychain(s) for
            a certificate whose common name contains the given identity
            string. If no keychains are specified to search, the default
            search list is used. Different identity preferences can be set for
            individual key usages. You can differentiate between two identi-
            ties which contain the same string by providing a SHA-1 hash of
            the certificate (in addition to, or instead of, the name.)

            PARTIAL PATHS AND WILDCARDS

            Prior to 10.5.4, identity preferences for SSL/TLS client authenti-
            cation could only be set on a per-URL basis. The URL being visited
            had to match the service name exactly for the preference to be in
            effect.

            In 10.5.4, it became possible to specify identity preferences on a
            per-server basis, by using a service name with a partial path URL
            to match more specific paths on the same server. For example, if
            an identity preference for "https://www.apache-ssl.org/" exists,
            it will be in effect for "https://www.apache-ssl.org/cgi/cert-
            export", and so on. Note that partial path URLs must end with a
            trailing slash character.

            Starting with 10.6, it is possible to specify identity preferences
            on a per-domain basis, by using the wildcard character '*' as the
            leftmost component of the service name. Unlike SSL wildcards, an
            identity preference wildcard can match more than one subdomain.
            For example, an identity preference for the name "*.army.mil" will
            match "server1.subdomain1.army.mil" or "server2.subdo-
            main2.army.mil". Likewise, a preference for "*.mil" will match
            both "server.army.mil" and "server.navy.mil".

            KEY USAGE CODES

                 0 - preference is in effect for all possible key usages
            (default)
                 1 - encryption only
                 2 - decryption only
                 4 - signing only
                 8 - signature verification only
                16 - signing with message recovery only
                32 - signature verification with message recovery only
                64 - key wrapping only
               128 - key unwrapping only
               256 - key derivation only

            To specify more than one usage, add values together.

     get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]
            Get the preferred identity to use for a service.

            -s service      Specify service (may be a URL, RFC822 email
                            address, DNS host, or other name)
            -u keyUsage     Specify key usage (optional)
            -p              Output identity certificate in pem format
            -c              Print common name of the preferred identity cer-
                            tificate
            -Z              Print SHA-1 hash of the preferred identity cer-
                            tificate

     create-db [-aho0] [-g dl|cspdl] [-m mode] [name]
            Create a db using the DL.  If name isn't provided security will
            prompt the user to type a name.

            Options:
            -a              Turn off autocommit
            -g dl|cspdl     Use the AppleDL (default) or AppleCspDL
            -m mode         Set the file permissions to mode.
            -o              Force using openparams argument
            -0              Force using version 0 openparams

            Examples

            security> create-db -m 0644 test.db

            security> create-db -g cspdl -a test2.db

     export [-k keychain] [-t type] [-f format] [-w] [-p format] [-P
     passphrase] [-o outfile]
            Export one or more items from a keychain to one of a number of
            external representations.  If keychain isn't provided, items will
            be exported from the user's default keychain.

            Options:
            -k keychain     Specify keychain from which item(s) will be
                            exported.
            -t type         Specify the type of items to export. Possible
                            types are certs, allKeys, pubKeys, privKeys, iden-
                            tities, and all. The default is all. An identity
                            consists of both a certificate and the correspond-
                            ing private key.
            -f format       Specify the format of the exported data. Possible
                            formats are openssl, bsafe, pkcs7, pkcs8, pkcs12,
                            x509, openssh1, openssh2, and pemseq. The default
                            is pemseq if more than one item is being exported.
                            The default is openssl if one key is being
                            exported. The default is x509 if one certificate
                            is being exported.
            -w              Specifies that private keys are to be wrapped on
                            export.
            -p              Specifies that PEM armour is to be applied to the
                            output data.
            -P passphrase   Specify the wrapping passphrase immediately. The
                            default is to obtain a secure passphrase via GUI.
            -o outfile      Write the output data to outfile. Default is to
                            write data to stdout.

            Examples

            security> export -k login.keychain -t certs -o /tmp/certs.pem

            security> export -k newcert.keychain -t identities -f pkcs12 -o
                     /tmp/mycerts.p12

     import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase]
     [options...]
            Import one or more items from inputfile into a keychain. If
            keychain isn't provided, items will be imported into the user's
            default keychain.

            Options:
            -k keychain     Specify keychain into which item(s) will be
                            imported.
            -t type         Specify the type of items to import. Possible
                            types are cert, pub, priv, session, cert, and agg.
                            Pub, priv, and session refer to keys; agg is one
                            of the aggregate types (pkcs12 and PEM sequence).
                            The command can often figure out what item_type an
                            item contains based in the filename and/or
                            item_format.
            -f format       Specify the format of the exported data. Possible
                            formats are openssl, bsafe, raw, pkcs7, pkcs8,
                            pkcs12, x509, openssh1, openssh2, and pemseq. The
                            command can often figure out what format an item
                            is in based in the filename and/or item_type.
            -w              Specify that private keys are wrapped and must be
                            unwrapped on import.
            -x              Specify that private keys are non-extractable
                            after being imported.
            -P passphrase   Specify the unwrapping passphrase immediately. The
                            default is to obtain a secure passphrase via GUI.
            -a attrName attrValue
                            Specify optional extended attribute name and
                            value. Can be used multiple times. This is only
                            valid when importing keys.
            -A              Allow any application to access the imported key
                            without warning (insecure, not recommended!)
            -T appPath      Specify an application which may access the
                            imported key (multiple -T options are allowed)

            Examples

            security> import /tmp/certs.pem -k

            security> import /tmp/mycerts.p12 -t agg -k newcert.keychain

            security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain

     cms [-C|-D|-E|-S] [options...]
            Encode or decode CMS messages.
            -C              create a CMS encrypted message
            -D              decode a CMS message
            -E              create a CMS enveloped message
            -S              create a CMS signed message

            Decoding options:
            -c content      use this detached content file
            -h level        generate email headers with info about CMS message
                            (output level >= 0)
            -n              suppress output of content

            Encoding options:
            -r id,...       create envelope for comma-delimited list of recip-
                            ients, where id can be a certificate nickname or
                            email address
            -G              include a signing time attribute
            -H hash         hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512
                            (default: SHA1)
            -N nick         use certificate named "nick" for signing
            -P              include a SMIMECapabilities attribute
            -T              do not include content in CMS message
            -Y nick         include an EncryptionKeyPreference attribute with
                            certificate (use "NONE" to omit)
            -Z hash         find a certificate by subject key ID

            Common options:
            -e envelope     specify envelope file (valid with -D or -E)
            -k keychain     specify keychain to use
            -i infile       use infile as source of data (default: stdin)
            -o outfile      use outfile as destination of data (default: std-
                            out)
            -p password     use password as key db password (default: prompt)
            -s              pass data a single byte at a time to CMS
            -u certusage    set type of certificate usage (default: cer-
                            tUsageEmailSigner)
            -v              print debugging information

            Cert usage codes:
                              0 - certUsageSSLClient
                              1 - certUsageSSLServer
                              2 - certUsageSSLServerWithStepUp
                              3 - certUsageSSLCA
                              4 - certUsageEmailSigner
                              5 - certUsageEmailRecipient
                              6 - certUsageObjectSigner
                              7 - certUsageUserCertImport
                              8 - certUsageVerifyCA
                              9 - certUsageProtectedObjectSigner
                             10 - certUsageStatusResponder
                             11 - certUsageAnyCA

     install-mds
            Install (or re-install) the Module Directory Services (MDS) data-
            base. This is a system tool which is not normally used by users.
            There are no options.

     add-trusted-cert [-d] [-r resultType] [-p policy] [-a appPath] [-s
     policyString] [-e allowedError] [-u keyUsage] [-k keychain] [-i
     settingsFileIn] [-o settingsFileOut] certFile
            Add certificate (in DER or PEM format) from certFile to per-user
            or local Admin Trust Settings. When modifying per-user Trust Set-
            tings, user authentication is required via an authentication dia-
            log. When modifying admin Trust Settings, the process must be run-
            ning as root, or admin authentication is required.

            Options:
            -d              Add to admin cert store; default is user.
            -r resultType   resultType = trustRoot|trustAsRoot|deny|unspeci-
                            fied; default is trustRoot.
            -p policy       Specify policy constraint (ssl, smime, codeSign,
                            IPSec, basic, swUpdate, pkgSign, eap, macappstore,
                            appleID, timestamping).
            -r resultType   resultType = trustRoot|trustAsRoot|deny|unspeci-
                            fied; default is trustRoot.
            -a appPath      Specify application constraint.
            -s policyString
                            Specify policy-specific string.
            -e allowedError
                            Specify allowed error (an integer value, or one
                            of: certExpired, hostnameMismatch)
            -u keyUsage     Specify key usage, an integer.
            -k keychain     Specify keychain to which cert is added.
            -i settingsFileIn
                            Input trust settings file; default is user domain.
            -o settingsFileOut
                            Output trust settings file; default is user
                            domain.

            Key usage codes:
                -1 - Any
                 1 - Sign
                 2 - Encrypt/Decrypt Data
                 4 - Encrypt/Decrypt Key
                 8 - Sign certificate
                16 - Sign revocation
                32 - Key exchange
                To specify more than one usage, add values together (except -1
            - Any).

            Examples
                  security> add-trusted-cert /tmp/cert.der
                  security> add-trusted-cert -d .tmp/cert.der

   remove-trusted-cert [-d] certFile
          Remove certificate (in DER or PEM format) in certFile from per-user
          or local Admin Trust Settings. When modifying per-user Trust Set-
          tings, user authentication is required via an authentication dialog.
          When modifying admin Trust Settings, the process must be running as
          root, or admin authentication is required.

          Options:
          -d              Remove from admin cert store; default is user.

   dump-trust-settings [-s] [-d]
          Display Trust Settings.

          Options:
          -s              Display trusted system certs; default is user.
          -d              Display trusted admin certs; default is user.

   user-trust-settings-enable [-d] [-e]
          Display or manipulate user-level Trust Settings. With no arguments,
          shows the current state of the user-level Trust Settings enable.
          Otherwise enables or disables user-level Trust Settings.

          Options:
          -d              Disable user-level Trust Settings.
          -e              Enable user-level Trust Settings.

   trust-settings-export [-s] [-d] settings_file
          Export Trust Settings to the specified file.

          Options:
          -s              Export system Trust Settings; default is user.
          -d              Export admin Trust Settings; default is user.

   trust-settings-import [-d] settings_file
          Import Trust Settings from the specified file. When modifying per-
          user Trust Settings, user authentication is required via an authen-
          tication dialog. When modifying admin Trust Settings, the process
          must be running as root, or admin authentication is required.

          Options:
          -d              Import admin Trust Settings; default is user.

   verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-C] [-d date] [-k
   keychain] [-n name] [-N] [-L] [-l] [-e emailAddress] [-s sslHost] [-q] [-R
   revCheckOption]
          Verify one or more certificates.

          Options:
          -c certFile     Certificate to verify, in DER or PEM format. Can be
                          specified more than once; leaf certificate has to be
                          specified first.
          -r rootCertFile
                          Root certificate, in DER or PEM format. Can be spec-
                          ified more than once. If not specified, the system
                          anchor certificates are used. If one root certifi-
                          cate is specified, and zero (non-root) certificates
                          are specified, the root certificate is verified
                          against itself.
          -p policy       Specify verification policy (ssl, smime, codeSign,
                          IPSec, basic, swUpdate, pkgSign, eap, appleID,
                          macappstore, timestamping). Default is basic.
          -C              Specify this evaluation is for client usage, if the
                          verification policy (e.g. ssl) distinguishes between
                          client and server usage. Default is server usage.
          -d date         Date to set for verification. Specified in the for-
                          mat of YYYY-MM-DD-hh:mm:ss (time optional). e.g:
                          2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm
                          in GMT
          -k keychain     Keychain to search for intermediate CA certificates.
                          Can be specified multiple times. Default is the cur-
                          rent user's keychain search list.
          -n name         Specify a name to be verified, e.g. the SSL host
                          name for the ssl policy, or RFC822 email address for
                          the smime policy. For backward compatibility, if the
                          -n option is provided without an argument, it will
                          be interpreted as equivalent to -N.
          -N              Avoid searching any keychains.
          -L              Use local certificates only. If an issuing CA cer-
                          tificate is missing, this option will avoid access-
                          ing the network to fetch it.
          -l              Specifies that the leaf certificate is a CA cert. By
                          default, a leaf certificate with a Basic Constraints
                          extension with the CA bit set fails verification.
          -e emailAddress
                          Specify email address for the smime policy. (This
                          option is deprecated; use -n instead.)
          -s sslHost      Specify SSL host name for the ssl policy. (This
                          option is deprecated; use -n instead.)
          -q              Quiet, no stdout or stderr.
          -R revCheckOption
                          Specify a revocation checking option for this evalu-
                          ation (ocsp, crl, require, offline). Can be speci-
                          fied multiple times; e.g. to enable revocation
                          checking via either OCSP or CRL methods and require
                          a positive response, use "-R ocsp -R crl -R
                          require". The offline option will consult previously
                          cached responses, but will not make a request to a
                          revocation server.

          Examples

          security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl
                   -n store.apple.com

          security> verify-cert -r serverbasic.crt

   authorize [-updPiew] [right...]
          Authorize requested right(s).  The extend-rights flag will be passed
          by default.

          Options:
          -u              Allow user interaction.
          -p              Allow returning partial rights.
          -d              Destroy acquired rights.
          -P              Pre-authorize rights only.
          -l              Operate authorization in least privileged mode.
          -i              Internalize authref passed on stdin.
          -e              Externalize authref to stdout
          -w              Wait while holding AuthorizationRef until stdout is
                          closed. This will allow client to read externalized
                          AuthorizationRef from pipe.

          Examples

          security> security authorize -ud my-right
                   Basic authorization of my-right.

          security> security -q authorize -uew my-right | security -q
                   authorize -i my-right
                   Authorizing a right and passing it to another command as a
                   way to add authorization to shell scripts.

   authorizationdb read <right-name>

   authorizationdb write <right-name> [allow|deny|<rulename>]

   authorizationdb remove <right-name>
          Read/Modify authorization policy database. Without a rulename write
          will read a dictionary as a plist from stdin.

          Examples

          security> security authorizationdb read system.privilege.admin >
                   /tmp/aewp-def
                   Read definition of system.privilege.admin right.

          security> security authorizationdb write system.preferences <
                   /tmp/aewp-def
                   Set system.preferences to definition of system.privi-
                   lege.admin right.

          security> security authorizationdb write system.preferences
                   authenticate-admin
                   Every change to preferences requires an Admin user to
                   authenticate.

   execute-with-privileges <program> [args...]
          Execute tool with privileges.  On success stdin will be read and
          forwarded to the tool.

   leaks [-h] [-cycles] [-nocontext] [-nostacks] [-exclude symbol]
          Run /usr/bin/leaks on this process.  This can help find memory leaks
          after running certain commands.

          Options:
          -cycles         Use a stricter algorithm (See leaks(1) for details).
          -nocontext      Withhold the hex dumps of the leaked memory.
          -nostacks       Don't show stack traces of leaked memory.
          -exclude symbol
                          Ignore leaks called from symbol.

   smartcards token [-l] [-e token] [-d token]
          Enable, disable or list disabled smartcard tokens.

          Options:
          -l              List disabled smartcard tokens.
          -e token        Enable smartcard token.
          -d token        Disable smartcard token.

          To list tokens available in the system

          pluginkit -m -p com.apple.ctk-tokens

          Examples

          security smartcards token -l
          security smartcards token -d com.apple.CryptoTokenKit.pivtoken
          security smartcards token -e com.apple.CryptoTokenKit.pivtoken

   list-smartcards
          Display ids of available smartcards.

   export-smartcard token [-i id] [-t certs|privKeys|identities|all]
          Export items from a smartcard. If id isn't provided, items from all
          smartcards will be exported.

          Options:
          -i id           Export items from token specified by token id,
                          available ids can be listed by list-smartcards com-
                          mand.
          -t certs|privKeys|identities|all
                          Export items of the specified type (Default: all)

   error [-h] [<error code(s)...>]
          Display an error string for the given security-related error code.
          The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
          errors can be separated by spaces.

ENVIRONMENT
     MallocStackLogging
              When using the leaks command or the -l option it's probably a
              good idea to set this environment variable before security is
              started.  Doing so will allow leaks to display symbolic back-
              traces.

FILES
     ~/Library/Preferences/com.apple.security.plist

              Property list file containing the current user's default key-
              chain and keychain search list.

     /Library/Preferences/com.apple.security.plist

              Property list file containing the system default keychain and
              keychain search list.  This is used by processes started at boot
              time, or those requesting to use the system search domain, such
              as system daemons.

     /Library/Preferences/com.apple.security-common.plist

              Property list file containing the common keychain search list,
              which is appended to every user's search list and to the system
              search list.

SEE ALSO
     certtool(1), leaks(1), pluginkit(8)

HISTORY
     security was first introduced in Mac OS X version 10.3.

BUGS
     security still needs more commands before it can be considered complete.
     In particular, it should someday supersede both the certtool and
     systemkeychain commands.

Darwin                          March 15, 2017                          Darwin