Dima Stopel

How to Trust a Self-Signed Certificate on macOS

Originally published on cert-depot.com. Free, open-source self-signed certificate generator — no signup, keys never stored.

Add your certificate to the macOS System keychain so Safari, Chrome, curl, and most other tools trust it.

macOS uses a unified keychain system that's shared across most applications — Safari, Chrome, curl, git, and many others. Adding your self-signed certificate once usually makes it trusted everywhere (Firefox is an exception; see our Firefox guide).

GUI: Keychain Access

  • Open Keychain Access (Spotlight: Cmd+Space, type "Keychain").
  • From the menu: File › Import Items.
  • Select your .pem or .crt file.
  • When asked which keychain, choose System (requires admin password). Choose login to trust it only for your user.
  • Find the imported certificate, double-click it.
  • Expand the Trust section.
  • Change "When using this certificate" to Always Trust.
  • Close the dialog — you'll be prompted for your password to save.

Command Line

For scripting or CI, use the security tool. This adds and fully trusts the cert in one step:

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain /path/to/certificate.pem

Flags explained: -d = admin domain, -r trustRoot = trust as root CA, -k = keychain path.

To remove it later:

sudo security delete-certificate -c "Your Certificate CN" \
  /Library/Keychains/System.keychain

Verify It Worked

Restart your browser (it caches the trust store at startup). Then use one of these:

# Inspect via curl
curl -I https://your-domain.local/

# Inspect the trust with security
security verify-cert -c certificate.pem

# View the cert that a server is serving
echo | openssl s_client -connect your-domain.local:443 2>/dev/null \
  | openssl x509 -noout -subject -issuer

Common Issues

Still getting "certificate not trusted" in Chrome

Fully quit Chrome (Cmd+Q) and reopen. Chrome only reads the trust store at startup.

Certificate has no SAN

Even when fully trusted in macOS, Chrome and Safari will reject certificates without a Subject Alternative Name matching the hostname. Use our generator, which includes SANs, or regenerate with openssl using the -addext flag.
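
A pre-flight check for the SAN problem above, as an added example that is not part of the original article: it regenerates a certificate with `-addext` and refuses to proceed unless a DNS SAN matches the hostname. It assumes OpenSSL 1.1.1 or later on the PATH, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes OpenSSL 1.1.1 or
# later on PATH; the function names are hypothetical.

# Create a short-lived self-signed cert whose SAN covers the hostname.
make_dev_cert() {  # make_dev_cert <hostname> <key-out> <cert-out>
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -days 90 -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Succeed only if the cert carries a DNS SAN that matches the hostname.
# -checkhost alone is not enough: OpenSSL falls back to the CN when the
# cert has no DNS SAN, which Chrome and Safari do not.
cert_san_covers() {  # cert_san_covers <cert.pem> <hostname>
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' || return 1
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
    | grep -q 'does match certificate'
}

# Gate the keychain import on the checks above. Returns 0 if the cert is
# fit to trust for <hostname>, non-zero (with a reason) otherwise.
preflight_cert() {  # preflight_cert <cert.pem> <hostname>
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo "refuse: $1 is expired or unreadable" >&2; return 2
  fi
  if ! cert_san_covers "$1" "$2"; then
    echo "refuse: no DNS SAN in $1 matches $2" >&2; return 3
  fi
  # A CA:TRUE cert trusted as a root can vouch for other certificates,
  # so flag it: its private key then needs to be protected accordingly.
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "note: $1 is CA:TRUE; keep its private key protected" >&2
  fi
  return 0
}

# Usage on macOS (the import command is the one from the article):
#   preflight_cert certificate.pem your-domain.local && \
#     sudo security add-trusted-cert -d -r trustRoot \
#       -k /Library/Keychains/System.keychain certificate.pem
```
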

The cert imports but stays "Not Trusted"

You imported it to the login keychain without changing the trust setting. Double-click the cert in Keychain Access and set "Always Trust".
