The OS X keychain is where all of the trusted Certification Authorities, certificates, keys, and stored passwords are kept in OS X (Tiger and Leopard). All Apple software, and a lot of third-party software use it. The notable exceptions are Firefox and Thunderbird, which use their own built-in stores. You can access Keychain through Applications -> Utilities -> Keychain Access.

Left side bar of Keychain
Left side bar of Keychain

On the top left hand side bar, you’ll have at least two “keychains”: login and System Roots (X509Anchors on Tiger). Depending on what other software you have installed (*cough* Microsoft Office *cough*) and what configuration options you choose (joined to a Windows domain), you may have more. On the bottom left side bar, you can filter on the types of items stored in Keychain. You may notice the “Secure Notes” option – you can store any text in Keychain, and it’ll be encrypted and synced with the rest of Keychain’s data. Unless you’ve used to send or receive signed and encrypted e-mail, you likely only have items under “Passwords”.

Keychain stores all of this sensitive information for you – in 3DES, 3-key, EDE encrypted format (the sensitive parts only – known public information, such as public keys, are not encrypted). The keys are tied to your login password, so it’s automatically unlocked for you when you log in (you can change this in the Keychain preferences). If you have .mac/MobileMe, you can have Keychain synchronize itself across your macs, again – encrypted.

If you use S/MIME mail (encrypted with certificates), all of the certificates of the people who have sent you signed messages are located here. If you double click on a certificate file (usually .cer or .der), Keychain will walk you through importing that certificate.

Clicking on a certificate
Clicking on a certificate

Usually, you want to add the certificate to the login keychain. If, however, you want all users on a system to be able to use that certificate, you can add it to the system keychain. The final task is to determine how much (or little) you trust the certificate. By double clicking on the certificate you just added (in Keychain), you can adjust your trust settings.

Trust Settings
Trust Settings

For the most part, with regular certificates (not CA certificates), “Use System Settings” is sufficient (and the default). You only need to change this for CA certificates or when you want to restrict how the certificate can be used. CA certificates that you add must be explicitly trusted, by choosing “Always Trust” or “Use Custom Settings” on Leopard, or by adding it to the X509Anchors keychain in Tiger. Adjusting the trust settings allows you to say that you’ll trust a certificate (CA) for certain things, like e-mail or iChat, but not for IPSEC (VPN).

For whom it matters: Keychain is not currently FIPS 140-2 level 1 certified. It is however in the process, and current details can always be found at It’s also Common Criteria Certified ( for Jaguar, and it looks like for Tiger and Leopard as well, but that’s not clear.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

6 thoughts on “OS X Keychain

  1. Pingback: Security Musings
  2. Office 2007 says:

    Great article, thanks for the share. Blog bookmarked 🙂

  3. Ivan Rudolf says:

    damn good advice and sharing,I will buy one elegant apple for me .thanks,Joe

  4. Hyman Keifer says:

    I am definitly bookmarking this site. Thanks for the resource.

Comments are closed.