How to Trust a Self-Signed Certificate on macOS

Add your certificate to the macOS System keychain so Safari, Chrome, curl, and most other tools trust it.

macOS uses a unified keychain system that's shared across most applications — Safari, Chrome, curl, git, and many others. Adding your self-signed certificate once usually makes it trusted everywhere (Firefox is an exception; see our Firefox guide).

GUI: Keychain Access

  1. Open Keychain Access (Spotlight: Cmd+Space, type "Keychain").
  2. From the menu: File › Import Items.
  3. Select your .pem or .crt file.
  4. When asked which keychain, choose System (requires admin password). Choose login to trust it only for your user.
  5. Find the imported certificate, double-click it.
  6. Expand the Trust section.
  7. Change "When using this certificate" to Always Trust.
  8. Close the dialog — you'll be prompted for your password to save.

Command Line

For scripting or CI, use the security tool. This adds and fully trusts the cert in one step:

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain /path/to/certificate.pem

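Flags explained: -d = add to the admin (system-wide) trust settings rather than the current user's, -r trustRoot = trust as a root CA, -k = path of the keychain the certificate is added to.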

To remove it later:

sudo security delete-certificate -c "Your Certificate CN" \
  /Library/Keychains/System.keychain

Verify It Worked

Restart your browser (it caches the trust store at startup). Then use one of these:

# Inspect via curl
curl -I https://your-domain.local/

# Inspect the trust with security
security verify-cert -c certificate.pem

# View the cert that a server is serving
echo | openssl s_client -connect your-domain.local:443 2>/dev/null \
  | openssl x509 -noout -subject -issuer

Common Issues

Still getting "certificate not trusted" in Chrome

Fully quit Chrome (Cmd+Q) and reopen. Chrome only reads the trust store at startup.

Certificate has no SAN

Even when fully trusted in macOS, Chrome and Safari will reject certificates without a Subject Alternative Name matching the hostname. Use our generator which includes SANs, or regenerate with openssl using the -addext flag.
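Added example (not part of the original guide or of the site's generator): a shell check to run before importing. It regenerates a certificate with -addext and confirms that a DNS SAN, not just the CN, covers the hostname. It assumes an openssl build that supports -addext; the function names, the check-san.sh script name and the hosts are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Generate a self-signed cert/key pair for host $1 with a matching DNS SAN.
# Writes $2.pem and $2.key.
new_cert_with_san() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Print the DNS entries of the SAN extension in cert $1, one per line.
# Prints nothing when the extension is absent.
san_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' \
    | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Return 0 if host $2 is covered by a DNS SAN in cert $1: an exact match or a
# wildcard standing for exactly one leftmost label. The CN is never consulted.
san_matches_host() {
  [ -n "$2" ] || return 1
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  names=$(san_dns_names "$1" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r name; do
    [ "$name" = "$host" ] && return 0
    case "$name" in
      '*.'*)
        suffix=${name#\*}          # e.g. ".example.test"
        label=${host%"$suffix"}    # leftmost part of host if the suffix matched
        if [ "$label" != "$host" ] && [ -n "$label" ]; then
          case "$label" in *.*) ;; *) return 0 ;; esac
        fi ;;
    esac
  done <<EOF
$names
EOF
  return 1
}

# Usage: sh check-san.sh certificate.pem your-domain.local
if [ "$#" -eq 2 ]; then
  if san_matches_host "$1" "$2"; then echo "OK: $1 has a SAN covering $2"
  else echo "FAIL: no DNS SAN in $1 covers $2" >&2; exit 1; fi
fi
```

A certificate that fails this check will still be rejected by Chrome and Safari after it is marked Always Trust, so run it before the import step.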

The cert imports but stays "Not Trusted"

You imported it to the login keychain without changing the trust setting. Double-click the cert in Keychain Access and set "Always Trust".
