security Get/Set Identity preference

   set-identity-preference [-h] [-n] [-c identity] [-s service] [-u keyUsage] [-Z hash] [keychain...]
            Set the preferred identity to use for a service.

            -n              Specify no identity (clears existing preference for the given service)
            -c identity     Specify identity by common name of the certificate
            -s service      Specify service (may be a URL, RFC822 email address, DNS host, or other name)
                            for which this identity is to be preferred
            -u keyUsage     Specify key usage (optional)
            -Z hash         Specify identity by SHA-1 hash of certificate (optional)

The identity is located by searching the specified keychain(s) for a certificate whose common name contains the given identity string. If no keychains are specified to search, the default search list is used. Different identity preferences can be set for individual key usages. You can differentiate between two identities which contain the same string by providing a SHA-1 hash of the certificate (in addition to, or instead of, the name.)


Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The URL being visited had to match the service name exactly for the preference to be in effect.

In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using a service name with a partial path URL to match more specific paths on the same server. For example, if an identity preference for "" exists, it will be in effect for "", and so on. Note that partial path URLs must end with a trailing slash character.

Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wildcard character '*' as the leftmost component of the service name. Unlike SSL wildcards, cards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name "*" will match "" or "". Likewise, a preference for "*.mil" will match both "" and "".

            KEY USAGE CODES

                 0 - preference is in effect for all possible key usages (default)
                 1 - encryption only
                 2 - decryption only
                 4 - signing only
                 8 - signature verification only
                16 - signing with message recovery only
                32 - signature verification with message recovery only
                64 - key wrapping only
               128 - key unwrapping only
               256 - key derivation only

            To specify more than one usage, add values together.

   get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]
            Get the preferred identity to use for a service.

            -s service      Specify service (may be a URL, RFC822 email address, DNS host, or other name)
            -u keyUsage     Specify key usage (optional)
            -p              Output identity certificate in pem format
            -c              Print common name of the preferred identity certificate
            -Z              Print SHA-1 hash of the preferred identity certificate

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing” ~ Helen Keller

Related macOS commands

security - Administer Keychains, keys, certificates and the Security framework.

Copyright © 1999-2024
Some rights reserved