How to use/add a self-signed certificate to Mac OS

Suppose you have a website, a git repository, or a similar service, and you

  • don’t want to use Let’s Encrypt to get certificates,
  • or run a purely internal service, for which a self-signed certificate is quite sufficient.

In either case, you need to add the self-signed certificate to the Mac OS certificate store. Otherwise, you will receive an error message such as “invalid certificate” when using the service over HTTPS.

To do this, first extract the certificate in PEM format:

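# Replace {{ host }} with the server's host name.
# The awk filter keeps the last certificate block the server sends.
openssl s_client -connect {{ host }}:443 -showcerts \
  < /dev/null 2>/dev/null \
  | awk '/BEGIN/{r=""}/BEGIN/,/END/{r = r ORS $0}END{print r}' \
  > cert.pem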

This saves the certificate to the file cert.pem.

Now add it to the Mac OS certificate store:

sudo security add-trusted-cert -d -r trustRoot -k \
  /Library/Keychains/System.keychain cert.pem

Google Chrome will pick it up after the next reboot, and various network utilities will use it as well. All done!
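
The openssl s_client step saves whatever certificate the connection presents, so before the add-trusted-cert step it is worth comparing cert.pem with a fingerprint obtained separately. The check below is an added example, not part of the original post; the function names and EXPECTED_FP (a SHA-256 fingerprint supplied by the service's administrator) are assumptions.

```shell
# Added example: checks to run on cert.pem before trusting it as a root.
# Assumption: EXPECTED_FP is the SHA-256 fingerprint given to you by the
# service's administrator over a separate channel.

# Print the number of certificates in a PEM file.
cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the SHA-256 fingerprint as lowercase hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalize a fingerprint typed or pasted by a person.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed when subject and issuer are the same name (self-issued).
is_self_issued() {
  cbt_subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  cbt_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ -n "$cbt_subject" ] && [ "$cbt_subject" = "$cbt_issuer" ]
}

# Return 0 only if the file holds exactly one self-issued certificate
# whose fingerprint matches the expected value.
check_before_trust() {
  cbt_pem=$1
  cbt_expected=$(normalize_fp "$2")
  [ "$(cert_count "$cbt_pem")" = 1 ] ||
    { echo "expected exactly one certificate in $cbt_pem" >&2; return 1; }
  is_self_issued "$cbt_pem" ||
    { echo "subject and issuer differ: not self-signed" >&2; return 1; }
  [ "$(cert_fingerprint "$cbt_pem")" = "$cbt_expected" ] ||
    { echo "fingerprint does not match the expected value" >&2; return 1; }
}

# Usage (nothing runs when this file is only sourced):
#   check_before_trust cert.pem "$EXPECTED_FP" && \
#     sudo security add-trusted-cert -d -r trustRoot -k \
#       /Library/Keychains/System.keychain cert.pem
```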