set-identity-preference [-h] [-n] [-c identity] [-s service] [-u keyUsage] [-Z hash] [keychain...]

Set the preferred identity to use for a service.

   -n            Specify no identity (clears existing preference for the given service)
   -c identity   Specify identity by common name of the certificate
   -s service    Specify service (may be a URL, RFC822 email address, DNS host, or other name)
                 for which this identity is to be preferred
   -u keyUsage   Specify key usage (optional)
   -Z hash       Specify identity by SHA-1 hash of certificate (optional)
The identity is located by searching the specified keychain(s) for a certificate whose common
name contains the given identity string. If no keychains are specified to search, the default
search list is used. Different identity preferences can be set for individual key usages. You
can differentiate between two identities which contain the same string by providing a SHA-1 hash
of the certificate (in addition to, or instead of, the name.)
PARTIAL PATHS AND WILDCARDS
Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a
per-URL basis. The URL being visited had to match the service name exactly for the preference to
be in effect.
In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using a
service name with a partial path URL to match more specific paths on the same server. For example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect
for "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must
end with a trailing slash character.
Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by
using the wildcard character '*' as the leftmost component of the service name. Unlike SSL
wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity
preference for the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".
KEY USAGE CODES

   0   - preference is in effect for all possible key usages (default)
   1   - encryption only
   2   - decryption only
   4   - signing only
   8   - signature verification only
   16  - signing with message recovery only
   32  - signature verification with message recovery only
   64  - key wrapping only
   128 - key unwrapping only
   256 - key derivation only

To specify more than one usage, add values together.

get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]

Get the preferred identity to use for a service.

   -s service    Specify service (may be a URL, RFC822 email address, DNS host, or other name)
   -u keyUsage   Specify key usage (optional)
   -p            Output identity certificate in pem format
   -c            Print common name of the preferred identity certificate
   -Z            Print SHA-1 hash of the preferred identity certificate
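As an added example (not part of the security(1) man page), a POSIX shell helper that builds the -u keyUsage value from the codes above, emulates the service-matching rules described under PARTIAL PATHS AND WILDCARDS so you can check which stored preference would apply before setting one, and prints the resulting set-identity-preference command. The usage names (sign, verify, ...) are my own labels, and the wildcard check assumes at least one subdomain label before the suffix, which the page does not state either way.

```shell
# Added example, not part of security(1). Usage names are my own labels for
# the KEY USAGE CODES table; wildcard matching assumes at least one label
# before the suffix (the page does not say whether "*.army.mil" covers "army.mil").

# keyusage_mask [name...] -> prints the -u value; no names or "all" means 0.
keyusage_mask() {
    mask=0
    for u in "$@"; do
        case "$u" in
            all)       echo 0; return 0 ;;
            encrypt)   mask=$((mask | 1)) ;;
            decrypt)   mask=$((mask | 2)) ;;
            sign)      mask=$((mask | 4)) ;;
            verify)    mask=$((mask | 8)) ;;
            sign-mr)   mask=$((mask | 16)) ;;   # signing with message recovery
            verify-mr) mask=$((mask | 32)) ;;   # verification with message recovery
            wrap)      mask=$((mask | 64)) ;;
            unwrap)    mask=$((mask | 128)) ;;
            derive)    mask=$((mask | 256)) ;;
            *) echo "unknown key usage: $u" >&2; return 1 ;;
        esac
    done
    echo "$mask"
}

# pref_matches STORED_SERVICE CANDIDATE -> 0 if the stored preference name
# would be in effect for CANDIDATE under the page's matching rules.
pref_matches() {
    pref=$1; cand=$2
    case "$pref" in
        "$cand") return 0 ;;                     # exact service name
        '*.'*)                                   # per-domain wildcard (10.6+)
            suffix=${pref#\*}                    # "*.army.mil" -> ".army.mil"
            prefix=${cand%"$suffix"}             # unchanged if suffix absent
            [ "$prefix" != "$cand" ] && [ -n "$prefix" ] && return 0
            return 1 ;;
        */)                                      # partial-path URL (10.5.4+)
            case "$cand" in "$pref"*) return 0 ;; esac
            return 1 ;;
    esac
    return 1
}

# set_pref_cmd COMMON_NAME SERVICE [usage...] -> prints the command to run.
set_pref_cmd() {
    cn=$1; svc=$2; shift 2
    mask=$(keyusage_mask "$@") || return 1
    printf 'security set-identity-preference -c "%s" -s "%s" -u %s\n' "$cn" "$svc" "$mask"
}
```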
“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing” ~ Helen Keller
Related macOS commands:
security - Administer Keychains, keys, certificates and the Security framework.