cURL / Mailing Lists / curl-library / Single Mail


Re: curl importing certs into mac keystore?

From: Nick Zitzmann <>
Date: Sun, 8 Nov 2015 12:28:52 -0600

> On Nov 3, 2015, at 6:14 AM, Daniel Stenberg <> wrote:
> I fell over this tweet just a while ago and it seems curl does something unexpected here or at the very least undocumented:
> "invoking curl --cert ./smthng.p12 on OSX stores cert and key(!) in your
> Keychain for later use in i.e. Safari." [1]
> Is this intended? If not, we should fix it. If it is, we should document it.

I checked this, and yes, as of OS X 10.11, importing a P12 identity using curl does cause it to get written to the Keychain. However...

1. We aren't doing this intentionally; the Security framework must be doing this when either importing the P12 file using SecPKCS12Import() or setting the identity in the context using SSLSetCertificate().

2. This isn't a security hole, since the user's Keychain is a protected area, and someone can't just come along and read the private key without authentication.

Want me to document it?

Nick Zitzmann

List admin:
Received on 2015-11-08