Removing/Replacing Root Certificate from System Keychains

The certificate that I use to access my email via SSL IMAP expired yesterday. Well, it is actually not the certificate used by the Courier IMAP software on my Linux server, but the self-signed CA certificate that I created 3 years ago, which has been used to sign certificates for a few different applications. I should have created that CA certificate with a 10-year expiry, but now I have to work out how to replace all my signed certificates and get my computers to accept this new CA certificate.

That's where my struggle begins. I downloaded the X.509 certificate to the desktop and double-clicked on the file. Keychain Access popped up asking me where I want to import the certificate to. I picked "X509Anchor", as it should be where the root certificates are. However, Keychain Access failed to import that certificate after I authenticated myself, and displayed this error:

[Screenshot: Keychain Access error on importing the X509 certificate]

D'oh. Running certtool confirms that the old certificate is in the X509Anchor keychain. Doing it from the command line does not help either.

  $ sudo certtool i ca.pem k=/System/Library/Keychains/X509Anchors
  Password:
  ***Error adding certificate to keychain

Looking through the help, there is no way to remove an old certificate using certtool. That left me wondering: how can I replace my CA's certificate when it expires? I am still searching for an answer.

Update 10 Dec 2003 at 6:50am: Got a solution now. To remove the CA certificate, I have to:

  • Open "Keychain Access" from /Applications/Utilities.
  • From the menu, select [File] -> [Add Keychain].
  • Navigate to /System/Library/Keychains and add X509Anchor.
  • All the certificates will then be displayed in the Keychain Access window. Now select the expired root certificate.
  • Click Delete, enter the authentication information, and it will be removed from the keychain.

After the expired certificate has been removed, I have no problem importing a newly generated self-signed certificate made from the same private key. Mail.app is working again!
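The two things the post leaves implicit are how the replacement CA certificate is generated from the existing private key, and how to notice an expiry before the mail client does. The script below is an added example, not part of the original post: it uses openssl (assumed to be installed) to renew a self-signed CA certificate from an existing key with a longer validity, checks how much time a certificate has left, and compares public-key fingerprints so you can confirm the new CA certificate carries the same key as the old one. The key it generates, the subject name "Example Home CA" and the working directory are constructed for the example; in practice you point it at your real ca.key.

```shell
#!/bin/sh
# Added example (not from the original post): renew a self-signed CA
# certificate from an existing private key and check certificate expiry.
# Assumes the openssl command-line tool is available.
set -e

# Working directory for the constructed files (override with WORK=/path).
WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway CA key to stand in for the author's existing key.
# Constructed for this example; with a real CA you reuse the existing ca.key.
make_ca_key() {
  openssl genrsa -out "$WORK/ca.key" 2048 >/dev/null 2>&1
}

# Issue a new self-signed CA certificate from the same private key.
# $1 = validity in days; the post wishes it had used 10 years (about 3650).
renew_ca_cert() {
  days="$1"
  openssl req -new -x509 -key "$WORK/ca.key" -days "$days" \
    -subj "/CN=Example Home CA" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Succeed (exit 0) only if certificate $1 stays valid for at least $2 more
# seconds; this is the check to run from cron before a CA silently expires.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the public key inside certificate $1. Two CA
# certificates with the same fingerprint were made from the same private key,
# which is what lets previously signed certificates keep chaining to the
# renewed CA certificate.
key_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Run "sh renew_ca.sh demo" to exercise the functions end to end.
if [ "${1:-}" = "demo" ]; then
  make_ca_key
  renew_ca_cert 3650
  openssl x509 -in "$WORK/ca.pem" -noout -enddate
  key_fingerprint "$WORK/ca.pem"
fi
```

Import the resulting ca.pem into the system keychain exactly as the post describes once the expired copy has been deleted; the leaf certificates signed by the old CA certificate do not need to be reissued, because the key and subject name behind the CA are unchanged.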