Adding Self-Signed CA to Safari, Chrome & Chromium-based Browsers on macOS

macOS uses Keychain Access to manage the CAs for Safari and Chrome.

Double-click the exported CA. Enter your macOS user account credentials to allow Keychain Access to add the CA to the keychain store.

Once you have added the CA, open the Keychain Access app. You will notice a red X on the icon next to the name of the CA you just imported. This means that the CA is not trusted.

By default, macOS does not trust any manually added CA. You have to explicitly set the CA as trusted.

Double-click the CA within Keychain Access and expand the Trust drop-down. Select the Always Trust option for Secure Sockets Layer (SSL). This is the minimum amount of trust necessary for it to identify internal HTTPS websites.

One thing to note is that, due to Apple’s stance on shorter certificate lifetimes, Safari or Chrome will show Not Secure errors if your self-signed certificate is valid for more than 395 days.

If the certificate validity is set to 395 days or less, the browser will happily accept it and give you the green secure connection symbol.

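To check a certificate against the 395-day limit described above before importing the CA, the following added example (not part of the original page) parses the output of `openssl x509 -noout -dates -in <cert>` and computes the validity period. The function names and the sample outputs are constructed for illustration.

```python
import ssl

MAX_VALIDITY_DAYS = 395  # limit stated on this page

# Constructed sample output of `openssl x509 -noout -dates -in <cert>`
SAMPLE_OK = (
    "notBefore=Jul 20 15:00:00 2021 GMT\n"
    "notAfter=Aug 19 15:00:00 2022 GMT\n"
)
SAMPLE_TOO_LONG = (
    "notBefore=Jul 20 15:00:00 2021 GMT\n"
    "notAfter=Jul 20 15:00:00 2023 GMT\n"
)


def parse_dates(openssl_output):
    """Return (not_before, not_after) as Unix timestamps."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ("notBefore", "notAfter"):
            # Locale-independent parser for the certificate time format,
            # including the space-padded day OpenSSL prints ("Jul  9 ...").
            fields[key] = ssl.cert_time_to_seconds(value.strip())
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def validity_days(openssl_output):
    """Validity period in days; a partial day counts as a full day."""
    not_before, not_after = parse_dates(openssl_output)
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    return -(-(not_after - not_before) // 86400)  # ceiling division


def within_limit(openssl_output, limit=MAX_VALIDITY_DAYS):
    """True if the certificate's validity period does not exceed the limit."""
    return validity_days(openssl_output) <= limit


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("too long", SAMPLE_TOO_LONG)):
        print(name, validity_days(sample), within_limit(sample))
```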