It took me almost 13 years, but I finally sat down and solved a problem that has annoyed me since Mac OS X 10 Public Beta: synchronizing OpenSSL's trusted certificate authorities with Mac OS X's trusted certificate authorities.
The issue is simple enough: certificate authorities are used to verify the signatures on the X.509 certificates that servers present when you connect over SSL/TLS. Mac OS X's SSL APIs use one set of trusted CA certificates, OpenSSL uses another, and OpenSSL doesn't ship any by default.
The result of this certificate bifurcation:
Given that computers can automate the mundane, I finally put aside some time to write certsync (permanent viewvc).
It's a simple, single-source-file utility that reads all trusted CAs via Mac OS X's keychain API, and then spits them out as an OpenSSL PEM file. If you pass it the -s flag, it will continue to run after the first export, automatically regenerating the output file when the system trust settings or certificate authorities are modified.
I wrote the utility for use in MacPorts; it's currently available as an experimental port. If you'd like to test it out, it can be installed via:
port -f deactivate curl-ca-bundle
port install certsync
port load certsync # If you want the CA certificates to be updated automatically
Note that forcibly deactivating ports is not generally a good idea, but you can easily restore your installation back to the expected configuration via:
port uninstall certsync
port activate curl-ca-bundle
Or, you can build and run it manually:
clang -mmacosx-version-min=10.6 certsync.m -o certsync -framework Foundation -framework Security -framework CoreServices
./certsync -s -o /System/Library/OpenSSL/cert.pem
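For readers who want to see what "reads all trusted CAs via the keychain API and spits them out as a PEM file" involves, here is an added, stripped-down illustration of that export. It is not certsync's source; it is written for this page against Security.framework's trust-settings API. It walks the user, admin and system trust domains in precedence order, de-duplicates roots listed in more than one domain, skips any certificate whose trust settings carry a Deny result, and hands the survivors to SecItemExport as a PEM sequence. The file name export_roots.m, the output path argument, and the simplification that any Deny entry (even one scoped to a single policy) excludes the certificate are assumptions made here; it has no -s watch mode.

```objective-c
/* export_roots.m (added illustration, not certsync's own code; manual
 * reference counting, so build without -fobjc-arc):
 *   clang -mmacosx-version-min=10.6 export_roots.m -o export_roots \
 *         -framework Foundation -framework Security
 *   ./export_roots /path/to/cert.pem      (omit the path to write to stdout) */
#import <Foundation/Foundation.h>
#import <Security/Security.h>

/* Returns YES unless the trust settings for `cert` in `domain` contain an
 * explicit kSecTrustSettingsResultDeny. Per SecTrustSettings.h an empty
 * settings array means "trusted for every policy", and an entry with no
 * kSecTrustSettingsResult key defaults to kSecTrustSettingsResultTrustRoot.
 * Assumption/simplification: a Deny entry excludes the certificate even when
 * it is scoped to one policy via kSecTrustSettingsPolicy. */
static BOOL CertificateIsTrusted(SecCertificateRef cert, SecTrustSettingsDomain domain) {
    CFArrayRef settings = NULL;
    if (SecTrustSettingsCopyTrustSettings(cert, domain, &settings) != errSecSuccess)
        return NO;

    BOOL trusted = YES;
    for (CFIndex i = 0; i < CFArrayGetCount(settings); i++) {
        CFDictionaryRef entry = CFArrayGetValueAtIndex(settings, i);
        CFNumberRef num = CFDictionaryGetValue(entry, kSecTrustSettingsResult);
        SInt32 result = kSecTrustSettingsResultTrustRoot;
        if (num != NULL)
            CFNumberGetValue(num, kCFNumberSInt32Type, &result);
        if (result == kSecTrustSettingsResultDeny) {
            trusted = NO;
            break;
        }
    }
    CFRelease(settings);
    return trusted;
}

/* Collects trusted certificates from the user, admin and system domains, in
 * that order so that a user-level Deny of a system root wins: the first
 * domain that lists a given DER decides its fate, later copies are ignored. */
static NSArray *CollectTrustedCertificates(void) {
    SecTrustSettingsDomain domains[] = {
        kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem
    };
    NSMutableArray *result = [NSMutableArray array];
    NSMutableSet *seen = [NSMutableSet set]; /* DER blobs already decided */

    for (size_t d = 0; d < sizeof(domains) / sizeof(domains[0]); d++) {
        CFArrayRef certs = NULL;
        OSStatus st = SecTrustSettingsCopyCertificates(domains[d], &certs);
        if (st == errSecNoTrustSettings)
            continue; /* nothing configured in this domain */
        if (st != errSecSuccess) {
            fprintf(stderr, "SecTrustSettingsCopyCertificates(%u) failed: %d\n",
                    (unsigned)domains[d], (int)st);
            continue;
        }
        for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
            SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
            CFDataRef derRef = SecCertificateCopyData(cert);
            NSData *der = (NSData *)derRef;
            BOOL alreadyDecided = [seen containsObject:der];
            if (!alreadyDecided) {
                [seen addObject:der];
                if (CertificateIsTrusted(cert, domains[d]))
                    [result addObject:(id)cert];
            }
            CFRelease(derRef);
        }
        CFRelease(certs);
    }
    return result;
}

/* Serialises the array as a concatenated PEM bundle of the form OpenSSL's
 * CAfile / SSL_CTX_load_verify_locations expects. */
static NSData *ExportPEM(NSArray *certs) {
    CFDataRef pem = NULL;
    OSStatus st = SecItemExport((CFArrayRef)certs, kSecFormatPEMSequence, 0, NULL, &pem);
    if (st != errSecSuccess) {
        fprintf(stderr, "SecItemExport failed: %d\n", (int)st);
        return nil;
    }
    return [(NSData *)pem autorelease];
}

int main(int argc, const char *argv[]) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    int rc = 1;
    NSArray *certs = CollectTrustedCertificates();
    NSData *pem = ExportPEM(certs);
    if (pem != nil) {
        if (argc > 1) {
            NSString *path = [NSString stringWithUTF8String:argv[1]];
            rc = [pem writeToFile:path atomically:YES] ? 0 : 1; /* atomic: no half-written bundle */
        } else {
            fwrite([pem bytes], 1, [pem length], stdout);
            rc = 0;
        }
        fprintf(stderr, "exported %lu trusted certificates\n", (unsigned long)[certs count]);
    }
    [pool drain];
    return rc;
}
```

The atomic write matters for the same reason certsync regenerates the file on trust-settings changes: OpenSSL clients read the bundle at startup, and a partially written cert.pem would silently shrink the set of roots they accept. A quick sanity check on the result is `openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -noout`, which lists each subject in the bundle.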
I also plan to investigate support for Java JKS truststore export (preferably before 2026).