What is the macOS equivalent of Windows certificate store names?
The equivalent on macOS is the Keychain name.
On Windows you have for example the "Current User Certificate Store". The corresponding on macOS would be the user's login keychain: ~/Library/Keychains/login.keychain-db. There's one for each user on the system, and it stores the certificates relevant to that user only.
On Windows you have the "Local Machine Certificate Store" that holds certificates added by users to be accessed by all users on the local computer. The corresponding on macOS would be the System keychain: /Library/Keychains/System.keychain
On Windows you have the "Trusted Root Certification Authorities Certificate Store" that holds CA certificates trusted by the operating system in general. The corresponding on macOS is the System Root Certificates keychain: /System/Library/Keychains/SystemRootCertificates.keychain
You can list the certificates in each of those keychains by using the built-in security command. For example to get an overview list:
security find-certificate -a ~/Library/Keychains/login.keychain-db
security find-certificate -a /Library/Keychains/System.keychain
security find-certificate -a /System/Library/Keychains/SystemRootCertificates.keychain
or to export the actual certificates in PEM format:
security find-certificate -a -p ~/Library/Keychains/login.keychain-db
security find-certificate -a -p /Library/Keychains/System.keychain
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain
The exception to the rule above is what is known as the "Trusted Publishers Certificate Store" in Windows - this is not stored in a Keychain on macOS, but instead in a system assessment rule database. The name of that is: /var/db/SystemPolicy
You can create a list of those with the following command:
sudo spctl --list --type execute
The output is a list of assessment rules, which besides a few generic, Apple-specific rules, is basically a list of the hashes of the certificates of the trusted publishers.
The actual certificate information cannot be exported from the SystemPolicy database, as they're not contained there. You can however get to that data by traversing the installed applications (for example in /Applications) and running:
codesign -d -r- -vvvv /Applications/AnApp.app
This allows you to gather information such as the publisher's name, subject organisational unit, CA name (Apple Root CA) and timestamps.
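The following script is an added example, not part of the answer above: it maps the three Windows store names to the keychain paths the answer gives, exports a keychain with `security find-certificate -a -p` when that tool is present, and splits the resulting PEM stream into one file per certificate so each can be inspected individually (for instance with `openssl x509 -noout -subject -issuer -in cert-1.pem`). The function names and the embedded sample PEM text are constructed for illustration; the sample is not a real certificate.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the original answer).

# Translate a Windows certificate store name into the macOS keychain path
# described above. Returns 1 for names that have no keychain equivalent
# (e.g. "Trusted Publishers", which lives in /var/db/SystemPolicy instead).
keychain_for_store() {
  case "$1" in
    "Current User"|"CurrentUser"|"My")
      echo "$HOME/Library/Keychains/login.keychain-db" ;;
    "Local Machine"|"LocalMachine")
      echo "/Library/Keychains/System.keychain" ;;
    "Trusted Root"|"Root")
      echo "/System/Library/Keychains/SystemRootCertificates.keychain" ;;
    *)
      return 1 ;;
  esac
}

# Export every certificate of a store as PEM on stdout. Only works where the
# macOS security(1) tool exists; elsewhere it reports the path it would read.
export_store_pem() {
  kc=$(keychain_for_store "$1") || { echo "no keychain for store: $1" >&2; return 1; }
  if command -v security >/dev/null 2>&1; then
    security find-certificate -a -p "$kc"
  else
    echo "security(1) not available here; would read $kc" >&2
    return 2
  fi
}

# Split a PEM stream (stdin) into $1/cert-1.pem, $1/cert-2.pem, ... and print
# the number of certificates written. Lines between certificates are ignored,
# and each file is closed at its END marker so it is never truncated later.
split_pem_to_dir() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; in_cert = 1 }
    in_cert { print > out }
    /-----END CERTIFICATE-----/ { in_cert = 0; close(out) }
    END { print n + 0 }
  '
}

# Constructed sample: two PEM-shaped blocks with placeholder bodies, so the
# splitter can be exercised without access to a real keychain.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFkgT05F
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFkgVFdP
-----END CERTIFICATE-----'

# Usage on a Mac:
#   export_store_pem "Local Machine" | split_pem_to_dir ./system-certs
#   for f in ./system-certs/cert-*.pem; do openssl x509 -noout -subject -in "$f"; done
```

Splitting the export into single-certificate files is the step that makes the macOS stores comparable to what the Windows MMC snap-in shows per entry: each file can then be hashed, diffed against a known-good baseline, or checked for an unexpected issuer.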