Change certificate trust policies on Mac
Certificates are widely used to secure electronic information. For example, a certificate might allow you to sign email, encrypt a document, or connect to a secure network. Each type of use is governed by a trust policy, which determines whether a certificate is valid for that use. A certificate may be valid for some uses but not for others.
macOS uses a number of trust policies to determine whether a certificate is trusted. You can choose a different policy for each certificate, providing a greater amount of control over how certificates are evaluated.
Trust Policy | Description |
---|---|
Use System Defaults or no value specified | Use the default setting for the certificate. |
Always Trust | Trust the author and always allow access to the server or app. |
Never Trust | Don’t trust the author and don’t allow access to the server or app. |
Secure Sockets Layer (SSL) | The name in a server’s certificate must match its DNS host name to successfully establish a connection. The host name check is not performed for SSL client certificates. If there is an extended key usage field, it must contain an appropriate value. |
Secure Mail (S/MIME) | Email uses S/MIME to securely sign and encrypt messages. The user’s email address must be listed in the certificate, and key usage fields must be included. |
Extensible Authentication Protocol (EAP) | When you connect to a network that requires 802.1X authentication, the name in the server’s certificate must match its DNS host name. Host names for client certificates are not checked. If an extended key usage field is present, it must contain an appropriate value. |
IP Security (IPSec) | When certificates are used to secure IP communications (for example, in establishing a VPN connection), the name in the server’s certificate must match its DNS host name. Host names for client certificates are not checked. If an extended key usage field is present, it must contain an appropriate value. |
Code Signing | The certificate must contain key usage settings that explicitly permit it to sign code. |
Time Stamping | This policy determines whether the certificate can be used to create a trusted time stamp, which verifies that a digital signature occurred at a particular time. |
X.509 Basic Policy | This policy determines the validity of the certificate against basic requirements such as being issued from a valid certificate authority, but without concern for the purpose or the allowed key usage. |