SearchSupportDocsFree trial
Contact us

Knowledge Base

Knowledge BaseEmail (S/MIME)

How to Change the Trust Settings of a Certificate in Keychain Access on Mac? 

Updated on June 2, 2026

Overview 

By the end of this article, a Mac user will have selected a certificate in Keychain Access on macOS and saved a new trust setting for it — Always Trust, Never Trust, or Use System Defaults — so that applications and secure connections that rely on the certificate behave the way the user intends. The procedure covers opening Keychain Access, choosing the correct keychain and category, opening the certificate, expanding the Trust panel, selecting the new trust preference, and authenticating the change with an administrator password. The article also explains how to verify the change and the security considerations that apply when overriding the default trust behavior, especially for System and System Roots certificates. 

What is Keychain Access? 

Keychain Access is the built-in macOS application that stores passwords, keys, and digital certificates. Each certificate has a set of trust settings that tell macOS whether to trust the certificate for purposes such as Secure Sockets Layer (SSL) connections, code signing, or email signing. Changing those trust settings lets a user override the system default for a single certificate without affecting other certificates. 

Who this is for 

This article is written for IT administrators, developers, and advanced Mac users who need to manage certificate trust on macOS. The procedure applies to any macOS version that ships with Keychain Access and works for certificates already imported into the login, System, or System Roots keychain. 

Prerequisites 

Confirm the following before starting the procedure: 

  • Administrator access to the Mac. 

  • The certificate is already installed in Keychain Access. 

  • An understanding of the security impact of changing trust settings, especially for System or System Roots certificates. 

Procedure 

Step 1 — Open Keychain Access 

1. Press Command (⌘) + Spacebar to open Spotlight Search. 

2. Type Keychain Access and press Return. 

Step 2 — Select a keychain and the Certificates category 

1. In the Keychains sidebar at the top-left, choose the keychain that holds your certificate (for example, login, System, or System Roots). 

2. In the Category section, click Certificates. 

Keychain Access window with the login keychain selected in tKeychain Access window with the login keychain selected in the left sidebar and the My Certificates tab active, listing certificates with name, kind, expiration, and keychain columns. 

Image 1 — Keychain Access with the login keychain and the Certificates category selected. 

Step 3 — Open the certificate 

1. Double-click the certificate you want to modify. 

2. A new window opens with the certificate details and a collapsed Trust section above the Details section. 

Certificate detail window in Keychain Access showing the issCertificate detail window in Keychain Access showing the issuer Sectigo Public Email Protection CA R36, an expiration date, a not-trusted indicator, and the collapsed Trust and Details disclosure rows. 

Image 2 — Certificate detail window with the Trust and Details rows collapsed. 

Step 4 — Show the trust settings 

1. In the certificate window, click the disclosure arrow next to Trust to expand the trust settings panel. 

Same certificate detail window with a red arrow pointing at Same certificate detail window with a red arrow pointing at the disclosure triangle next to the Trust label, indicating where to click to expand the trust settings. 

Image 3 — Click the disclosure arrow next to Trust to expand the trust panel. 

Step 5 — Choose a new trust setting and save 

1. Use the When using this certificate pop-up menu, or any of the per-purpose pop-ups, to choose how macOS should trust the certificate (Always Trust, Never Trust, or Use System Defaults). 

2. Close the certificate window. When prompted, enter the administrator name and password to save the change. 

Expanded Trust panel listing per-purpose pop-up menus for SeExpanded Trust panel listing per-purpose pop-up menus for Secure Sockets Layer SSL, Secure Mail SMIME, Extensible Authentication EAP, IP Security IPsec, Code Signing, Time Stamping, and X.509 Basic Policy, each set to Always Trust. 

Image 4 — Expanded Trust panel with per-purpose pop-ups set to Always Trust. 

How to verify success 

Reopen the certificate in Keychain Access and confirm that the Trust panel shows the new setting. Then test the application or secure connection that depends on the certificate (for example, a browser, mail client, or development tool) and confirm that no trust-related warnings appear and that the connection behaves as expected. 

Important note 

Be cautious when changing trust settings. 

Overriding the default trust for a System or System Roots certificate can weaken the security posture of the Mac and can produce silent failures or unexpected security warnings in connected applications. Only change trust settings on certificates you have explicitly verified, and revert the change as soon as it is no longer required. 

 

Related articles 

How to generate a Certificate Signing Request (CSR) for S/MIME certificates on macOS using Keychain Access

Need assistance?

Contact our team for help with your purchase or issuing your certificate.

Live chat

Click the button below or click "Chat with an Expert" to start chatting with us now!

Start chat

Call us today

United States
+1 888 266 6361
France
+33 3 66 72 95 95
Italy
+39 02 4792 1708
Spain
+34 900 838 451
Germany
+49 800 1002328
International
+1 914 732 844

Resources