How to Manage Passwords and Certificates with Keychain Access on macOS
A complete walkthrough of Keychain Access — viewing saved passwords, storing new items securely, managing certificates, and understanding how iCloud Keychain syncs credentials across your devices.
Keychain Access is macOS’s built-in credential manager — it stores website passwords, Wi-Fi passwords, certificates, and secure notes in an encrypted store, and it’s the same system Safari and countless apps quietly rely on every time they “remember” a password for you.
Step 1: open Keychain Access
Applications → Utilities → Keychain Access
Step 2: understand the keychain list on the left
The login keychain is unlocked automatically with your user password and holds most everyday items; the System keychain holds items available to all users and system processes, including Wi-Fi network passwords. iCloud-synced items appear under iCloud Keychain when it’s enabled.
Step 3: find a saved password
Search field (top-right) → type the service name, e.g. "netflix"
Double-click the result, then check Show password — macOS will prompt for your account password before revealing it, since password items are encrypted at rest even from your own view.
Step 4: add a new password item manually
File → New Password Item…
Keychain Item Name: my-server.example.com
Account Name: admin
Password: ••••••••
This is useful for storing credentials for things outside a browser’s own password manager — a database connection, an internal tool, an SSH passphrase reminder — in the same encrypted store macOS already protects.
Step 5: enable iCloud Keychain to sync across devices
System Settings → [your name] → iCloud → Passwords and Keychain → toggle on
Once enabled, passwords saved in Safari or via Keychain Access sync to your other Macs and iOS devices signed into the same Apple ID, encrypted end-to-end in transit and at rest.
Step 6: inspect and manage certificates
Keychain Access → Certificates (category, bottom-left)
This is where TLS/SSL certificates, code-signing certificates, and trust settings for your own or third-party certificate authorities live — relevant when a corporate VPN, an internal company site, or a development certificate needs to be trusted manually.
Step 7: manually trust (or distrust) a certificate
Double-click a certificate → "Trust" section →
"When using this certificate" → set to Always Trust (or Never Trust)
Changing trust here affects how the whole system — not just one browser — evaluates that certificate going forward.
Step 8: audit for old or unused items periodically
Keychain Access → View → Show Deleted Items
(also worth reviewing the full password list for entries tied to services you no longer use)
Old, unused credentials sitting in the keychain aren’t actively dangerous, but a periodic cleanup makes it easier to spot anything that genuinely looks unfamiliar.
Step 9: export or back up a keychain (with caution)
Right-click the login keychain → Export Items…
Exported keychain files are password-protected, but treat the exported file itself as sensitive — it contains the same credentials as the live keychain and should never be stored somewhere less secure than the Mac it came from.
Why this matters beyond “Safari remembers my password”
Keychain Access is the visible tip of a system-wide credential store that Mail, VPN clients, Wi-Fi, and countless third-party apps all read from via macOS’s Keychain Services API — understanding it directly gives you visibility into, and control over, credentials that were often saved automatically without you ever seeing this interface at all.