This is something I noticed well over a year ago. I filed a bug report and forgot about it. I revisited this issue, and it still isn't fixed in Mavericks. I'm hoping that more bug reports will get someone to act.
In a nutshell, you can use /usr/bin/security to find or delete certificates by their common name or their SHA-1 hash. Since the names can be full of gibberish, the hash is the best way to handle this… but that functionality doesn't work. Specifying any hash always returns the same certificate:
flamingo:~ joliver$ security find-certificate -Z B80186D1EB9C86A54104CF3054F34C52B7E558C6 /System/Library/Keychains/SystemRootCertificates.keychain
SHA-1 hash: 2DFF6336E33A4829AA009F01A1801EE7EBA582BB
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
"alis"<blob>="Prefectural Association For JPKI"
"cenc"<uint32>=0x00000003
"ctyp"<uint32>=0x00000001
"hpky"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
"issu"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
"labl"<blob>="Prefectural Association For JPKI"
"skid"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
"snbr"<blob>=0x01
"subj"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
flamingo:~ joliver$ security find-certificate -Z E7B4F69D61EC9069DB7E90A7401A3CF47D4FE8EE /System/Library/Keychains/SystemRootCertificates.keychain
SHA-1 hash: 2DFF6336E33A4829AA009F01A1801EE7EBA582BB
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
"alis"<blob>="Prefectural Association For JPKI"
"cenc"<uint32>=0x00000003
"ctyp"<uint32>=0x00000001
"hpky"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
"issu"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
"labl"<blob>="Prefectural Association For JPKI"
"skid"<blob>=0xD4173220AA40D911D8E69999080BB5FF2647CA7C "\324\0272 \252@\331\021\330\346\231\231\010\013\265\377&G\312|"
"snbr"<blob>=0x01
"subj"<blob>=0x305A310B3009060355040613024A50310D300B060355040A0C044A504B4931293027060355040B0C20507265666563747572616C204173736F63696174696F6E20466F72204A504B493111300F060355040B0C084272696467654341 "0Z1\0130\011\006\003U\004\006\023\002JP1\0150\013\006\003U\004\012\014\004JPKI1)0'\006\003U\004\013\014 Prefectural Association For JPKI1\0210\017\006\003U\004\013\014\010BridgeCA"
I'm hoping that getting more than one or two reports will stir Apple to fix this. I just resubmitted a bug report under my own account (the first time, I had to use someone else's, as it took Apple weeks or even a couple of months to let me be able to log in; that's another story :-) ). It's unfathomable to me that nobody can see any bug reports other than their own. It's yet another way Apple really falls down, but THAT'S another issue too :-)
--
John Oliver | SAIC
Defense & Maritime Solutions
Surveillance and Reconnaissance Solutions Division
SPAWAR Systems Center Pacific | Code 53223
Sr. Systems Administrator
Bldg 600 | Room 428N
Office: (619) 553-9567
DCO: email@hidden
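A guard against the behaviour shown above, as an added example that is not part of the original post: filter a full listing on the "SHA-1 hash:" line the tool prints, and act only when exactly one certificate carries the requested hash. It assumes `security find-certificate -a -Z <keychain>` lists every certificate in the format shown in the post; the function names and the second certificate's label are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Normalise a fingerprint: drop spaces/colons, uppercase the hex digits.
norm_hash() { printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'; }

# Read find-certificate style output on stdin; print only the block(s) whose
# "SHA-1 hash:" line equals the requested hash. Returns 2 on a malformed hash.
select_cert_by_sha1() {
    want=$(norm_hash "$1")
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    # Appending "" forces a string comparison, never a numeric one.
    awk -v want="$want" '
        /^SHA-1 hash: / { keep = (($3 "") == (want "")) }
        keep { print }'
}

# Succeed only if exactly one certificate in the listing has that hash,
# e.g. as a precondition before any delete.
verify_unique_match() {
    n=$(select_cert_by_sha1 "$1" | awk '/^SHA-1 hash: /{n++} END{print n+0}')
    [ "$n" -eq 1 ]
}

# Constructed sample listing in the format shown in the post.
sample_listing() {
    cat <<'EOF'
SHA-1 hash: 2DFF6336E33A4829AA009F01A1801EE7EBA582BB
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="Prefectural Association For JPKI"
SHA-1 hash: B80186D1EB9C86A54104CF3054F34C52B7E558C6
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="Example Root CA (constructed)"
EOF
}

# Demo on the sample. On a Mac, pipe in the real listing instead (assumed usage):
#   security find-certificate -a -Z "$KEYCHAIN" | select_cert_by_sha1 "$HASH"
sample_listing | select_cert_by_sha1 b80186d1eb9c86a54104cf3054f34c52b7e558c6
```
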