Keychain Primer for macOS

This guide provides an overview of how to access and utilize the Keychain Access Utility to troubleshoot common issues on macOS devices. It covers a range of scenarios including difficulties connecting to servers, irregularities with PEAP/EAP wireless connections, and issues requiring certificates or tokens for authentication. This document is intended to serve as a foundational reference for addressing these types of issues effectively.

Locating the Keychain Access Utility

To open the Keychain Access Utility, launch Finder and navigate to the following path:

Hard Drive > System > Library > CoreServices > Applications > Keychain Access

Alternatively, you can use Spotlight Search by clicking the magnifying glass icon in the upper-right corner of the desktop, near the clock. Type "Keychain Access" in the search bar and select it from the results.

⚠️ Note: You may be prompted with a dialog box asking whether you'd like to open Keychain Access or Passwords. Be sure to select Keychain Access.


The Keychain Access Window

Once opened, the Keychain Access window will appear. The majority of troubleshooting will take place within two key areas:

  • Login Keychain
  • System Keychain


Login Keychain

The Login Keychain manages items that are specific to the individual user. No administrative credentials are required to access it — the user simply needs to be logged in and have the Keychain Access application open. Items stored here include:

  • Website passwords
  • Application passwords
  • Wi-Fi credentials
  • Certificates and private keys tied to the user
  • Secure notes

System Keychain

The System Keychain manages system-wide items and requires administrative credentials to access and modify. Items stored here include:

  • System-level certificates
  • Wi-Fi credentials shared across all users
  • VPN credentials
  • MDM and enrollment certificates
  • Root and intermediate certificates
  • Active Directory certificates and tokens

Real-World Example:

A common scenario where the System Keychain comes into play is when a user attempts to connect to a server — for example:

SMB://ads.case.edu/UGEN/Documents

The user enters their ABC123 username and the corresponding password, but the authentication dialog simply shakes, indicating a failed login. A review of the Console logs showed an error stating that an incorrect username was being used. The root cause was a stale or corrupt Active Directory token stored in the System Keychain for the UGEN connection. Once that token was deleted, the user was able to connect successfully.

This is a good example of the types of issues the System Keychain can cause and why it's an important area to check during troubleshooting.
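The check behind this example, written here as an added shell example that is not part of the original guide: it assumes Apple's `security` command-line tool (the CLI counterpart of Keychain Access) and parses its `dump-keychain` output to show which account each keychain has stored for a server, flag entries whose stored account differs from the one the user is typing (the "incorrect username" symptom above), and print the matching `security delete-internet-password` command without running it. The keychain dump embedded below is constructed, with abbreviated attribute lists, so the parser can be exercised on any machine; the paths and the `olduser`/`abc123` accounts are made up.

```shell
#!/bin/sh
# Added example (not from the original guide): find which account the login and
# System keychains hold for a server, and spot a stale entry before removing it.
# Assumes the macOS `security` CLI; where it is absent, a constructed sample is used.

# Constructed, abbreviated `security dump-keychain` output: one smb entry in the
# user's login keychain, one unrelated generic password, and one smb entry in the
# System keychain stored under a different (stale) account.
SAMPLE_DUMP=$(cat <<'EOF'
keychain: "/Users/someuser/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="ads.case.edu"
    "acct"<blob>="abc123"
    "desc"<blob>="Network Password"
    "ptcl"<uint32>="smb "
    "srvr"<blob>="ads.case.edu"
keychain: "/Users/someuser/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Some App"
    "acct"<blob>="someuser"
    "svce"<blob>="Some App"
keychain: "/Library/Keychains/System.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="ads.case.edu"
    "acct"<blob>="olduser"
    "desc"<blob>="Network Password"
    "ptcl"<uint32>="smb "
    "srvr"<blob>="ads.case.edu"
EOF
)

# list_server_entries DUMP_TEXT SERVER
# Prints "keychain<TAB>account<TAB>server" for each internet-password ("inet")
# item whose "srvr" attribute equals SERVER. Items start at a "keychain:" line,
# and "acct" is printed before "srvr", so the record is complete at the srvr line.
list_server_entries() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^keychain:/      { kc = $2; gsub(/"/, "", kc); cls = ""; acct = "" }
        /^class:/         { cls = $2; gsub(/"/, "", cls) }
        /"acct"<blob>="/  { acct = $0; sub(/.*="/, "", acct); sub(/"$/, "", acct) }
        /"srvr"<blob>="/  { srvr = $0; sub(/.*="/, "", srvr); sub(/"$/, "", srvr)
                            if (cls == "inet" && srvr == want) print kc "\t" acct "\t" srvr }
    '
}

# stale_entries DUMP_TEXT SERVER EXPECTED_ACCOUNT
# Entries for SERVER whose stored account is not the one the user is typing;
# these are the candidates behind an "incorrect username" failure.
stale_entries() {
    list_server_entries "$1" "$2" | awk -F'\t' -v ok="$3" '$2 != ok'
}

# removal_command KEYCHAIN ACCOUNT SERVER
# Prints (does not run) the security(1) call that deletes the stale item.
# The System keychain requires administrator rights, hence sudo.
removal_command() {
    case "$1" in
        /Library/Keychains/System.keychain) printf 'sudo ' ;;
    esac
    printf 'security delete-internet-password -a %s -s %s %s\n' "$2" "$3" "$1"
}

# keychain_dump: the real keychains on a Mac, the constructed sample elsewhere.
keychain_dump() {
    if command -v security >/dev/null 2>&1; then
        security dump-keychain login.keychain-db /Library/Keychains/System.keychain 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_DUMP"
    fi
}

server=ads.case.edu
typed_account=abc123
echo "Stored entries for $server:"
list_server_entries "$(keychain_dump)" "$server"
echo "Entries whose account is not $typed_account (stale candidates):"
stale_entries "$(keychain_dump)" "$server" "$typed_account" |
    while IFS="$(printf '\t')" read -r kc acct srvr; do
        echo "  $kc holds account '$acct'; to remove: $(removal_command "$kc" "$acct" "$srvr")"
    done
```

The script only reports and prints the deletion command; removing the item stays a deliberate step for the technician, and on the System keychain it needs administrator credentials, exactly as the Keychain Access GUI does.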


Resetting the Keychain (Nuclear Option)

If standard troubleshooting steps have been exhausted, it is possible to perform a full Keychain reset, which will clear all stored data and restore the keychain to its default state. To do this:

  1. Open Keychain Access
  2. In the menu bar, click Keychain Access
  3. Select Keychain Access Settings
  4. Click Reset Default Keychains


🚨 WARNING: Resetting the keychain will permanently erase all saved passwords, including Wi-Fi credentials, application passwords, and any other stored items. While this will resolve keychain-related issues, it is critical that the user is fully informed of the consequences before proceeding. This should be used as a last resort only.