How to repair your keychain by making a fresh one

As of OS X 10.11.2, Apple removed the repair feature in its Keychain Access app, for security reasons. If you have a defective keychain, the only way that you can try to fix it now is to make a fresh one, and copy over as much as you can from your old keychain. Although this article has been written using Keychain Access 9.0 in macOS Sierra 10.12.1, these instructions should hold good for El Capitan too.

If you have iCloud Keychain enabled, you should read Apple’s guidance on this. You may find it best to turn this off before you perform any of this. However, in theory at least, with iCloud Keychain enabled, you should not have to repair a keychain.

Locate the app Keychain Access, in the Utilities folder of your top-level Applications folder. You cannot move or remove this app, as it is protected by SIP in Sierra.

Normally when you first open the app, it opens login, which is the current user’s login keychain, used for authentication at login. In normal circumstances, it should be left unlocked from then on. If it is locked, see this article for dealing with that issue.

Apple provides a shortcut for creating a new default keychain in the Preferences dialog of Keychain Access. Open Preferences, and click on the Reset My Default Keychain button at the bottom if you wish to use this. It will then create a new empty login keychain, and rename the old one, from which you can copy the contents over to the new login keychain.

Alternatively, you can use the New Keychain… command in the File menu to create a new empty keychain, although that will not then be named login, which is the standard default keychain. Give it a name such as newlogin, and save it to the default Keychains folder. You will then be prompted to enter a new password for it: enter your normal login password here, so that it starts off in sync with your login password.

If you want to give it a new password, you can click on the key button and get the helper to construct one for you.

Whichever approach you use, your new keychain is empty. You now have to populate it from your old one. Select the keychain from which you wish to copy, and ensure the category at the lower left is set to All Items. The Select All command in the Edit menu (Command-A as usual) selects all the items in that keychain. Then use the Copy command (Command-C), select your new keychain at the left, and press Command-V to paste the items into the new keychain.

Then comes the really tedious bit: you will have to authenticate for each item which is protected in that keychain, to allow it to be pasted into the new keychain. You cannot simply paste your password in using Command-V, but must type it each time.

You then end up with your new keychain with all your old passwords, certificates, and other contents.

If you chose not to use Apple’s shortcut method to create a new default keychain, you must then make your new keychain the default. Control-click on your new keychain at the left of the window to bring up the contextual menu, and in that select the command to Make Keychain [] Default.

When you’re happy with your new keychain, you can, if you wish, delete the old one by selecting the old keychain and using Control-click to show the contextual menu.

If your keychain problems continue, and you have not yet worked through all the suggestions here, you are unlikely to be able to resolve this issue yourself, and it may well be a fault in macOS rather than your keychain.