Monday, October 19, 2015

List CAs on OS X from the command line

This turned out to be more difficult than it should have been. I can easily see the certs in the browser, but I wanted a list on the command line. Here's what it took.

# brew install nss
# /usr/local/Cellar/nss/3.20/bin/certutil -d ~/Library/Application\ Support/Firefox/Profiles/rnwwcxjq.default -L

Easy enough when you see it. Note: that's my profile path, not yours. The thing is, that only shows "Software Security Device" certs, not the "Builtin Object Token" certs. That took:

# mkdir /tmp/nss
# cd /tmp/nss
# /usr/local/Cellar/nss/3.20/bin/certutil -N -d .
# /usr/local/Cellar/nss/3.20/bin/modutil -add roots -libfile /usr/local/Cellar/nss/3.20/lib/libnssckbi.dylib -dbdir .
# /usr/local/Cellar/nss/3.20/bin/certutil -L -d . -h all

Kudos to http://mozilla.6506.n7.nabble.com/How-do-I-get-the-certificates-out-of-the-builtin-object-token-td198543.html
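
An added example, not part of the original post: a small shell filter over a saved `certutil -L -h all` listing. It separates "Builtin Object Token" entries from locally stored ones and reports the local certificates whose SSL trust flags include `C`, meaning a CA that was added to the profile and trusted to issue server certificates. The function names and the sample listing are constructed, and the script assumes certutil's usual layout of a nickname column followed by an SSL,S/MIME,JAR/XPI trust triple.

```shell
#!/bin/sh
# Added example: audit a saved `certutil -L -d . -h all` listing.

# classify_cas: read a listing on stdin, print "<origin>\t<ssl-flags>\t<nickname>".
# origin is "builtin" for "Builtin Object Token:" entries, otherwise "local".
classify_cas() {
    awk '
    # Skip the two header lines and blank lines.
    /^Certificate Nickname/ || /^[[:space:]]*SSL,S\/MIME/ || /^[[:space:]]*$/ { next }
    {
        # Last column is the trust triple: SSL,S/MIME,JAR/XPI.
        if (split($NF, flags, ",") != 3) next
        # Nicknames contain spaces, so strip only the final column.
        nick = $0
        sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", nick)
        origin = "local"
        prefix = "Builtin Object Token:"
        if (index(nick, prefix) == 1) {
            origin = "builtin"
            nick = substr(nick, length(prefix) + 1)
        }
        printf "%s\t%s\t%s\n", origin, flags[1], nick
    }'
}

# local_ssl_roots: nicknames of non-builtin certs whose SSL flags contain "C"
# (trusted CA for issuing server certificates).
local_ssl_roots() {
    classify_cas | awk -F '\t' '$1 == "local" && $2 ~ /C/ { print $3 }'
}

# Constructed sample listing (certificate names are made up).
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Proxy CA                                        CT,C,
Example Intermediate                                         ,,
Builtin Object Token:Example Root CA 1                       C,C,C
EOF
}

# Stand-alone run: show locally added CAs trusted for SSL in the sample.
sample_listing | local_ssl_roots
```

To audit a real profile, pipe the output of the `certutil -L ... -h all` command into `local_ssl_roots` instead of the sample.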
