First I'd like to thank you for being aware that certificates should be checked. Unfortunately most people just live with the insecure defaults and are happy that no errors get thrown.
But to your question: OpenSSL does not use the keychain on OS X (see also http://landonf.bikemonkey.org/code/macosx/certsync.20130514.html). On all platforms openssl determines the default locations the same way (see crypto/cryptlib.h in the openssl source):
- The default directory containing certificates as fingerprints (e.g. ff588423.0 etc.) is either the value of the environment variable SSL_CERT_DIR or OPENSSLDIR/certs/, where OPENSSLDIR is configured at compile time. You get the value of OPENSSLDIR either by calling the command `openssl version -d` or by calling the function SSLeay_version(5), which should be available within PHP too.
- Similarly, the default file containing the CAs is either specified by the environment variable SSL_CERT_FILE or OPENSSLDIR/cert.pem.
- Both locations (dir and file) can be used in parallel.
These settings usually work on Linux and *BSD systems because they have their certificates installed in the expected location, but fail on Windows and OS X, which have their own certificate management incompatible with openssl. So on these platforms you either need to find a way to convert the builtin CAs or just use the CA bundle from Mozilla, converted to PEM. You can find this at http://curl.haxx.se/ca/cacert.pem
EDIT: I've just read that the native openssl on OS X was patched by Apple to add support for TEA (e.g. integrating into the keychain), although the way it was added is buggy; see https://hynek.me/articles/apple-openssl-verification-surprises/ for details.
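The lookup order described in this answer, as an added Python example (not the poster's code): it mirrors the SSL_CERT_DIR / SSL_CERT_FILE-then-OPENSSLDIR rule, checks whether the resolved locations would actually give OpenSSL something to verify against, and reads the compiled-in defaults the way `openssl version -d` would, via Python's `ssl.get_default_verify_paths()`. The sample store layout in `demo()` is constructed in a temporary directory; no real OPENSSLDIR is assumed.

```python
import os
import ssl
import tempfile

HEX = set("0123456789abcdef")

def resolve_ca_locations(openssldir, env=None):
    """Apply OpenSSL's default lookup rule: the environment variables
    SSL_CERT_DIR / SSL_CERT_FILE win, otherwise OPENSSLDIR/certs and
    OPENSSLDIR/cert.pem are used (both may be set and are used in parallel)."""
    env = os.environ if env is None else env
    base = openssldir.rstrip("/")
    cert_dir = env.get("SSL_CERT_DIR") or base + "/certs"
    cert_file = env.get("SSL_CERT_FILE") or base + "/cert.pem"
    return cert_dir, cert_file

def is_hashed_cert_name(name):
    """True for c_rehash-style names such as ff588423.0: eight hex digits,
    a dot and a numeric counter. CRL links (.r0) are deliberately excluded."""
    stem, dot, suffix = name.rpartition(".")
    return dot == "." and len(stem) == 8 and set(stem) <= HEX and suffix.isdigit()

def audit_ca_store(cert_dir, cert_file):
    """Report whether each location is usable for verification: a directory
    only helps if it holds hashed entries, a file only if it exists."""
    hashed = 0
    if os.path.isdir(cert_dir):
        hashed = sum(1 for n in os.listdir(cert_dir) if is_hashed_cert_name(n))
    return {"dir_usable": hashed > 0, "hashed_entries": hashed,
            "file_usable": os.path.isfile(cert_file)}

def compiled_in_defaults():
    """Runtime equivalent of `openssl version -d`: the CA paths and env var
    names baked into the OpenSSL this Python interpreter links against."""
    p = ssl.get_default_verify_paths()
    return {"cafile_env": p.openssl_cafile_env, "cafile": p.openssl_cafile,
            "capath_env": p.openssl_capath_env, "capath": p.openssl_capath}

def demo():
    """Constructed sample: a pretend OPENSSLDIR with one hashed CA link in
    certs/ but no cert.pem, and SSL_CERT_FILE pointing at a missing bundle."""
    with tempfile.TemporaryDirectory() as openssldir:
        os.mkdir(os.path.join(openssldir, "certs"))
        for name in ("ff588423.0", "README"):  # only the first one counts
            open(os.path.join(openssldir, "certs", name), "w").close()
        fake_env = {"SSL_CERT_FILE": os.path.join(openssldir, "missing.pem")}
        cert_dir, cert_file = resolve_ca_locations(openssldir, fake_env)
        return audit_ca_store(cert_dir, cert_file)

if __name__ == "__main__":
    print(compiled_in_defaults())
    print(demo())  # {'dir_usable': True, 'hashed_entries': 1, 'file_usable': False}
```

Run it once with no environment overrides to see which of the two compiled-in locations your build would actually consult, and once more with SSL_CERT_FILE pointed at the Mozilla bundle to confirm the override takes effect.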