Best result so far is with
certtool i fullchain.pem k=/Library/Keychains/System.keychain v x=S
The certificate is added to Keychain Access, with green check-mark. So: looking good!
But it does not show up in the Server app. In the example with the manual Keychain Access import it does show up in the Server app.
Same result with (tried both with and without -w):
security import fullchain.pem -k /Library/Keychains/System.keychain
Makes sense, I guess: there was no private key linked to the certificate.
In Keychain Access, for a correctly installed certificate I could click the small triangle and see the associated private key.
For my newly imported certificate there was no triangle.
I tried adding the private key (using relative or absolute path/file):
certtool i fullchain.pem k=/Library/Keychains/System.keychain v x=S r=privkey.pem
I then get:
***Error finding size of key : CSSM_QueryKeySizeInBits: CSSMERR_CSP_INVALID_KEY
***Error importing private key. Aborting : importPrivateKey: CSSMERR_CSP_INVALID_KEY
To run certtool i again, I (had to) remove the Let’s Encrypt certificate:
security delete-certificate -c "<mydomain>"