Under Mac OS X there is a program named “security” which lets you manipulate the keychain. Its error messages are a bit useless though.
If you find yourself trying to validate a certificate and getting "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE" as a result, it could be because the certificate has entries in the subjectAltName encoded as something other than ASN.1 IA5String. In particular, PrintableString is accepted by OpenSSL and Firefox, but not by OS X.
When seen from Safari, these certificates will bump the browser back to the previous page, and the debug console will show: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be YOURHOSTNAME"
There. Hopefully this bit of text and some googling will save someone else an afternoon.
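To check how the subjectAltName entries of a certificate are actually tagged, the following added example (not part of the original post) walks the DER of the extension and reports the tag of each entry. The sample bytes are constructed, and the assumption that the bad encoding shows up as a universal PrintableString tag (0x13) where the context tag [2] for a DNS name is expected is mine; the post does not show the raw bytes.

```python
SAN_OID = bytes.fromhex("0603551d11")   # DER encoding of OID 2.5.29.17 (subjectAltName)
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_entries(der):
    """Return [(tag description, text)] for each entry in subjectAltName."""
    start = der.find(SAN_OID)           # plain byte search: good enough for a diagnostic
    if start < 0:
        return []
    tag, val, pos = read_tlv(der, start + len(SAN_OID))
    if tag == 0x01:                     # optional 'critical' BOOLEAN comes first
        tag, val, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING after the subjectAltName OID")
    _, names, _ = read_tlv(val)         # GeneralNames SEQUENCE inside the OCTET STRING
    entries, pos = [], 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag & 0xC0 == 0x80:          # context-specific, e.g. 0x82 = [2] dNSName
            desc = f"context [{tag & 0x1F}]"
        else:                           # universal tag where a context tag is expected
            desc = STRING_TAGS.get(tag, f"tag 0x{tag:02x}")
        entries.append((desc, val.decode("latin-1")))
    return entries

def tlv(tag, value):
    """Build a short-form TLV; used only for the constructed samples below."""
    return bytes([tag, len(value)]) + value

def sample(entry_tag):
    """Constructed extension: one normal dNSName plus one entry tagged entry_tag."""
    names = tlv(0x30, tlv(0x82, b"example.com") + tlv(entry_tag, b"www.example.com"))
    return tlv(0x30, SAN_OID + tlv(0x04, names))

if __name__ == "__main__":
    for label, der in (("expected", sample(0x82)), ("suspect", sample(0x13))):
        print(label, san_entries(der))
```

For a real certificate, pass the DER bytes of the whole certificate (for example the output of openssl x509 -outform DER) to san_entries().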