On Thu, Nov 12, 2009 at 7:01 AM, PMHager <h...@prima.de> wrote:
> Just a suggestion which does not consume much time:
> The .P12 (or .PFX) formats from OpenSSL and Windows
> are slightly different. To convert between the two,
> just import the P12 into the MS CertStore "My" and
> locate and export the certificate with its private
> key from that list:
> %SystemRoot%\system32\rundll32.exe /d
> "%SystemRoot%\system32\INETCPL.CPL",LaunchSiteCertDialog
> Might be the MacOS is capable to handle that export.

Dear PMHager:

Thank you for your suggestion. Unfortunately, it did not work.
See the details below...

I tried out your suggestion on a WinXP VM running on my mac. I was
successfully able to import my "midori.p12" PKCS12 file into the
Windows Certificate utility, with both the RSA private key and X509v3
certificate, into the "Personal" section. Since I already had my root
certificate preloaded into Windows, when I selected [View] for my
imported certificate, its certificate status verified as OK.

Then as you suggested, I successfully exported both the certificate
and RSA private key from that Windows certificate utility, into a PFX
file named "midori.pfx".

When I copied that "midori.pfx" file back to my mac, and attempted to
load it into Apple's "keychain access" utility, I still get the same
error message: CSSMERR_CL_UNKNOWN_FORMAT!

I am at a loss as to why I am unable to import my *EXISTING* RSA
private key into Apple's certificate utility, when I can import it
safely into Windows certificate utility, OpenSSL, Firefox, etc. This
certificate was issued to me for VPN access, so I have to use it
without any substitutions.

The only thing I can think of that may be unusual is that the issued
certificate has some proprietary non-critical V3 extensions for VPN.
But these extensions all have valid DER encoding and are listed
properly under a company's ITU registered OID tree. (Note that no
other crypto application that I have come across has any problems with
these certificates.)

I am very much at the end of my rope with getting PKCS12/PFX to import
into my mac. Any advice is greatly appreciated.

>> I have been trying unsuccessfully to import a PKCS12 file created by openssl
>> into the "keychain access" application for MacOSX. When I do, I always get
>> the error: CSSMERR_CL_UNKNOWN_FORMAT
>>
>> Please note the following:
>>
>> * 2048 bit rsa private key, PEM encoded and encrypted with 3DES, and
>>   viewable with the following command:
>>
>>     openssl rsa -inform PEM -in midori.key -text
>>
>> * X509v3 certificate, signed by a private CA, PEM encoded, and viewable
>>   with the following command:
>>
>>     openssl x509 -inform PEM -in midori.cert -text
>>
>> * PKCS12 file created by the following command:
>>
>>     openssl pkcs12 -export -inkey midori.key -in midori.cert \
>>         -out midori.p12
>>
>>   and viewable (dumps RSA key+cert) with the following command:
>>
>>     openssl pkcs12 -in midori.p12 -info
>
>> Any suggestions on what I need to do to import my *EXISTING* RSA
>> private key and certificate into Apple's MacOSX "keychain access"
>> application? Thanks.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org