Hmmm... Doing some testing... In attempting to import the midori-test.p12 file you've provided, we are seeing a message: 'The contents of this item cannot be retrieved' consistent with an unreadable cert. We do not ever see the: CSSMERR_CL_UNKNOWN_FORMAT message you report. This is using Apple Keychain Version 4.1 (37196)
But this may be useful in your diagnosis: We HAVE gotten various non sequitur errors when the cert has been signed in a way which (apparently) exposes an OpenSSL bug. I.e., in one case, a cert was generated without error with a notAfter date, but was trapped as 'invalid format' - with no other explanation - by OpenSSL at runtime. In our case, this was with an x509 cert against a PostgreSQL database. It might be worth stepping back and regenerating your pem cert with different 'variables'.

Also, we generate p12s as _combined_ key/cert files; the result of the

    openssl pkcs12 -in <cert> -info

command against one of our p12 certs immediately spits out the cert. Against midori.p12, it prompts for the passphrase, then reports only the key (makes sense, as you are apparently trying to isolate the key). But why? Is it possible the Mac Keychain _requires_ a concatenated key/cert file? Dunno - I've never tested this. It might be worth noting that the Mac Keychain will not prompt you with a p12 option for exporting a key only. For that matter, I've always understood .p12 to be a combined cert/key format, not key only...

How does your p12 file perform in the 'verify' command?

Please note that our key(s) is/are generated on UNIX, and are copied directly over to Mac(s) via various filesharing mechanisms or SCP.

Lou Picciano

----- Original Message -----
From: "Midori Green" <midori.emer...@gmail.com>
To: openssl-users@openssl.org
Sent: Friday, November 13, 2009 12:31:48 AM GMT -05:00 US/Canada Eastern
Subject: Re: PKCS12 import error into MacOSX keychain access

Dear Lou and Dr. Henson:

Thank you again for e-mailing me with your assistance and suggestions, it is greatly appreciated.

I have tried both your suggestions, and specifically used the following commands:

    openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
        -nomaciter -descert -name "Midori Green" -out midori1.p12
    openssl pkcs12 -export -inkey midori.key -in midori.cert \
        -nomaciter -descert -name "Midori Green" -out midori2.p12
    openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
        -name "Midori Green" -out midori3.p12
    openssl pkcs12 -export -inkey midori.key -in midori.cert \
        -name "Midori Green" -out midori4.p12

But when I try to import midori1.p12, midori2.p12, midori3.p12, & midori4.p12, I always still get that error: CSSMERR_CL_UNKNOWN_FORMAT

Note that I always import/export all PKCS12 and RSA private keys with a decent and not-null password.

Lou: it is especially good to hear from another Apple Mac user. Unfortunately I have to use an existing RSA private key, since that existing key and certificate key pair is currently also being used within other applications. So I am prohibited from switching my existing personal RSA key to a new one generated within the Keychain Access application.

Dr. Henson: I was able to create a test RSA private key in Apple's Keychain Access, but I have not been able to create a corresponding certificate for it yet. However, I was able to export that RSA private key only (no cert) as PKCS12, which I have attached to this e-mail. ("midori" is the PKCS12 password.) I can open this PKCS12 file with OpenSSL and have successfully extracted the password and RSA private key. :-) I have also been able to re-import that PKCS12 file back into the Keychain Access application.

I would appreciate it, Dr. Henson, if you could examine the attached file, and see if it is possible to determine if OpenSSL can do the reverse. (Take an existing RSA private key and create a PKCS12 file for it without a certificate, and import that into Keychain Access so that it imports the RSA private key.)
Perhaps once the existing RSA private key is successfully imported, I can then import the certificate in a separate PKCS12 file as Lou described. Thanks.
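As an added example that is not part of the thread (and not either poster's own files or commands), the script below does end to end what Lou's `-info` probe and Midori's `-export` attempts do: it generates a throwaway RSA key and self-signed certificate standing in for midori.key/midori.cert, exports a combined key+cert PKCS#12 and a key-only one (`-nocerts` on export), then counts the certificate and key bags in each file and checks that the combined file's certificate and key actually belong together. It assumes an `openssl` binary on PATH (OpenSSL 1.1 or 3.x, or LibreSSL); the passphrase "midori" is taken from the thread, while the file names combined.p12 and keyonly.p12, the CN, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): build PKCS#12 files with openssl and
# report what each actually contains, which is the question Lou raises about
# midori.p12. Assumes an `openssl` binary on PATH; the key, certificate and
# file names below are constructed test material, not the poster's files.
set -e

WORK="$(mktemp -d)"          # scratch directory; files are left here for inspection
P12PASS="midori"             # same passphrase Midori used for the attached file

# Throwaway RSA key + self-signed certificate standing in for midori.key/midori.cert.
gen_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=pkcs12 test" \
        -keyout "$WORK/midori.key" -out "$WORK/midori.cert" >/dev/null 2>&1
}

# Combined key+cert PKCS#12, the form Lou's p12s take.
make_combined_p12() {
    openssl pkcs12 -export -inkey "$WORK/midori.key" -in "$WORK/midori.cert" \
        -name "Midori Green" -passout "pass:$P12PASS" -out "$WORK/combined.p12"
}

# Key-only PKCS#12: -nocerts on export tells openssl to add no certificate bag.
# This is the reverse operation Midori asks about (key in, no cert).
make_key_only_p12() {
    openssl pkcs12 -export -nocerts -inkey "$WORK/midori.key" \
        -name "Midori Green" -passout "pass:$P12PASS" -out "$WORK/keyonly.p12"
}

# Report how many certificate bags and key bags a PKCS#12 carries.
# `-info` writes the bag summary to stderr, so merge it with stdout.
# Prints e.g. "certs=1 keys=1".
p12_contents() {
    info="$(openssl pkcs12 -in "$1" -info -nodes -passin "pass:$P12PASS" 2>&1 </dev/null)"
    certs="$(printf '%s\n' "$info" | grep -c 'Certificate bag')" || true
    keys="$(printf '%s\n' "$info" | grep -c -e 'Keybag' -e 'Key bag')" || true
    printf 'certs=%s keys=%s\n' "$certs" "$keys"
}

# Check that the certificate and private key inside a combined PKCS#12 belong
# together by comparing the public keys they carry. Prints "match" or "mismatch".
p12_key_matches_cert() {
    certpub="$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12PASS" \
               | openssl x509 -noout -pubkey)"
    keypub="$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12PASS" \
              | openssl pkey -pubout)"
    if [ "$certpub" = "$keypub" ]; then echo match; else echo mismatch; fi
}

gen_key_and_cert
make_combined_p12
make_key_only_p12
echo "combined.p12: $(p12_contents "$WORK/combined.p12")"                  # certs=1 keys=1
echo "keyonly.p12:  $(p12_contents "$WORK/keyonly.p12")"                   # certs=0 keys=1
echo "combined.p12 key/cert: $(p12_key_matches_cert "$WORK/combined.p12")" # match
```

The `-info` summary goes to stderr, hence the `2>&1`; on the key-only file it shows a Shrouded Keybag and no Certificate bag, which is what Lou observed for midori.p12. Whether Keychain Access will accept such a file is the open question in the thread; the script only shows that OpenSSL can produce one and how to see what a given .p12 contains before blaming the importer. The public-key comparison is a portable stand-in for the modulus check one would otherwise do with `openssl x509 -modulus` and `openssl rsa -modulus`, and works for non-RSA keys too.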