On Thu November 12 2009, Midori Green wrote:
> On Thu, Nov 12, 2009 at 7:01 AM, PMHager <h...@prima.de> wrote:
> > Just a suggestion which does not consume much time:
> > The .P12 (or .PFX) formats from OpenSSL and Windows
> > are slightly different. To convert between the two,
> > just import the P12 into the MS CertStore "My" and
> > locate and export the certificate with its private
> > key from that list:
> > %SystemRoot%\system32\rundll32.exe /d
> > "%SystemRoot%\system32\INETCPL.CPL",LaunchSiteCertDialog
> > Might be the MacOS is capable to handle that export.
>
> Dear PMHager:
>
> Thank you for your suggestion. Unfortunately, it did not work.
> See the details below...
>
> I tried out your suggestion on a WinXP VM running on my mac.
> I was successfully able to import my "midori.p12" PKCS12 file
> into the Windows Certificate utility, with both the RSA private
> key and X509v3 certificate, into the "Personal" section. Since
> I already had my root certificate preloaded into Windows, when
> I selected [View] for my imported certificate, its certificate status
> verified as OK.
>
> Then as you suggested, I successfully exported both the certificate
> and RSA private key from that Windows certificate utility, into a
> PFX file named "midori.pfx".
>
> When I copied that "midori.pfx" file back to my mac, and attempted
> to load it into Apple's "keychain access" utility, I still get the same
> error message: CSSMERR_CL_UNKNOWN_FORMAT!
>
> I am at a loss as to why I am unable to import my *EXISTING* RSA
> private key into Apple's certificate utility, when I can import it
> safely into Windows certificate utility, OpenSSL, Firefox, etc. This
> certificate was issued to me for VPN access, so I have to use it
> without any substitutions.
>
View the file with a hex editor, check the line-endings. It may not have Mac EOL and your Mac may be expecting that it does.

Mike

> The only thing I can think of that may be unusual is that the issued
> certificate has some proprietary non-critical V3 extensions for VPN.
> But these extensions all have valid DER encoding and are listed
> properly under a company's ITU registered OID tree. (Note that no
> other crypto application that I come across has any problems with
> these certificates.)
>
> I am at the very end of my rope, with getting PKCS12/PFX to import
> into my mac. Any advice is greatly appreciated.
>
> >> I have been trying unsuccessfully to import a PKCS12 file created by openssl
> >> into the "keychain access" application for MacOSX. When I do, I always get
> >> the error: CSSMERR_CL_UNKNOWN_FORMAT
> >>
> >> Please note the following:
> >>
> >> * 2048 bit rsa private key, PEM encoded and encrypted with 3DES, and
> >>   viewable with the following command:
> >>
> >>   openssl rsa -inform PEM -in midori.key -text
> >>
> >> * X509v3 certificate, signed by a private CA, PEM encoded, and viewable
> >>   with the following command:
> >>
> >>   openssl x509 -inform PEM -in midori.cert -text
> >>
> >> * PKCS12 file created by the following command:
> >>
> >>   openssl pkcs12 -export -inkey midori.key -in midori.cert \
> >>       -out midori.p12
> >>
> >>   and viewable (dumps RSA key+cert) with the following command:
> >>
> >>   openssl pkcs12 -in midori.p12 -info
> >
> >> Any suggestions on what I need to do to import my *EXISTING* RSA
> >> private key and certificate into Apple's MacOSX "keychain access"
> >> application? Thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
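
A quick way to tell whether a .p12/.pfx file was altered while being copied between machines is to check its outer ASN.1 framing rather than eyeballing a hex dump. The following is an added example, not part of the original thread; the function name `check_pfx_framing` and the sample bytes are constructed for illustration, and the check covers only the outer SEQUENCE header and the PFX version field.

```python
# Added example: sanity-check the outer ASN.1 framing of a PKCS#12/PFX file.
import sys

def check_pfx_framing(data: bytes) -> str:
    """Classify the outer encoding of a candidate PKCS#12 blob."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem-text"                 # PEM armour, not a binary PFX
    if len(data) < 5 or data[0] != 0x30:
        return "not-a-sequence"           # PFX must start with SEQUENCE (0x30)
    first = data[1]
    if first == 0x80:
        # BER indefinite length: size cannot be checked from the header
        header, declared = 2, None
    elif first < 0x80:
        header, declared = 2, first       # short-form length
    else:
        n = first & 0x7F                  # long form: next n bytes hold length
        if n > 4 or len(data) < 2 + n:
            return "bad-length"
        header = 2 + n
        declared = int.from_bytes(data[2:2 + n], "big")
    # PFX.version is INTEGER 3, encoded as 02 01 03
    if data[header:header + 3] != b"\x02\x01\x03":
        return "not-pfx-v3"
    if declared is not None and header + declared != len(data):
        return "length-mismatch"          # bytes added or lost in transfer
    return "ok"

# Constructed sample: SEQUENCE { INTEGER 3, SEQUENCE { OCTET STRING 0x0A } }
SAMPLE = bytes.fromhex("3008" "020103" "3003" "04010a")
# Same bytes after a text-mode copy that rewrote LF as CRLF
DAMAGED = SAMPLE.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_pfx_framing(fh.read()))
    else:
        print(check_pfx_framing(SAMPLE), check_pfx_framing(DAMAGED))
```

A result of `ok` means the container's framing is intact, so the import failure lies in how the consumer interprets the contents rather than in the transfer.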