Dear Lou and Dr. Henson:

Thank you again for e-mailing me with your assistance and suggestions;
it is greatly appreciated.

I have tried both your suggestions, and specifically used the following
commands:

    openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
            -nomaciter -descert -name "Midori Green" -out midori1.p12

    openssl pkcs12 -export -inkey midori.key -in midori.cert \
            -nomaciter -descert -name "Midori Green" -out midori2.p12

    openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
            -name "Midori Green" -out midori3.p12

    openssl pkcs12 -export -inkey midori.key -in midori.cert \
            -name "Midori Green" -out midori4.p12

But when I try to import midori1.p12, midori2.p12, midori3.p12, and
midori4.p12, I still always get that error:

    CSSMERR_CL_UNKNOWN_FORMAT

Note that I always import/export all PKCS12 and RSA private keys
with a decent and not-null password.

Lou: it is especially good to hear from another Apple Mac user.
Unfortunately I have to use an existing RSA private key, since that
existing key and certificate key pair is currently also being used
within other applications.  So I am prohibited from switching my
existing personal RSA key to a new one generated within the
Keychain Access application.

Dr. Henson: I was able to create a test RSA private key in Apple's
Keychain Access, but I have not been able to create a corresponding
certificate for it yet.  However, I was able to export that RSA private
key only (no cert) as PKCS12, which I have attached to this e-mail.
("midori" is the PKCS12 password.)  I can open this PKCS12 file with
OpenSSL and have successfully extracted the password and RSA
private key.  :-)  I have also been able to re-import that PKCS12 file
back into the Keychain Access application.

I would appreciate it, Dr. Henson, if you could examine the attached
file and see if it is possible to determine if OpenSSL can do the reverse.
(Take an existing RSA private key and create a PKCS12 file for it
without a certificate, and import that into Keychain Access so that
it imports the RSA private key.)

Perhaps once the existing RSA private key is successfully imported,
I can then import the certificate in a separate PKCS12 file as Lou
described.

Thanks.

Attachment: midori-test.p12
Description: Binary data
