But for what it's worth, we've been using our p12 certs for some time now, well
before Snow Leopard's release.
I've only included the version for your reference.
Have you tried to simply re-generate the pem-encoded cert, then the p12 cert
_and_ key bundle again?
openssl pkcs12 -export -clcerts -inkey fubar.key -in fubar.crt -out fubar.p12 -name "Ferdinand Fubar"
You suggest your p12 is viewable (both key+cert) with the following command:
> openssl pkcs12 -in midori.p12 -info
However, I _do not_ see your cert using this command on the test file you
sent... See _only_ the key...
Lou Picciano
----- Original Message -----
From: "Midori Green" <midori.emer...@gmail.com>
To: "Lou Picciano" <loupicci...@comcast.net>
Sent: Friday, November 13, 2009 5:15:41 PM GMT -05:00 US/Canada Eastern
Subject: Re: PKCS12 import error into MacOSX keychain access
> Doing some testing... In attempting to import the midori-test.p12 file
> you've provided, we are seeing a message: 'The contents of this item cannot
> be retrieved' consistent with an unreadable cert.
> We do not ever see the: CSSMERR_CL_UNKNOWN_FORMAT message you report.
> This is using Apple Keychain Version 4.1 (37196)
Unfortunately I am running Leopard 10.5.8 with the latest updates,
which only has Keychain Access version 4.0.2 (35210). I will pick
up a copy of Snow Leopard 10.6.* this weekend and do a full backup
and upgrade next week. Snow Leopard should have the same version
of Keychain Access you are running.
> How does your p12 file perform in the 'verify' command?
I am running OpenSSL version 0.9.7i, which does not appear to
have a "verify" option for "openssl pkcs12". However, I can get a
successful verification on the separate X509v3 cert when I do:
# openssl verify -CAfile ca.cert midori.cert
midori.cert: OK
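
The check done by eye above with `openssl pkcs12 -in ... -info`, as an added shell example that is not part of the original thread: it counts the certificates and private keys in a bundle and confirms that they belong together. It assumes OpenSSL 1.0.0 or later (for `openssl pkey`); the names `p12_check`, `p12_demo`, `P12_PASS` and the passphrase are made up for the example, and both bundles are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread): check what a PKCS#12 bundle holds.
# The passphrase comes from $P12_PASS so it stays out of the process list.

# Prints "certs=N keys=M match=yes|no" for the bundle named in $1.
p12_check() {
    p12=$1
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || cert=
    key=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) || key=
    ncert=$(printf '%s\n' "$cert" | grep -c 'BEGIN CERTIFICATE' || true)
    nkey=$(printf '%s\n' "$key" | grep -c 'BEGIN.*PRIVATE KEY' || true)
    match=no
    if [ "$ncert" -gt 0 ] && [ "$nkey" -gt 0 ]; then
        # Identical public keys mean the certificate belongs to this key.
        cpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || cpub=
        kpub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || kpub=
        if [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]; then match=yes; fi
    fi
    echo "certs=$ncert keys=$nkey match=$match"
}

# Builds two constructed bundles in a temp dir: key+cert (the export command
# suggested in the thread) and key only (the state reported for the test file).
p12_demo() {
    d=$(mktemp -d) || return 1
    P12_PASS=constructed-test-pass; export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Ferdinand Fubar" \
        -keyout "$d/fubar.key" -out "$d/fubar.crt" 2>/dev/null
    openssl pkcs12 -export -clcerts -inkey "$d/fubar.key" -in "$d/fubar.crt" \
        -out "$d/fubar.p12" -name "Ferdinand Fubar" -passout env:P12_PASS
    openssl pkcs12 -export -nocerts -inkey "$d/fubar.key" \
        -out "$d/keyonly.p12" -passout env:P12_PASS
    echo "full: $(p12_check "$d/fubar.p12")"
    echo "keyonly: $(p12_check "$d/keyonly.p12")"
    rm -rf "$d"
}

p12_demo
```

A bundle that reports `certs=0` is the key-only case, and `match=no` with both counts non-zero means the certificate was issued for a different key.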