Snow Leopard Certificate Sillyness

I love OS X and every iteration has gotten better and better. But every once in a while tasks that should be simple–aren’t. Take the case of trying to add an S/MIME certificate to the Keychain.

In the past, simply double-clicking on the .p12 file would prompt for the passphrase and import it into the login chain. After getting my certificate issued by StartSSL and stored in Firefox, I exported the certificate and private key, set a passphrase, double-clicked, and….

An error has occurred. Unable to import an item. The contents of this item cannot be retrieved. You failed to provide the necessary administrator authorization. (Added so the search engines will pick this up)

And so the battle commenced. There really isn’t a lot out there discussing when Keychain Access fails. The closest similar discussion was by Midori Green (email thread here). The error was different, but it was the same attempt to import a PKCS12 file.

I tried using openssl to rearrange the certificates in the file (after exporting into PEM format), tried adding/removing/changing the private key passphrase, tried importing/exporting from a Windows machine in .PFX format, and even tried recreating the PKCS12 file from its constituent parts.

Luckily, I ran across this post on krypted.com that mentioned the CLI command security. After placing the exported .p12 file (from Firefox) in a directory and launching terminal, I was able to use the command:

linus:gadams$ security import startssl-smime-cert.p12 -f pkcs12 ~/Library/Keychains/login.keychain
1 identity imported.
2 certificates imported.

And bam! The certificate loaded. Composing a new message in Mail.app showed the signing and encryption boxes. Although I still get invalid signatures when sending rich text format messages, plain text messages are properly getting signed.

I am curious exactly what command is executed when you double-click on a certificate file. I assume the Keychain Access application makes underlying calls to security, but I’d like to be able to trace the steps it takes.
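To make the import repeatable, here is an added example script (mine, not code from the post or from Apple) that first decodes the .p12 with openssl to confirm it actually contains an identity (a private key plus its certificate, which is what Keychain needs for signing) and only then hands it to security import, naming the keychain explicitly with -k, the form a commenter below reports as working. The file names, the passphrase and the self-signed demo certificate are constructed placeholders; openssl is assumed to be on PATH, and the security(1) step is skipped on anything other than macOS.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl on PATH;
# security(1) exists only on macOS. All file names and passphrases are placeholders.

# Decode a PKCS#12 bundle and count what is inside it.
# Prints "<private keys> <certificates>".
# Returns 0 when at least one identity (key + cert) is present,
# 1 when the bundle holds only certificates, 2 when it cannot be decoded
# (wrong passphrase, corrupt file, unsupported encryption).
p12_summary() {
    p12="$1"; pass="$2"
    pem=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes 2>/dev/null) || return 2
    keys=$(printf '%s\n' "$pem" | grep -c 'BEGIN PRIVATE KEY') || true
    certs=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE') || true
    echo "$keys $certs"
    if [ "$keys" -ge 1 ] && [ "$certs" -ge 1 ]; then
        return 0
    else
        return 1
    fi
}

# Import the bundle into a named keychain (default: the login keychain).
# -k selects the keychain explicitly, -f tells security the input format,
# -P supplies the passphrase non-interactively (note: it is visible in `ps`
# for the duration of the command; drop -P to be prompted instead).
# Afterwards list S/MIME-capable identities so the result can be verified.
import_p12() {
    p12="$1"; pass="$2"
    kc="${3:-$HOME/Library/Keychains/login.keychain}"
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not available on this system; skipping import" >&2
        return 3
    fi
    if ! p12_summary "$p12" "$pass" >/dev/null; then
        echo "refusing to import: bundle has no usable identity or cannot be decoded" >&2
        return 1
    fi
    security import "$p12" -k "$kc" -f pkcs12 -P "$pass" || return 1
    security find-identity -p smime -v "$kc"
}

# Build a throwaway self-signed identity and package it as PKCS#12
# (constructed test data only, never use such a certificate for real mail).
# Prints the path of the resulting .p12.
make_demo_p12() {
    dir="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -subj '/CN=demo-smime-placeholder' -days 1 >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/identity.p12" -passout "pass:$pass" 2>/dev/null
    echo "$dir/identity.p12"
}

# Demo: create a constructed bundle, inspect it, clean up.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    demo=$(make_demo_p12 "$tmp" demo-pass)
    printf 'keys certs in %s: %s\n' "$demo" "$(p12_summary "$demo" demo-pass)"
    rm -rf "$tmp"
fi
```

Run p12_summary against the file Firefox produced before trying to import it: a result of "0 N" means the export contained certificates but no private key, which is exactly the "only certificates but no identities were imported" outcome a commenter describes, and no amount of retrying the import will fix that; re-export from Firefox instead.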

Side note, I’m going to do an opinion piece of certificate authorities in general and digital certificates, SSL, S/MIME, and all that rot. There are some great options for small companies and individuals to get certificates at a cheap or free price. No Verisign or GTE Cybertrust (err Verizon Business) $$$$$ prices need apply!

5 comments to Snow Leopard Certificate Sillyness

  • Hi, I’m using 10.6.2 and never had this problem. Took me many months to work out that the way to export from Firefox was NOT to choose export but rather select ‘backup all’. The rest was a breeze (if you remember to restart mail). Thanks for the inspiration though. Look forward to the “opinion piece of certificate authorities in general and digital certificates, SSL, S/MIME, and all that rot”

    • Thanks for the comment Alan. I never tried the “backup all” option in Firefox. Heck, never would have thunk of it. I wonder what the difference in the saved certificate is compared to export.

      Having done some work for a bank recently, the whole EV certificate issue has focused my attention on the whole “assurance industry.”

  • Andre

    Thanks for the hint, I was going crazy about this problem… I have tried the import as you suggested, but it failed, only certificates but no identities were imported. In order to make it work I had to change the command line to:

    security import startssl-smime-cert.p12 -k ~/Library/Keychains/login.keychain -f pkcs12

    and it worked.

  • Wow. You saved the day. That command worked like a charm. Thanks a lot!

  • Pramod Jain

    Any info on why this error occurs? How can it be prevented?
