6 Replies Latest reply: Dec 16, 2009 12:45 PM by hyperslack
Joe Rockmore Level 1 (15 points)
i purchased a digital cert from verisign (what they call a Digital ID Class 1). when i download from their site, keychain access opens up and imports the cert into keychain login, but into certificates (NOT my certificates). since there is no cert in my certificates, apple mail can't use the cert for digital signing and encryption. i tried importing into my certificates, failed. i tried copying and pasting the cert into my certificates, failed. i don't seem to be able to convince keychain access that this cert is mine, and put it into my certificates, so i can use it. it is treating this cert just like any other cert i got from others, and simply putting it in certificates.

macbook pro, Mac OS X (10.6.1)
  • thomas_r. Level 7 (30,195 points)
    If you double-click on the certificate entry in Keychain Access, what is listed as the e-mail address? (Don't actually post it here!) Is it one of the e-mail addresses you have an account for in Mail?
  • Joe Rockmore Level 1 (15 points)
    OK, i figured this out myself (with significant help from on-line sources and my buddy glen), so i wanted to post for others to not have to go through what i went through. here you go: the cert from verisign is a .p7c file, which, when imported into keychain access, is not recognized as your own cert. apparently, it must be a .p12.

    how do you transform your cert from .p7c to .p12? easiest way (actually, the only way i found) is to export it from firefox (when you double click on the .p7c it automagically imports into all browsers as well as keychain access). so, in firefox, go to preferences > advanced > encryption > view certificates. you should see the cert from verisign. then click on it and click the backup button, which will create a .p12 cert.

    then delete the cert from verisign from keychain access that is in "certificates," and import the new cert (either drag it to the keychain app icon or use import). you should then see a cert in "my certificates" from verisign. quit apple mail and restart it, and you should see the sign and encrypt icons in the compose mail window, and it will properly digitally sign and encrypt emails. i was able to do both successfully after this operation. good luck!
  • Joe Rockmore Level 1 (15 points)
    a bit more info that i found: it seems that the .p7c file from verisign has the digital cert, but no keys. when importing into keychain access, without keys it treats it like any other cert. but when it imports into firefox, it creates a key pair (public and private), which it can export with the cert as a .p12 file. when keychain access sees a cert with both keys (vice only the public key), it properly interprets it as your cert, since only your cert would have a private key.

    so the real problem is not that verisign sold me the wrong key, but that upon download the key pair is generated by firefox (not the mac operating system) and is thus not available to other apps, like keychain access. this is a firefox weirdness...they should use the OS API to request key pair generation, but that would require calls to various versions of the OS. it's easier, apparently, to just generate the keys, which works for firefox but not for other apps on the same machine. so i think mozilla foundation is to blame for this problem. [if i have this wrong, hopefully someone from mozilla will correct me.]
  • Moodad Level 1 (0 points)
    Nicely done. I was having the same problem getting Keychain to recognize the ID I had downloaded by way of Mozilla. Need Keychain to have the ID for Entourage (and presumably other email programs) to recognize it. The backup (not just Export) does the trick.
  • JayLevenson Level 1 (0 points)
    Great advice!! This solved my problem. Thanks.
  • hyperslack Level 1 (0 points)
    Thanks! Solved my problem, too. My cert was from Comodo (User Trust Network) and the steps in this post fixed things using Firefox. They worked as advertised.

    It was interesting that when I tried using Safari instead, it actually downloaded a .p7s file and created a certificate (unlike FF), but also did not create the key. Doing the backup and importing the backup file into keychain assistant did create the key and mail recognized it.

    Definitely was not a "just works" thing more typical of OS X...
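
The distinction the thread arrives at (a .p7c carries only the certificate, while a .p12 carries the certificate together with its private key) can be checked before importing anything. The script below is an added example, not something posted in the thread. It assumes the `openssl` command-line tool is installed and that the .p7c is DER-encoded; the file names, subject and password `demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names, the subject and the password "demo" are constructed.

make_samples() {  # $1 = work dir; builds a throwaway key, cert, .p7c and .p12
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo@example.invalid" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  # PKCS#7 "certs-only" bundle: certificate, no key material
  openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER -out "$1/id.p7c"
  # PKCS#12: certificate plus private key, password protected
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout pass:demo -out "$1/id.p12"
}

classify() {  # $1 = file, $2 = PKCS#12 password
  # Prints one of: identity | mismatched | cert-only | unknown
  if key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null) &&
     printf '%s\n' "$key" | grep -q 'PRIVATE KEY'; then
    # A usable identity needs the private key to match the certificate's public key
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
               openssl x509 -pubkey -noout)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo identity; else echo mismatched; fi
  elif openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null |
       grep -q 'BEGIN CERTIFICATE'; then
    echo cert-only   # DER PKCS#7 bundle: nothing here can sign or decrypt
  else
    echo unknown     # wrong password, other encoding, or not a certificate container
  fi
}

# Demo on constructed samples
work=$(mktemp -d)
make_samples "$work"
for f in id.p7c id.p12; do
  echo "$f: $(classify "$work/$f" demo)"
done
rm -rf "$work"
```

A file that reports `cert-only` can be used to verify signatures or encrypt to that address, but not to sign or decrypt, which matches where Keychain Access files it.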