keychain access certificate import problem -- can't send secure email

i purchased a digital cert from verisign (what they call a Digital ID Class 1). when i download from their site, keychain access opens up and imports the cert into keychain login, but into certificates (NOT my certificates). since there is no cert in my certificates, apple mail can't use the cert for digital signing and encryption. i tried importing into my certificates, failed. i tried copying and pasting the cert into my certificates, failed. i don't seem to be able to convince keychain access that this cert is mine, and put it into my certificates, so i can use it. it is treating this cert just like any other cert i got from others, and simply putting it in certificates.

macbook pro, Mac OS X (10.6.1)

Posted on Nov 4, 2009 2:39 PM


Nov 8, 2009 10:00 AM in response to Joe Rockmore

OK, i figured this out myself (with significant help from on-line sources and my buddy glen), so i wanted to post for others to not have to go through what i went through. here you go: the cert from verisign is a .p7c file, which, when imported into keychain access, is not recognized as your own cert. apparently, it must be a .p12. how do you transform your cert from .p7c to .p12? easiest way (actually, the only way i found) is to export it from firefox (when you double click on the .p7c it automagically imports into all browsers as well as keychain access). so, in firefox, go to preferences > advanced > encryption > view certificates. you should see the cert from verisign. then click on it and click the backup button, which will create a .p12 cert. then delete the cert from verisign from keychain access that is in "certificates," and import the new cert (either drag it to the keychain app icon or use import). you should then see a cert in "my certificates" from verisign. quit apple mail and restart it, and you should see the sign and encrypt icons in the compose mail window, and it will properly digitally sign and encrypt emails. i was able to do both successfully after this operation. good luck!

Nov 10, 2009 9:48 AM in response to Joe Rockmore

a bit more info that i found: it seems that the .p7c file from verisign has the digital cert, but no keys. when importing into keychain access, without keys it treats it like any other cert. but when it imports into firefox, it creates a key pair (public and private), which it can export with the cert as a .p12 file. when keychain access sees a cert with both keys (vice only the public key), it properly interprets it as your cert, since only your cert would have a private key.

so the real problem is not that verisign sold me the wrong key, but that upon download the key pair is generated by firefox (not the mac operating system) and is thus not available to other apps, like keychain access. this is a firefox weirdness...they should use the OS API to request key pair generation, but that would require calls to various versions of the OS. it's easier, apparently, to just generate the keys, which works for firefox but not for other apps on the same machine. so i think mozilla foundation is to blame for this problem. [if i have this wrong, hopefully someone from mozilla will correct me.]
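
The difference described in the post above (a .p7c holds only certificates, while a .p12 holds the certificate together with its private key) can be checked with the openssl command line. This is an added example, not part of the original thread; the key, self-signed certificate, file names and password are constructed, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Constructed sample data: throwaway key, self-signed cert, password "example".
make_samples() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example User/emailAddress=user@example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    # PKCS#7 certs-only bundle (.p7c): certificates, never a private key
    openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER -out "$1/id.p7c"
    # PKCS#12 (.p12): the certificate plus its private key, password protected
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name "Example User" -passout pass:example -out "$1/id.p12"
}

# Dump a container as PEM text, choosing the parser by file extension.
contents() {
    case $1 in
        *.p7c) openssl pkcs7 -inform DER -in "$1" -print_certs ;;
        *.p12) openssl pkcs12 -in "$1" -passin pass:example -nodes 2>/dev/null ;;
    esac
}

# count FILE TYPE: number of PEM blocks whose label matches TYPE (a regex).
count() { contents "$1" | grep -c -e "-----BEGIN $2-----" || true; }

# pair_matches FILE.p12: succeed if the private key belongs to the certificate.
pair_matches() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin pass:example -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$1" -passin pass:example -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
make_samples "$work"
for f in "$work/id.p7c" "$work/id.p12"; do
    echo "${f##*/}: certs=$(count "$f" CERTIFICATE) keys=$(count "$f" '.*PRIVATE KEY')"
done
pair_matches "$work/id.p12" && echo "id.p12: private key matches the certificate"
```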

Dec 16, 2009 12:45 PM in response to Joe Rockmore

Thanks! Solved my problem, too. My cert was from Comodo (User Trust Network) and the steps in this post fixed things using Firefox. They worked as advertised.

It was interesting that when I tried using Safari instead, it actually downloaded a .p7s file and created a certificate (unlike FF), but also did not create the key. Doing the backup and importing the backup file into keychain assistant did create the key and mail recognized it.

Definitely was not a "just works" thing more typical of OS X...
