You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: enduro99kb
enduro99kb Author
User level: Level 1
9 points

Problem to import SSL client certificate (PFX file) to the Ventura Mac OS keychain

Hello, I have problem to import SSL certificate (PFX file) to the Mac OS Keychain after upgrade to the Ventura OS version. It is complaining that I'm providing incorrect password. I'm sure I'm providing correct password for the certificate file. I'm able to import the same certificate to the browser on the Linux (Ubuntu machine) that proves the certificate file and used password is correct. Issue is isolated to the Mac OS Ventura update.

I appreciate for help.

Regards,

Piotr


MacBook Pro 14″, macOS 13.1

Posted on Jan 2, 2023 1:25 AM

Reply
Question marked as Top-ranking reply
User profile for user: James Brickley
James Brickley
User level: Level 5
5,068 points

Posted on Jan 4, 2023 6:40 AM

Additional Info:


Apple uses LibreSSL3.3.6 in /usr/bin/openssl


Lengthy Wikipedia article about LibreSSL verses OpenSSL:

https://en.wikipedia.org/wiki/LibreSSL


Summary, serious security issues since the heartbleed exploit were raised and some in the SSL community decided to fork OpenSSL and re-write most of it. They reduced the code base considerably and increased security considerably. I believe that OpenSSL has made great strides since then. But BSD UNIX and Apple are on LibreSSL as well as a few select Linux distributions. Google seems that have done their own thing. While forking an open source project can be beneficial, it would be in everyones best interests if these events did not occur. Forks have happened in the past with other open source projects when disagreements arise and there is no compromise. No doubt there will be additional 'Gotchas' in future.


This particular issue relates to a design decision in OpenSSL to change the default cryto settings when creating /exporting PK12 public / private key certificates. Here's the source change from their GitHub repo:


Breaking change of OpenSSL 3.x with LibreSSL 3.x

https://github.com/openssl/openssl/commit/762970bd686c4aa8ea7169e7f76d5a4ce665da93


OpenSSL added the -legacy flag to offer backwards compatibility with systems such as Apple, BSD, etc. using LibreSSL or an older OpenSSL.


The Apple Keychain uses LibreSSL and it cannot read the certificate even with the correct password due to the default crypto method employed by OpenSSL. The -legacy flag creates the PK12 certificate using the previous crypto methods and thus creates a PK12 certificate that is readable with LibreSSL and thus the Apple Keychain.


Yes, this is very unpleasant to discover. In a perfect world this shouldn't have happened. But there are two distinct open source projects for SSL developers who disagree. I just wish problems like this were easier to find online. There's a metric ton of bad information on TLS/SSL in general as it is a complex topic that keeps evolving.


There is an excellent book, "Bulletproof SSL and TLS" by Ivan Ristić

  • Publisher ‏ : ‎ Feisty Duck (August 1, 2014)
  • ISBN-10 ‏ : ‎ 1907117040
  • ISBN-13 ‏ : ‎ 978-1907117046
  • Updated with TLS 1.3 recently



View in context

Similar questions

5 replies
Question marked as Top-ranking reply
User profile for user: James Brickley
James Brickley
User level: Level 5
5,068 points

Jan 4, 2023 6:40 AM in response to James Brickley

Additional Info:


Apple uses LibreSSL3.3.6 in /usr/bin/openssl


Lengthy Wikipedia article about LibreSSL verses OpenSSL:

https://en.wikipedia.org/wiki/LibreSSL


Summary, serious security issues since the heartbleed exploit were raised and some in the SSL community decided to fork OpenSSL and re-write most of it. They reduced the code base considerably and increased security considerably. I believe that OpenSSL has made great strides since then. But BSD UNIX and Apple are on LibreSSL as well as a few select Linux distributions. Google seems that have done their own thing. While forking an open source project can be beneficial, it would be in everyones best interests if these events did not occur. Forks have happened in the past with other open source projects when disagreements arise and there is no compromise. No doubt there will be additional 'Gotchas' in future.


This particular issue relates to a design decision in OpenSSL to change the default cryto settings when creating /exporting PK12 public / private key certificates. Here's the source change from their GitHub repo:


Breaking change of OpenSSL 3.x with LibreSSL 3.x

https://github.com/openssl/openssl/commit/762970bd686c4aa8ea7169e7f76d5a4ce665da93


OpenSSL added the -legacy flag to offer backwards compatibility with systems such as Apple, BSD, etc. using LibreSSL or an older OpenSSL.


The Apple Keychain uses LibreSSL and it cannot read the certificate even with the correct password due to the default crypto method employed by OpenSSL. The -legacy flag creates the PK12 certificate using the previous crypto methods and thus creates a PK12 certificate that is readable with LibreSSL and thus the Apple Keychain.


Yes, this is very unpleasant to discover. In a perfect world this shouldn't have happened. But there are two distinct open source projects for SSL developers who disagree. I just wish problems like this were easier to find online. There's a metric ton of bad information on TLS/SSL in general as it is a complex topic that keeps evolving.


There is an excellent book, "Bulletproof SSL and TLS" by Ivan Ristić

  • Publisher ‏ : ‎ Feisty Duck (August 1, 2014)
  • ISBN-10 ‏ : ‎ 1907117040
  • ISBN-13 ‏ : ‎ 978-1907117046
  • Updated with TLS 1.3 recently



Reply
User profile for user: James Brickley
James Brickley
User level: Level 5
5,068 points

Jan 3, 2023 7:02 AM in response to enduro99kb

OpenSSL 3.x changed the default algorithm and it's not compatible with macOS SSL libraries which are no longer staying current with OpenSSL due to breaking changes such as this.


Fortunately, OpenSSL added a -legacy flag to revert to the previous algorithm. Add the -legacy flag after your -export flag parameter in your openssl command string.


The alternative is to downgrade openssl to 1.x

Reply
User profile for user: enduro99kb
enduro99kb Author
User level: Level 1
9 points

Jan 2, 2023 11:49 PM in response to James Brickley

Hello James,

thank you for your answer. I do have local admin. Attempt to import via terminal is ending with the same error:


% security import client_cert_name.pfx  -k ~/Library/Keychains/login.keychain -P password
security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)


I'm sure the password is correct as I'm providing it during certificate export.


Certificate export is using the following command:


% openssl pkcs12 -inkey client_cert_name.key -in piotr_michalski_cert.crt -export -out client_cert_name.pf
x
Enter Export Password:
Verifying - Enter Export Password:



Regards,

Piotr

Reply

Problem to import SSL client certificate (PFX file) to the Ventura Mac OS keychain

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up