Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Tom Cramer
Tom Cramer Author
User level: Level 1
11 points

Error -2147415740 from Keychain when importing a root CA certificate

I've been given an iMac at work to use as my primary workstation, and work in an environment that uses certificate based authentication. I was provided the root CA certificate as a .pem file to import into my system, and every time I try, Keychain Access throws an error of "-2147415740".

Running "openssl x509 -inform pem -in cacert.pem -text" shows the certificate as valid, and specifically:

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (8192 bit)
Modulus (8192 bit):

I've seen a few other reports of this, and it seems to be tied to the certificate being signed with an 8192 bit key. Asking the company to change to a lower key to sign the certificate is not a possibility, as it would require redistribution across a high number of machines to work around what appears to be an OS X specific bug. Does anyone know a workaround?

Out of curiosity, I took the certificate and imported it successfully into an iBook running OS X 10.4.0. The certificate continues to work all the way up to 10.4.8, but breaks once Security Update 2006-007 or 10.4.9 is applied. The certificate is also imported just fine on an iPad running iOS 4.2.1.

For now, I have to avoid using any Apple provided tools, and many 3rd party OS X programs, negating the benefit of using OS X and an iMac.

iMac 27 inch, Mac OS X (10.6.5)

Posted on Dec 1, 2010 10:45 AM

Reply
8 replies
User profile for user: baltwo
baltwo
User level: Level 9
62,362 points

Dec 1, 2010 3:19 PM in response to Tom Cramer

I pointed you to possible solutions, never saying I had any. I can't help with your company's policies. If you want to take it up with Apple.

If you want to report this issue to Apple's engineering, send a bug report or an enhancement request via its Bug Reporter system. To do this, join the Mac Developer Program—it's free and available for all Mac users and gets you a look at some development software. Since you already have an Apple username/ID, use that. Once a member, go to Apple BugReporter and file your bug report or enhancement request. The nice thing with this procedure is that you get a response and a follow-up number; thus, starting a dialog with engineering.
Reply
User profile for user: Tom Cramer
Tom Cramer Author
User level: Level 1
11 points

Dec 1, 2010 2:24 PM in response to baltwo

Nothing in the help file seems to address this very specific error I am encountering, nor does help explain what changed in Security Update 2006-007 to cause a certificate to be accepted prior to that update, but an error to be thrown after it is installed. And I couldn't find any information in help on a way to work around the problem. So this isn't a case where RTFM solves it unfortunately.
Reply
User profile for user: Tom Cramer
Tom Cramer Author
User level: Level 1
11 points

Dec 1, 2010 2:50 PM in response to baltwo

sigh

Result 1, this thread

Result 2, another person encountering the same problem and posted here on the discussion forums, unanswered, beyond me responding to see if it is the exact same situation I'm now running into.

Result 3, a posting to the OpenCA users list, also confirming the problem, with no specific solution to the error. Only a workaround of resigning the CA with a 4096bit or lower key, a workaround that as I mentioned already, cannot be done here without forcing every other user in the company to do work for what appears to only be an OS X specific problem/bug.

Please only respond again if you have an actual useful suggestion for this exact problem. These boards are to help facilitate discussion about problems leading to a solution. Neither of your generic responses has helped, and I'd appreciate it if you could avoid wasting more of my time following up on a new post notification.
Reply
User profile for user: Tom Cramer
Tom Cramer Author
User level: Level 1
11 points

Dec 3, 2010 3:57 PM in response to Tom Cramer

As an update, I did file a bug report prior to the suggestion here. It has now been closed as a duplicate of another, with no ETA on a fix.

However, my theory is that the error is coming from the part of OS X that is open source, so I am currently digging into the differences between 10.4.8 and 10.4.9 to identify what changed, and will attempt to modify the current 10.6.5 code to allow import/use of 8192 bit signed certificates. If I'm successful, I'll update this thread here with a solution other coders can use to fix the issue, since this thread is likely to show up near the top of Google search results now.
Reply
User profile for user: Tom Cramer
Tom Cramer Author
User level: Level 1
11 points

Dec 3, 2010 5:55 PM in response to Tom Cramer

Even better, no code needs to change.

defaults write /Library/Preferences/com.apple.crypto RSAMaxKeySize -int <size>

With that in place, a user can override the default key size of 4096 to whatever value they need. I discovered that preference when I dug into the code, and found a reference to it in this header:

http://www.opensource.apple.com/source/libsecurityapple_csp/libsecurity_apple_csp-36859/lib/RSA_DSAkeys.h

My companies root CA is now imported. Going to go comment on the open bug, since it's not a bug. An undocumented (except in source) preference will allow people to fix this on their own.
Reply

Error -2147415740 from Keychain when importing a root CA certificate

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up