30

I created a couple of self-signed S/MIME certificates (using OSX Keychain & OpenSSL) and then exported these into 3 files:

  • Certificate (.cer)
  • Private Key (.p12)
  • Public Key (.pem)

When attempting to import these back into another Mac, the Certificate and Private Key imported without any issues. But the Public Key can't be imported.

Instead I get the following error message:

An error has occurred. Unable to import an item.

The contents of this item cannot be retrieved

Screenshot of OSX Keychain error when importing Public Key

How can I import the public key? Should it be converted to another format for import?

Prembo
  • Why do you want to import the public key? It is the private key that you need to import. The public key is left on the server, the private key is exported to the client, and that's it. – MariusMatutiae Jan 21 '14 at 07:21
  • Fair enough - so there is no way of importing a public key manually via Keychain (e.g. if someone supplied their public key to you as a file, rather than sending you an email)? – Prembo Jan 21 '14 at 07:37
  • 1
    You can use scp to copy all files from one to the other, during the period in which password connection is allowed. Then when you have all keys in place, you may disable password login. – MariusMatutiae Jan 21 '14 at 08:15

3 Answers

48

It's a bug in OSX. You can import from the command line as per this answer:

https://stackoverflow.com/a/11979625/59198

The command is:

security import pub_key.pem -k ~/Library/Keychains/login.keychain

You'll then need to rename the key in Keychain.app.

Chris
  • Where does it import to? I still can't find it in the keychain. – huggie Sep 21 '16 at 03:26
  • @huggie It loads it with a really generic name in the keychain, something like 'public key' possibly, look for something new in there. – Chris Sep 22 '16 at 23:48
  • 1
    Wow.. This saved me. Spent over an hour stuck on that – Cheyne Mar 27 '20 at 12:10
  • Only that you can't rename, at least not in recent versions (I tried on Catalina). And, needless to say, this bug is still there. After six years or so. – Gábor Nov 03 '20 at 21:14
  • Nowadays (6 years later!) I recommend just letting Xcode automatically manage all your signing, it does a better job of it than it used to. – Chris Nov 04 '20 at 22:08
  • 1
    Seriously, what is this? This issue is still present as of Aug 2021. – j3141592653589793238 Aug 30 '21 at 20:15
1

The certificate actually contains a copy of the public key (along with a name, and a signature from the certificate authority saying that name and that public key go together). Normally you don't need to deal with the public key as a separate item if you're using a certificate-based system like S/MIME. If you wanted to, you could extract a copy of the public key from the certificate using the openssl x509 command.

(I wonder if Keychain is refusing to import the public key because it thinks it already has a copy, in the certificate? Keychain's error messages are usually pretty vague.)

Wim Lewis
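The extraction mentioned in the answer above, as an added example that is not part of the original thread: it pulls the public key out of a certificate with openssl x509 and checks that a separately supplied public key file is the same key. The certificate is a throwaway one generated on the spot; the file names, the subject and the function names are assumptions made for this example, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: every file name and the certificate subject are constructed.
set -eu

# Create a throwaway self-signed certificate and key (stand-ins for the exported files).
make_demo_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo User/emailAddress=demo@example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Print the public key (SubjectPublicKeyInfo, PEM) embedded in a certificate.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout
}

# SHA-256 over the DER form of a public key, so PEM line wrapping does not matter.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the stand-alone public key file ($1) is the key inside the certificate ($2).
pubkey_matches_cert() {
    pub=$1 cert=$2
    tmp=$(mktemp)
    extract_pubkey "$cert" > "$tmp"
    a=$(pubkey_fingerprint "$pub")
    b=$(pubkey_fingerprint "$tmp")
    rm -f "$tmp"
    [ "$a" = "$b" ]
}

demo() {
    d=$(mktemp -d)
    make_demo_cert "$d"
    # Derive the public key from the private key, then compare it with the certificate's copy.
    openssl pkey -in "$d/key.pem" -pubout > "$d/pub_key.pem"
    if pubkey_matches_cert "$d/pub_key.pem" "$d/cert.pem"; then
        echo "pub_key.pem matches the certificate"
    else
        echo "pub_key.pem does NOT match the certificate"
    fi
    rm -rf "$d"
}
demo
```
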
1

A .p12 file can hold your key pair. You'll be prompted for a password if it contains your private key. Keychain will show the private key in a nested way. If imported correctly it should show under 'My Certificates'.

bbaassssiiee