Add to "My certificates" in Keychain Access? (Mac OS 10.10)

Short version:
You can't use it as your certificate unless you have the private key that forms a matched set with the public key that's in the certificate. Go find where you left your private key and import that into the keychain, and Keychain Access will automatically see that it matches with the public key in that certificate and start showing that certificate in the "My Certificates" list.

Long version:
Certificates are public documents that you can freely distribute. They are just a way to securely link your identity (i.e. identifying information like your full name, username, email address, etc.) to your public key.

Since certificates are publicly distributable, simply having a copy of a certificate is not proof you are the person named in the certificate, or that the public key in the certificate is truly your public key.

To be able to prove that a certificate is yours, you must have the private key that forms a matched set with the public key contained in the certificate.

If you just have a .p7b or .cer or .pem file, it most likely just contains a certificate, but not the private key that goes with it.

Private keys must be kept completely secure and private and never given to anyone else. When stored on disk, they should be stored in an encrypted file that you need a passphrase to decrypt. The typical way to securely store a certificate along with the matching private key in an encrypted, password-protected file, is a .p12 (PKCS#12) file. See if you already have a .p12 file somewhere.

If Keychain Access shows a certificate in your personal keychain, but it doesn't show it in the "My Certificates" list, it means you imported just a certificate but not the private key that goes with it, so OS X can't tell that it's truly "yours".

You need to go find where your private key was stored when you first generated your public/private key pair. Generating a key pair is the first step toward getting a certificate. First a key pair is generated, then the public key, along with your identity information, is put into a Certificate Signing Request (a.k.a. CSR, req), and sent off to a Certificate Authority (CA) to be signed. The CA is supposed to verify your identity information and your public key, and then if it all checks out, they sign the CSR, creating a certificate. The signed certificate is sent back to you, and you have to match it back up with the private key you'd generated in the first step, in order to truly use it.

Note that the role of CA is nothing terribly special. It doesn't have to be some corporation like Verisign. Every personal computer OS contains all the software necessary to act as a CA. Keychain Access's Certificate Assistant feature will even walk you through setting up your CA setup for your own private use.

If you don't remember generating a key pair, you were probably using some software that did it automatically for you. For example, there's a special HTML tag that CA websites can use on their CSR web forms that tells your web browser to automatically generate a key pair and submit just the public key along with the web form. When you use Safari on such a form, the private key is stored in the user keychain for the OS X user account you're logged into. When you use IE in Windows on such a form, the private key is stored in the Windows equivalent of that (Microsoft calls this the user's "Certificate Store"; "store" as in "storage container" not "retail shop" :-).

I can't tell you where your private key is because I don't know what software you used to create it, and even if I knew that, I wouldn't know for sure where you told that software to save your private key. You'll probably have to sleuth that out yourself.

If you can't find your private key, you may need to consider it compromised and revoke your certificate (you may need to contact your CA to do that) and start over by generating a new key pair, creating a new CSR, having a CA sign it and issue a certificate, match it up with the new private key, etc. This is kind of like realizing that you're missing a copy of your house key, and choosing to have a locksmith rekey all your door locks just to be safe.

tl;dr: Go find your private key and import it into the keychain.
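As an added example (not part of the original answer or of Apple's tooling), the shell script below performs the check the answer describes: it assumes the openssl command-line tool is installed, generates a constructed key pair and self-signed certificate, verifies that a private key forms a matched set with the public key in the certificate, rejects an unrelated key, and bundles the matched pair into a passphrase-protected .p12 that Keychain Access can import into "My Certificates".

```shell
#!/bin/sh
# Added example, not from the original answer: check whether a private key
# is the matched set for a certificate, then bundle both into a .p12 file.
# Assumes the openssl CLI is installed; all key/cert material is constructed here.
set -eu
WORK="${TMPDIR:-/tmp}/keymatch.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Succeeds only when the public key derived from the private key is
# byte-for-byte the public key embedded in the certificate.
key_matches_cert() {
  key="$1"; cert="$2"
  openssl pkey -in "$key" -noout 2>/dev/null || return 1
  k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$k" = "$c" ]
}

# Build a passphrase-protected PKCS#12 bundle, refusing mismatched input.
make_p12() {
  key="$1"; cert="$2"; out="$3"; pass="$4"
  key_matches_cert "$key" "$cert" || return 1
  openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
    -passout "pass:$pass" 2>/dev/null
}

# Constructed sample: a self-signed cert with its own key, plus an unrelated key.
KEY="$WORK/me.key"; CERT="$WORK/me.cer"; OTHER="$WORK/other.key"; P12="$WORK/me.p12"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
  -days 1 -subj "/CN=example" 2>/dev/null
openssl genrsa -out "$OTHER" 2048 2>/dev/null

if key_matches_cert "$KEY" "$CERT"; then echo "me.key matches me.cer"; fi
if ! key_matches_cert "$OTHER" "$CERT"; then echo "other.key does NOT match me.cer"; fi
make_p12 "$KEY" "$CERT" "$P12" "changeit" && echo "wrote $P12"
```

On OS X the resulting bundle is imported either through Keychain Access (File > Import Items) or with `security import me.p12 -k ~/Library/Keychains/login.keychain -P changeit`, after which the certificate appears under "My Certificates" because its private key now sits beside it.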

Author: dani

Updated on September 18, 2022

Comments

  • dani
    dani over 1 year

    I have a certificate file like this:

    -----BEGIN CERTIFICATE-----
    MIIHCDCCBPC ....
    

    I can get it to show up under "Certificates" by going to "File->import items" (it is the "Elin" one).


    I can however not add it to "My certificates" which I think is necessary to have it show up when connecting to certain websites:


    How do I get it over there? (Do I need to turn it into .p12 for example and in that case how?)

    • Lelantos
      Lelantos almost 9 years
      See if this is of any use to you: digicert.com/ssl-support/… It also shows how to export the cert as .p12. If that does what you want, let me know and I will put it as an answer :)
  • Gordon Davisson
    Gordon Davisson almost 9 years
    Excellent answer; but I'll add two notes: First, for historical reasons the extension ".pfx" is sometimes used for PKCS #12 files (see Wikipedia). Second, in the screenshots there's a disclosure triangle next to the "com.apple.idmsa..." certificate; clicking that would reveal the corresponding private key that makes it show up in "My Certificates" and allows it to be used for authentication.
  • Pier
    Pier over 7 years
    How can I move the key file (that appears after clicking the triangle) from Keychain in one computer to a new computer?
  • Spiff
    Spiff over 7 years
    @Pier Welcome to SuperUser. Please ask your question by posting it as your own Question post, rather than asking in a comment.
  • Whimusical
    Whimusical almost 4 years
    +10000000000000000, one of most useful answers on StackExchange