30

I created a couple of self-signed S/MIME certificates (using OSX Keychain & OpenSSL) and then exported these into 3 files:

  • Certificate (.cer)
  • Private Key (.p12)
  • Public Key (.pem)

When attempting to import these back into another Mac, the Certificate and Private Key imported without any issues. But the Public Key can't be imported.

Instead I get the following error message:

An error has occurred. Unable to import an item.

The contents of this item cannot be retrieved

Screenshot of OSX Keychain error when importing Public Key

How can I import the public key? Should it be converted to another format for import?

3
  • Why do you want to import the public key? It is the private key that you need to import. The public key is left on the server, the private key is exported to the client, and that's it. Commented Jan 21, 2014 at 7:21
  • Fair enough - so there is no way of importing a public key manually via Keychain (e.g. if someone supplied their public key to you as a file, rather than sending you an email)?
    – Prembo
    Commented Jan 21, 2014 at 7:37
  • 1
    You can use scp to copy all files from one to the other, during the period in which password connection is allowed. Then when you have all keys in place, you may disable password login. Commented Jan 21, 2014 at 8:15

3 Answers

48

It's a bug in OSX. You can import from the command line as per this answer:

https://stackoverflow.com/a/11979625/59198

The command is:

security import pub_key.pem -k ~/Library/Keychains/login.keychain

You'll then need to rename the key in keychain.app.

6
  • Where does it import to? I still can't find it in the keychain.
    – huggie
    Commented Sep 21, 2016 at 3:26
  • 1
    @huggie It loads it with a really generic name in the keychain, something like 'public key' possibly, look for something new in there.
    – Chris
    Commented Sep 22, 2016 at 23:48
  • 1
    Wow.. This saved me. Spent over an hour stuck on that
    – Cheyne
    Commented Mar 27, 2020 at 12:10
  • Only that you can't rename, at least not in recent versions (I tried on Catalina). And, needless to say, this bug is still there. After six years or so.
    – Gábor
    Commented Nov 3, 2020 at 21:14
  • 1
    Seriously, what is this? This issue is still present as of Aug 2021. Commented Aug 30, 2021 at 20:15
3

The certificate actually contains a copy of the public key (along with a name, and a signature from the certificate authority saying that name and that public key go together). Normally you don't need to deal with the public key as a separate item if you're using a certificate-based system like SMIME. If you wanted to, you could extract a copy of the public key from the certificate using the openssl x509 command.

(I wonder if Keychain is refusing to import the public key because it thinks it already has a copy, in the certificate? Keychain's error messages are usually pretty vague.)
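The following is an added example, not part of the original answers: it extracts the public key from a certificate with `openssl x509` and checks that a separately exported public key file is the same key, which shows why the standalone file is redundant once the certificate is imported. The function names, the throwaway `cert.pem`/`key.pem` files and the `demo@example.invalid` subject are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a standalone public key with the one inside a certificate.

# extract_pubkey CERT OUT: write the certificate's public key as PEM.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# pubkey_fingerprint PEM: SHA-256 over the DER encoding of a PEM public key,
# so differences in PEM line wrapping do not affect the comparison.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# same_pubkey CERT PUBPEM: succeed only if PUBPEM holds the key embedded in CERT.
same_pubkey() {
    tmp=$(mktemp) || return 2
    extract_pubkey "$1" "$tmp" || { rm -f "$tmp"; return 2; }
    a=$(pubkey_fingerprint "$tmp")
    b=$(pubkey_fingerprint "$2")
    rm -f "$tmp"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# make_demo_cert DIR: constructed sample data. Creates a throwaway self-signed
# certificate (cert.pem), its private key (key.pem) and the exported public
# key (pub_key.pem) in DIR.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo@example.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub_key.pem"
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" &&
    same_pubkey "$demo_dir/cert.pem" "$demo_dir/pub_key.pem" &&
    echo "pub_key.pem matches the key inside cert.pem"
rm -rf "$demo_dir"
```

Comparing fingerprints this way is also a quick check that a public key file someone hands you belongs to the certificate they claim it does.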

1

A .p12 file can hold your key pair. You'll be prompted for a password if it contains your private key. Keychain will show the private key in a nested way. If imported correctly it should show under 'My Certificates'.
