[MlMt] Help creating a self-signed cert for S/MIME

Bill Cole mmlist-20120120 at billmail.scconsult.com
Fri Oct 18 02:13:04 EDT 2019


On 17 Oct 2019, at 17:45, Pete Resnick wrote:

> Using MM 1.13 on Mojave. I tried creating a self-signed root S/MIME certificate in the Keychain, but when I try to use it, all I get is:
>
> 	The specified item could not be found in the keychain. (error code -25300)

Generic "item not found" error (errSecItemNotFound).

You can get this when a cert (or any keychain item) doesn't have exactly the right name (or other attribute used for matching the item to a request), lacks a needed attribute (like a "trusted" flag), or is not in the default keychain. Historically it also could happen with access control issues, but I think Apple fixed that.

> Obviously I'm missing something. Anyone have a recipe?

In Keychain Access, use the Certificate Assistant to create a new cert. In the first screen of the creation wizard, give it a reasonable display name, select "Self Signed Root" and "S/MIME (Email)" from the menus. Check the "Let me override defaults" box and hit Continue. In the first screen, enter the exact email address you want the cert to work for, without angle brackets. Click through all the other screens without changes unless there's something you KNOW you want to change, such as key type and size, until you get to the "Subject Alternative Name" extension screen. Make sure your address is there, in the "RFC 822 Name" field. Click through until done, saving the cert in your default keychain, usually named "login". Open the cert in Keychain Access, expand the Trust section, and select "Always Trust" in the menu next to "When using this certificate:", which will apply to all of the specific uses listed beneath. You can *probably* get away with "Use Custom Settings" and only switching S/MIME to "Always Trust", but I have not tried that.

The first time you try to use the cert in MM, you will get a keychain access authentication dialog. If you click "Always Allow" after entering your password, you won't be prompted that way again; it will Just Work in MM.

> Or some ideas about what I can check for what went wrong?

Make sure the cert and its private key are in the default keychain, are trusted, and have the right email address in both the Subject Name section and the Subject Alternative Name extension.

This message is signed with a cert I created as described above. I expanded the allowed uses and used an ECC key, but those don't affect how MM works with it.

> pr

Thank you for all the work you've done to make Internet email viable and robust.

And also for the bajillion occurrences of "x-stuff-for-pete" in my mail archives. :)

-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
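An added example (mine, not from Bill's message or from MailMate) for readers who would rather script the same job with OpenSSL: it builds a self-signed S/MIME cert carrying the address both in the Subject and as an RFC 822 Subject Alternative Name, then checks a cert for those two attributes and for the emailProtection usage. The address and file names are constructed placeholders; the resulting key and cert still need to be imported into the login keychain and trusted as described above.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl(1) 1.1.1 or newer
# is installed (-addext is needed). Address and file names are placeholders.

# make_smime_cert ADDRESS KEYFILE CERTFILE
# Writes an unencrypted P-256 private key and a self-signed cert valid 2 years,
# with the address in the Subject (emailAddress=) and in the SAN (email:), the
# two places MailMate is said to match on, plus the S/MIME usage extensions.
make_smime_cert() {
  addr=$1; key=$2; crt=$3
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$key" 2>/dev/null || return 1
  openssl req -x509 -new -key "$key" -out "$crt" -days 730 -sha256 \
    -subj "/CN=$addr/emailAddress=$addr" \
    -addext "subjectAltName=email:$addr" \
    -addext "extendedKeyUsage=emailProtection" \
    -addext "keyUsage=critical,digitalSignature,keyAgreement" 2>/dev/null
}

# check_smime_cert CERTFILE ADDRESS
# Prints "ok" and returns 0 only when the address is present in both the
# Subject and the SAN and the cert is marked for e-mail protection; otherwise
# prints which of the three is missing and returns 1.
check_smime_cert() {
  crt=$1; addr=$2; missing=""
  subj=$(openssl x509 -in "$crt" -noout -subject -nameopt compat)
  case "$subj" in
    *"/emailAddress=$addr"*) ;;
    *) missing="$missing subject-emailAddress" ;;
  esac
  text=$(openssl x509 -in "$crt" -noout -text)
  # SAN entries render as "email:user@host" in the -text dump.
  if ! printf '%s\n' "$text" | grep -o 'email:[^, ]*' | grep -qxF "email:$addr"; then
    missing="$missing SAN-rfc822Name"
  fi
  if ! printf '%s\n' "$text" | grep -q 'E-mail Protection'; then
    missing="$missing EKU-emailProtection"
  fi
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; return 1; fi
}

# Stand-alone use: ./smime_cert.sh user@example.com
if [ $# -ge 1 ]; then
  make_smime_cert "$1" smime-key.pem smime-cert.pem && check_smime_cert smime-cert.pem "$1"
fi
```

On the Mac side, `openssl pkcs12 -export` bundles the key and cert into a .p12 that Keychain Access can import, after which the Trust setting still has to be changed by hand.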