[MlMt] Help creating a self-signed cert for S/MIME
Pete Resnick
resnick at episteme.net
Fri Oct 18 05:47:16 EDT 2019
On 18 Oct 2019, at 2:13, Bill Cole wrote:
> On 17 Oct 2019, at 17:45, Pete Resnick wrote:
>
>> Using MM 1.13 on Mojave. I tried creating a self-signed root S/MIME
>> certificate in the Keychain, but when I try to use it, all I get is:
>>
>> The specified item could not be found in the keychain. (error code
>> -25300)
>
> Generic "item not found" error (errSecItemNotFound.)
>
> You can get this when a cert (or any keychain item) doesn't have
> exactly the right name (or other attribute used for matching the item
> to a request), lacks a needed attribute (like a "trusted" flag), or is
> not in the default keychain. Historically it also could happen with
> access control issues, but I think Apple fixed that.
>
>> Obviously I'm missing something. Anyone have a recipe?
>
> In Keychain Access, use the Certificate Assistant to create a new
> cert. In the first screen of the creation wizard, give it a
> reasonable display name, select "Self Signed Root" and "S/MIME
> (Email)" from the menus. Check the "Let me override defaults" box and
> hit Continue. In the first screen, enter the exact email address you
> want the cert to work for, without angle brackets. Click through all
> the other screens without changes unless there's something you KNOW
> you want to change, such as key type and size, until you get to the
> "Subject Alternative Name" extension screen. Make sure your address is
> there, in the "RFC 822 Name" field. Click through until done, saving
> the cert in your default keychain, usually named "login". Open the
> cert in Keychain Access, expand the Trust section, and select "Always
> Trust" in the menu next to "When using this certificate:" which will
> apply to all of the specific uses listed beneath. You can *probably*
> get away with "Use Custom Settings" and only switching S/MIME to
> "Always Trust" but I have not tried that.
>
> The first time you try to use the cert in MM, you will get a keychain
> access authentication dialog. If you click "Always Allow" after
> entering your password, you won't be prompted that way again, it will
> Just Work in MM.
>
>> Or some ideas about what I can check for what went wrong?
>
> Make sure the cert and its private key are in the default keychain,
> are trusted, and have the right email address in both the Subject Name
> section and the Subject Alternative Name extension.
>
> This message is signed with a cert I created as described above. I
> expanded the allowed uses and used an ECC key, but those don't affect
> how MM works with it.
No joy in Mudville. I followed the recipe to the letter, and I get the
same message. :-( Any other thoughts?
> Thank you for all the work you've done to make Internet email viable
> and robust.
I'm not sure I want to take credit for the current state of Internet
e-mail! :-D
> And also for the bajillion occurrences of "x-stuff-for-pete" in my
> mail archives. :)
That was Steve's sense of humor. Some of the more "colorful" uses of my
name appeared in the source code comments.
pr
--
Pete Resnick http://www.episteme.net/
All connections to the world are tenuous at best
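The recipe Bill gives above is for Keychain Access; as an added example that is not part of this thread, here is the same certificate built with the openssl command line, which makes the requirement explicit that the address appears both in the Subject and as the SAN rfc822Name, and checks it afterwards. It assumes openssl is on PATH; the address and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed S/MIME cert whose
# email address is in both the Subject (emailAddress=) and the Subject
# Alternative Name (rfc822Name), the two places the recipe says must match.
# Assumes openssl is installed; the address and paths are placeholders.
set -e

# make_smime_cert EMAIL OUTDIR -> writes OUTDIR/smime.key and OUTDIR/smime.crt
make_smime_cert() {
    email="$1"; dir="$2"
    mkdir -p "$dir"
    # Minimal request config: no interactive prompts, S/MIME key usages,
    # and "email:copy" copies the Subject emailAddress into the SAN.
    cat > "$dir/smime.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = smime_ext
prompt             = no
[ dn ]
CN           = $email
emailAddress = $email
[ smime_ext ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName   = email:copy
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/smime.key" -out "$dir/smime.crt" \
        -config "$dir/smime.cnf" >/dev/null 2>&1
}

# subject_has_email CERT EMAIL -> exit 0 iff the Subject carries that address
subject_has_email() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | grep -qE "emailAddress *= *$2"
}

# san_has_email CERT EMAIL -> exit 0 iff the SAN lists that rfc822Name
# (the SAN is printed as "email:<addr>" in the text dump, the Subject is not)
san_has_email() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "email:$2"
}
```

A cert that passes both checks still has to be imported into the login keychain and marked trusted, as described above; openssl only produces the files.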