[MlMt] Help creating a self-signed cert for S/MIME
Pete Resnick
resnick at episteme.net
Mon Oct 21 14:56:44 EDT 2019
Still looking for help on this one. No luck so far.
pr
On 18 Oct 2019, at 4:47, Pete Resnick wrote:
> On 18 Oct 2019, at 2:13, Bill Cole wrote:
>
>> On 17 Oct 2019, at 17:45, Pete Resnick wrote:
>>
>>> Using MM 1.13 on Mojave. I tried creating a self-signed root S/MIME
>>> certificate in the Keychain, but when I try to use it, all I get is:
>>>
>>> The specified item could not be found in the keychain. (error code
>>> -25300)
>>
>> Generic "item not found" error (errSecItemNotFound.)
>>
>> You can get this when a cert (or any keychain item) doesn't have
>> exactly the right name (or other attribute used for matching the item
>> to a request,) lacks a needed attribute (like a "trusted" flag,) or
>> is not in the default keychain. Historically it also could happen
>> with access control issues, but I think Apple fixed that.
>>
>>> Obviously I'm missing something. Anyone have a recipe?
>>
>> In Keychain Access, use the Certificate Assistant to create a new
>> cert. In the first screen of the creation wizard, give it a
>> reasonable display name, select "Self Signed Root" and "S/MIME
>> (Email)" from the menus. Check the "Let me override defaults" box and
>> hit Continue. In the first screen, enter the exact email address you
>> want the cert to work for, without angle brackets. Click through all
>> the other screens without changes unless there's something you KNOW
>> you want to change, such as key type and size, until you get to the
>> "Subject Alternative Name" extension screen. Make sure your address
>> is there, in the "RFC 822 Name" field. Click through until done,
>> saving the cert in your default keychain, usually named "login". Open
>> the cert in Keychain Access, expand the Trust section, and select
>> "Always Trust" in the menu next to "When using this certificate:"
>> which will apply to all of the specific uses listed beneath. You can
>> *probably* get away with "Use Custom Settings" and only switching
>> S/MIME to "Always Trust" but I have not tried that.
>>
>> The first time you try to use the cert in MM, you will get a keychain
>> access authentication dialog. If you click "Always Allow" after
>> entering your password, you won't be prompted that way again, it
>> will Just Work in MM.
>>
>>> Or some ideas about what I can check for what went wrong?
>>
>> Make sure the cert and its private key are in the default keychain,
>> are trusted, and have the right email address in both the Subject
>> Name section and the Subject Alternative Name extension.
>>
>> This message is signed with a cert I created as described above. I
>> expanded the allowed uses and used an ECC key, but those don't affect
>> how MM works with it.
>
> No joy in Mudville. I followed the recipe to the letter, and I get the
> same message. :-( Any other thoughts?
>
>> Thank you for all the work you've done to make Internet email viable
>> and robust.
>
> I'm not sure I want to take credit for the current state of Internet
> e-mail! :-D
>
>> And also for the bajillion occurrences of "x-stuff-for-pete" in my
>> mail archives. :)
>
> That was Steve's sense of humor. Some of the more "colorful" uses of
> my name appeared in the source code comments.
>
> pr
--
Pete Resnick http://www.episteme.net/
All connections to the world are tenuous at best
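
The checklist quoted above (address in both the Subject Name and the "RFC 822 Name" of the Subject Alternative Name, private key belonging to the cert) can be verified outside Keychain Access on an exported PEM certificate and key. The script below is an added example, not part of the thread or of MailMate: it builds a throwaway self-signed certificate with openssl and runs those checks on it. It assumes OpenSSL 1.1.1 or later (for `-addext`); the address, names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Address, names and paths are constructed.

# make_smime_cert EMAIL DIR: write DIR/key.pem and DIR/cert.pem, self-signed,
# with EMAIL in the subject and as an RFC 822 name in subjectAltName.
make_smime_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$2/key.pem" -out "$2/cert.pem" \
        -subj "/CN=Constructed Test User/emailAddress=$1" \
        -addext "subjectAltName=email:$1" 2>/dev/null
}

# check_smime_cert CERT KEY EMAIL: return 0 only if every check passes.
check_smime_cert() {
    cert=$1 key=$2 email=$3 rc=0
    # Subject: split the DN into one RDN per line, then match exactly.
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' \
        | grep -Fxq "emailAddress=$email" \
        || { echo "subject lacks emailAddress=$email"; rc=1; }
    # SAN: the line after the extension header lists the names.
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
        | tr -d ' ' | tr ',' '\n' \
        | grep -Fxq "email:$email" \
        || { echo "SAN lacks RFC 822 name $email"; rc=1; }
    # The private key must belong to the certificate.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "private key does not match certificate"; rc=1; }
    return $rc
}

# Demo on a throwaway certificate.
tmp=$(mktemp -d)
make_smime_cert "user@example.test" "$tmp" \
    && check_smime_cert "$tmp/cert.pem" "$tmp/key.pem" "user@example.test" \
    && echo "all checks passed"
rm -rf "$tmp"
```

Trust settings and keychain placement are not visible to openssl; on macOS, `security find-identity -v -p smime` lists the identities the keychain considers valid for S/MIME.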