[MlMt] Help creating a self-signed cert for S/MIME

Bill Cole mmlist-20120120 at billmail.scconsult.com
Mon Oct 21 15:52:34 EDT 2019


On 21 Oct 2019, at 14:56, Pete Resnick wrote:

> Still looking for help on this one. No luck so far.

I'm all out of ideas because I can't reproduce the failure. That implies either a difference between 1.13 and the 2.0BETA equivalent (r6142) or something as yet unspecified and unknown.

You might get more information by looking at what MM logs. Make the failure occur and then run this in a shell:

log show --debug --info --last 1m --predicate 'processImagePath endswith "MailMate"'

That will show you the full details of what MM logged in the past minute. It may have useful clues, or it may not.


> On 18 Oct 2019, at 4:47, Pete Resnick wrote:
>
>> On 18 Oct 2019, at 2:13, Bill Cole wrote:
>>
>>> On 17 Oct 2019, at 17:45, Pete Resnick wrote:
>>>
>>>> Using MM 1.13 on Mojave. I tried creating a self-signed root S/MIME certificate in the Keychain, but when I try to use it, all I get is:
>>>>
>>>> 	The specified item could not be found in the keychain. (error code -25300)
>>>
>>> Generic "item not found" error (errSecItemNotFound.)
>>>
>>> You can get this when a cert (or any keychain item) doesn't have exactly the right name (or other attribute used for matching the item to a request,) lacks a needed attribute (like a "trusted" flag,) or is not in the default keychain. Historically it also could happen with access control issues, but I think Apple fixed that.
>>>
>>>> Obviously I'm missing something. Anyone have a recipe?
>>>
>>> In Keychain Access, use the Certificate Assistant to create a new cert. In the first screen of the creation wizard, give it a reasonable display name, select "Self Signed Root" and "S/MIME (Email)" from the menus. Check the "Let me override defaults" box and hit Continue. In the first screen, enter the exact email address you want the cert to work for, without angle brackets. Click through all the other screens without changes unless there's something you KNOW you want to change, such as key type and size, until you get to the "Subject Alternative Name" extension screen. Make sure your address is there, in the "RFC 822 Name" field. Click through until done, saving the cert in your default keychain, usually named "login". Open the cert in Keychain Access, expand the Trust section, and select "Always Trust" in the menu next to "When using this certificate:" which will apply to all of the specific uses listed beneath. You can *probably* get away with "Use Custom Settings" and only switching S/MIME to "Always Trust" but I have not tried that.
>>>
>>> The first time you try to use the cert in MM, you will get a keychain access authentication dialog. If you click "Always Allow" after entering your password, you won't be prompted that way again, it will Just Work in MM.
>>>
>>>> Or some ideas about what I can check for what went wrong?
>>>
>>> Make sure the cert and its private key are in the default keychain, are trusted, and have the right email address in both the Subject Name section and the Subject Alternative Name extension.
>>>
>>> This message is signed with a cert I created as described above. I expanded the allowed uses and used an ECC key, but those don't affect how MM works with it.
>>
>> No joy in Mudville. I followed the recipe to the letter, and I get the same message. :-( Any other thoughts?
>>
>>> Thank you for all the work you've done to make Internet email viable and robust.
>>
>> I'm not sure I want to take credit for the current state of Internet e-mail! :-D
>>
>>> And also for the bajillion occurrences of "x-stuff-for-pete" in my mail archives. :)
>>
>> That was Steve's sense of humor. Some of the more "colorful" uses of my name appeared in the source code comments.
>>
>> pr
>
>
> -- 
> Pete Resnick http://www.episteme.net/
> All connections to the world are tenuous at best
> _______________________________________________
> mailmate mailing list
> mailmate at lists.freron.com
> https://lists.freron.com/listinfo/mailmate


-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
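
Added example, not part of the message above or of MailMate: a shell check for the advice that the cert must carry the right email address in both the Subject Name and the Subject Alternative Name extension. The function name, the placeholder address user@example.org, the constructed sample dump and the case-insensitive comparison are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Reads `openssl x509 -noout -text` output on
# stdin and checks that ADDRESS is in both the Subject and the SAN extension.
# On macOS (user@example.org is a placeholder address):
#   security find-certificate -e user@example.org -p | openssl x509 -noout -text \
#     | check_smime_cert_text user@example.org

lower() { tr '[:upper:]' '[:lower:]'; }

check_smime_cert_text() {
    [ -n "$1" ] || { echo "usage: check_smime_cert_text ADDRESS" >&2; return 2; }
    want=$(printf '%s' "$1" | lower)
    text=$(cat)
    # OpenSSL prints "emailAddress = x"; LibreSSL and older builds "/emailAddress=x".
    subj_email=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p' | head -n 1 |
        tr ',/' '\n\n' | sed -n -e 's/ *$//' -e 's/^ *emailAddress *= *//p' |
        head -n 1 | lower)
    # SAN values sit on the line after the extension header, as "email:x".
    san_emails=$(printf '%s\n' "$text" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -n -e 's/ *$//' -e 's/^ *email://p' | lower)
    rc=0
    if [ "$subj_email" = "$want" ]; then
        echo "OK   Subject emailAddress matches"
    else
        echo "FAIL Subject emailAddress is '${subj_email:-<none>}'"; rc=1
    fi
    if printf '%s\n' "$san_emails" | grep -Fxq "$want"; then
        echo "OK   SAN RFC 822 name matches"
    else
        echo "FAIL SAN has no RFC 822 name equal to $want"; rc=1
    fi
    return $rc
}

# Constructed sample dump (not a real certificate) so the check runs offline.
sample_cert_text() {
cat <<'EOF'
Certificate:
    Data:
        Issuer: CN = Example User, emailAddress = user@example.org
        Subject: CN = Example User, emailAddress = user@example.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:user@example.org
EOF
}

sample_cert_text | check_smime_cert_text User@Example.org
```

A FAIL on either line points at the name-matching cause of errSecItemNotFound described in the quoted reply; trust settings and keychain location still have to be checked in Keychain Access.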