Root keychain certificates

Hi, I've run into a little problem where my root certificates have gone missing from /System/Library/Keychains. Found this out by doing the Keychain First Aid, which can't repair it.
Found an article on it here: http://discussions.apple.com/thread.jspa?threadID=1889818
I've asked other people I know with Macs to send me their folder but they have older versions of Mac OS X, so they don't have those files.
I also can't find the restore CDs...
So I'm falling back on asking: does anyone have these files available that I can use?
Thanks in advance...

Never mind, went to an Apple Store and copied the files off a display model. All working now!

Similar Messages

  • Error -2147415740 from Keychain when importing a root CA certificate

    I've been given an iMac at work to use as my primary workstation, and work in an environment that uses certificate based authentication. I was provided the root CA certificate as a .pem file to import into my system, and every time I try, Keychain Access throws an error of "-2147415740".
    Running "openssl x509 -inform pem -in cacert.pem -text" shows the certificate as valid, and specifically:
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (8192 bit)
    Modulus (8192 bit):
    I've seen a few other reports of this, and it seems to be tied to the certificate being signed with an 8192 bit key. Asking the company to change to a lower key to sign the certificate is not a possibility, as it would require redistribution across a high number of machines to work around what appears to be an OS X specific bug. Does anyone know a workaround?
    Out of curiosity, I took the certificate and imported it successfully into an iBook running OS X 10.4.0. The certificate continues to work all the way up to 10.4.8, but breaks once Security Update 2006-007 or 10.4.9 is applied. The certificate is also imported just fine on an iPad running iOS 4.2.1.
    For now, I have to avoid using any Apple provided tools, and many 3rd party OS X programs, negating the benefit of using OS X and an iMac.

    sigh
    Result 1, this thread
    Result 2, another person encountering the same problem and posted here on the discussion forums, unanswered, beyond me responding to see if it is the exact same situation I'm now running into.
    Result 3, a posting to the OpenCA users list, also confirming the problem, with no specific solution to the error. Only a workaround of resigning the CA with a 4096bit or lower key, a workaround that as I mentioned already, cannot be done here without forcing every other user in the company to do work for what appears to only be an OS X specific problem/bug.
    Please only respond again if you have an actual useful suggestion for this exact problem. These boards are to help facilitate discussion about problems leading to a solution. Neither of your generic responses has helped, and I'd appreciate it if you could avoid wasting more of my time following up on a new post notification.

  • Export & Import Self-Signed Root CA Certificate?

    I have created a self-signed Root CA certificate with which I sign all of my other certificates on a Leopard Server. This Root CA is installed and trusted on all of our client machines.
    I recently tested exporting and archiving the Root CA in every format available from Keychain Access and then tried to import these files into another Snow Leopard server and was unable to assign the imported Certificates as a "Default Certificate Authority".
    Does anyone know how I can set this Root CA that I created on another server as the default CA on this new machine for signing all future certificates that I create?
    For some reason when I go into Keychain Access and select: Keychain Access -> Certificate Assistant -> Set the Default Certificate Authority… I end up with no certificates to choose from and the "Add a Certificate Authority…" button will not allow me to select any of the exported certificate formats that I archived.
    Any thoughts?

    Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
    I have found precious little information about this specific to Apple OS.

  • I opened a file on my desktop that I don't remember putting there.  It turned out to be a keychain certificate from a client of ours.  Does this mean that they were spying on me?  What is the deal with that?  Any ideas?

    I opened a file on my desktop that I don't remember putting there. We use many photos and I thought it was a photo file I was looking for. It turned out to be a keychain certificate from a client of ours.  Does this mean that they were spying on me?  What is the deal with that?  Any ideas?

    Interesting tidbit.  I created an AAC of the original file, deleted the original MP3 from my library and also deleted the Clean matched track from iCloud.
    Result is that it matched with the explicit version of Mrs. Officer this time.
    What I am curious about is which songs this is happening for. I've gone through a few batches of about 500 songs at a time and redownloaded in 256k for many tracks. Sadly we don't have people to bring this to our attention and I have so much music that it's impossible to go through every song to make sure I am getting the right version.

  • Keychain Certificate Assistant User interaction is not allowed

    Hi Guys,
    I have a problem with my Keychain Certificate Assistant and require your help with it.
    Hope to find someone who has the same plight as me.
    I am trying to use the Certificate Assistant to request a certificate from a CA.
    However, I encounter this error:
    User interaction is not allowed
    I tried to send to email and failed too with the same error.
    I have also tried to repair via First Aid and all is fine.
    Also tried to unlock my keychain but nope, still can't.
    Any help?

    Try running a permissions fix routine on your hard drive using Disk Utility, and then try resetting your home folder permissions by booting to the Lion recovery HD partition (reboot with Command-R held down) and then opening the Terminal (in the Utilities menu) and running the command "resetpassword," which will launch a small password and permissions reset tool. In this tool, select your account and then click the button to reset home folder permissions and ACLs.
    After this is done, reboot normally and try creating the certificate again.

  • New deploy child domain certificate server didn't publish root trust certificate to the client

    Child domain certificate didn't install into child domain workstation.
    https://support.microsoft.com/en-us/kb/281271?wa=wsignin1.0
    Certification Authority configuration to publish certificates in Active Directory of trusted domain
    Any advice?
    Thanks.

    Hi,
    >>New deploy child domain certificate server didn't publish root trust certificate to the client
    Is this an enterprise root CA or standalone CA?
    If it is an enterprise root CA, it will automatically use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. If it is a standalone CA, we can configure GPO to distribute the certificate.
    Regarding how to use policy to distribute certificates, the following article can be referred to for more information.
    Use Policy to Distribute Certificates
    https://technet.microsoft.com/en-us/library/cc772491.aspx
    We can run the command gpupdate /force to immediately update group policy and then we can refresh the certificates in certmgr.msc to see if the certificate will come up.
    Besides, for certificate questions, we can also ask for suggestions in the following forum.
    Security
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards,
    Frank Shen

  • Preferences and Keychain certificate problems

    I was having problems with the directory paths on my computer. So I had some IT guy come in and work on my computer at work. Anyway, whatever he did he wiped out all my keychains and preferences. Now I can't save any preferences. I have made sure that they're unlocked, but no matter what I do I can't save any preferences. Desktop, dock, nothing. Also, the keychain certificates are not messed up. When I launch Safari I get the keychain certificate not found. So, I can't save bookmarks or add anything to my bookmarks bar.
    How do I fix this problem?

    To start with you can run Disk Utility and repair permissions.  This may not take care of them all but at least some major preference settings should be adjusted correctly.

  • Root CA certificate marked as non-exportable

    Hello All.
    I've found myself with an odd issue. A few months ago I migrated from an old 2008R2 Enterprise CA to a new 2012R2 Core Enterprise CA. I exported the Root CA cert from the old server using the following:
    certutil.exe -backupkey C:\Temp\Migration
    That made a P12 file with the private key. I then imported the Root CA on the new server (after decommissioning the old server, installing ADCS, etc) using this command:
    certutil.exe -importpfx "blah.p12"
    I continued the rest of the CA Migration steps per TechNet articles (http://technet.microsoft.com/en-us/library/31eca881-0744-447a-ae7a-597310b9d9bf(v=ws.10)#BKMK_PrepDest
    http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx).
    Things have been fine for months but I wanted to do a scheduled backup of our CA cert and got an error:
    C:\Scripts>Certutil.exe -p Blah -backupkey
    CABackupCertUtil: -backupKey command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
    CertUtil: Key not valid for use in specified state.
    This error appears to be because my Root CA cert is marked as non-exportable. I verified this by using the Certificates MMC and the option is greyed out.
    My understanding is that importing a PFX with no options marks the private key as exportable but for some reason mine didn't. I'm not sure why but the issue at hand is to fix this for the future.
    I can see 2 possible options. To re-import the P12 file (I still have the original file) or to possibly renew the Root CA certificate although I'm not sure if that will allow it to be exportable.
    We have a lot of certificates issued by this new CA so I'm looking for suggestions or caveats since I can't find anyone else with similar issues.
    Thanks!

    > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
    you can delete existing key from the store and re-import from PFX file.
    > My understand was that it imports by default with the private key being exportable
    Not sure about certutil (haven't used this parameter for a while). You can try to run it again and check whether it will allow key export.
    > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
    no, you will still see the same certificate list as before, because this list is maintained by renewals and internal CA database information.
    > Or do you think it would be as easy as re-importing?
    Re-import will solve the issue. If certutil won't help, then use MMC.

  • Root CA Certificate expired in WTK

    Hi, does anybody know how to renew the root CA certificate for WTK? The one that is included with WTK is expired.
    Thanks

    Hi there,
    Did you ever find a solution to this problem? I'm having a similar problem with a midlet connecting to a https webpage. I get a root ca's certificate expired in wtk 2.
    Any suggestions would be great....thanks

  • How to import Root CA certificate (Firefox 22)on windows using certutil? what are the dlls required?

    I was using certutil from my application to import a root CA certificate, but it started complaining about missing dlls after Firefox 18. What are the dlls required?
    It would be appreciated if someone could give the code Firefox uses to import root CA certificates.
    Thanks

    I found the following with a google search. Hope it helps.
    * https://support.mozilla.org/questions/955513 How to add a private SSL root certificate authority
    * https://support.mozilla.org//questions/952035 Where can I download certutil.exe and the NSS Utils for Windows
    * https://www.felixrr.pro/archives/165/mozilla-nss-utils-with-nspr-compiled-for-download
    * http://wiki.cacert.org/FAQ/BrowserClients#Mozilla_Firefox

  • Reinstall deleted Keychain Certificates

    Hello. I thought it would be extremely wise to go ahead and delete all of the x.509 certificates in Keychain. I had a great time doing it and look forward to doing it again someday!
    Okay. Actually I won't do it again. I don't want to discuss it. What I would like to discuss is how do I go about getting the certificates back in there. Is there something on the Tiger install disk? I didn't see any way to just install certificates or just install Keychain.
    My Mac experience is now very annoying without my Keychain certificates. I wish they were back in my Keychain now. I miss them.
    Looking forward to some professional help.
    G
    iMac G5   Mac OS X (10.4.8)  

    kofi567 wrote:
    What I suggest is to ask someone you know to copy the app Keychain Access and send it to you via e-mail
    That's not allowed both by the Leopard ULA and by the forum rules.
    To the original poster: open the install disk using Pacifist and enter "Keychain Access" in the Pacifist search window. It will find it for you on the install disk.

  • Intermediate CA certificate and the Root CA certificate

    HI
    What are Intermediate CA certificate and the Root CA certificate ??
    What is the difference between these two types of certificates ??
    What are all the other alternative names that are used with these names ??
    thanks
    kumar

    Hi,
    An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate.
    The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.
    Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.
    Refer
    https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
    The advantages of using intermediate certificates - Sometimes referred to as 'chaining'
    http://www.whichssl.com/intermediate_certificates2.html
    Root certificate
    The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers.
    A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
    http://support.microsoft.com/kb/887413
    Thanks
    swarup

  • Keychain & certificates

    How do I stop mail from asking for a keychain password all the time? can it be switched off? Also I have three certificates that come up with a red x and "This root certificate is not trusted" could some one please explain this to me.
    Thanks

    Launch Keychain Access->login.keychain->find the one for your email, delete it, and quit KA. Launch Mail and put in username and password combo and save it to the keychain. That should fix that issue.
    Click on the Desktop->Help->Mac Help->search for certificate and be overwhelmed.

  • I deleted all my Keychain Certificates

    Must have been during a rabid senior moment. Now I get all these untrusted certificate messages in email and Safari, and they are going into Keychain. However as best as I can tell, I need to obtain a Root Certificate from the Certificate Authority (CA) or the Issuer who appears to be VeriSign. Evidently one can spot the Root Certificate because they have nice golden borders vice the plain blue borders, and they are supposed to live in the X509Anchors. This is what I THINK that I understand. However, when I tried an online chat with a VeriSign rep. it rapidly went down hill and he talked about thousands of certificates and CAs etc. I did mention that to date every certificate that I have seen appears to have been issued by them; _VeriSign Class 3 Public Primary Certification Authority - G5.cer_
    I did get an email address and have tried the Keychain Access Certificate Assistant - Request a certificate from an existing CA. I am waiting to see what that will result in.
    However, I am curious to see if there are others out there who have experienced this and if they have gotten a real fix.
    Thanks,
    DN

    Hi DN, I've seen this a few times, the cure is to restore from a backup, copy from another machine, do an Archive & install, or try these...
    http://web.fastermac.net/~bdaqua/X509Anchors.zip
    http://web.fastermac.net/~bdaqua/X509Certificates.zip

  • HOW TO INSTALL ROOT (Authority) CERTIFICATES ON S4...

    Recently I bought a 6500 Classic and stupidly deleted my Authority Certificates.
    After trawling the net for info on how to re-install certificates I couldn't find an answer apart from NO YOU CAN'T DO THIS.
    Well to that I say NUTS!!! because you can and I will show you how by simply following these steps.
    1. Create a New Folder on your desktop and call it whatever you like.
    2. Open Notepad on your computer.
    3. Copy the text below into the Notepad file. (I got this from some website as they were using it for something else but it does work so thanks to them or thanks to you if this is yours)
    <?xml version="1.0"?>
    <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Install root CA</title>
    </head>
    <body>
    <p>
    <a href="der1.cer">Download a CA Cert1</a>
    <a href="der2.cer">Download a CA Cert2</a>
    <a href="der3.cer">Download a CA Cert3</a>
    <a href="der4.cer">Download a CA Cert4</a>
    <a href="der5.cer">Download a CA Cert5</a>
    <a href="der6.cer">Download a CA Cert6</a>
    <a href="der7.cer">Download a CA Cert7</a>
    <a href="der8.cer">Download a CA Cert8</a>
    <a href="der9.cer">Download a CA Cert9</a>
    <a href="der10.cer">Download a CA Cert10</a>
    <a href="der11.cer">Download a CA Cert11</a>
    </p>
    </body>
    </html>
    4. Save the Notepad file as type ALL FILES but when naming it just call it cert.html and save it to the folder you created on your desktop earlier.
    5. Now download the Root Certificates you need to the same folder on your Desktop.
    6. When saving the first Certificate to the folder call it der1 ((make sure not to take out the file extension eg .cer)) then the second der2, third der3 and so on and so on till you get to der11. (Don't worry, this will not rename the certificate when it installs on your phone.)
    Example of what the files in your Desktop folder should be called: der1.cer, der2.cer etc etc.
    7. Now transfer the whole folder from your Desktop to your Mobile phone. (I did this by using Nokia PC Suite.)
    8. When the folder with the certificates and html we made has been transferred to your phone, navigate using your phone to that folder.
    9. Go into the folder and open the cert.html file. (Your browser will now open a page with 11 download links available)
    10. Now all you have to do is click on each link and accept each certificate, remembering to save, and they will install on your phone. (On my 6500 Classic I can check this by navigating through my phone to Menu>Settings>Security>Authority Certificates)
    Notes:- Some errors you may receive when trying to download the certificates through your phone browser may be Already Exists, Expired Certificate and the most annoying is Corrupted Certificate.
    Already Exists - Shouldn't allow you to save (DO NOT SAVE IF IT ALLOWS YOU)
    Expired Certificate - (DO NOT SAVE)
    Corrupted Certificate - Install the certificate on your computer first, then go to Tools>Internet Options>Content>Certificates.
    (save the certificate to other people tab) Browse for the certificate you installed then export it in DER format to the Desktop Folder you created then start the process over again to get it onto your phone.
    Remember to delete any certificates as you go that you have already installed so you don't get mixed up.
    Any issues, reply and I will do what I can to help, and if anyone has Hutchinson 3G Root Certificates please let me know.
    Thanks.
    Message Edited by andyhardie on 15-Jul-2009 04:05 PM
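
The folder preparation from steps 3 to 6 of the post above, as an added Python example that is not part of the original post: it converts PEM files to DER (the format the post exports to when the phone reports "Corrupted Certificate"), skips files whose declared ASN.1 length does not match their size, renames the rest to der1.cer, der2.cer and so on, and writes cert.html with one link per file. The function names, the folder names and the stub bytes used in demo() are assumptions made for illustration.

```python
import ssl
import tempfile
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PAGE = """<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Install root CA</title></head>
<body><p>
{links}
</p></body>
</html>
"""

def declared_length(der: bytes) -> int:
    """Total size the outer ASN.1 SEQUENCE header says the file should have."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with an ASN.1 SEQUENCE")
    if der[1] < 0x80:                  # short form: the length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def to_der(raw: bytes) -> bytes:
    """Accept a PEM or DER certificate file and return length-checked DER bytes."""
    if raw.lstrip().startswith(PEM_HEADER):
        # PEM is base64-wrapped DER between header and footer lines.
        raw = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    if declared_length(raw) != len(raw):
        raise ValueError("truncated file or trailing data")
    return raw

def build_bundle(src: Path, out: Path):
    """Write der1.cer..derN.cer and cert.html into out; return (mapping, skipped)."""
    out.mkdir(parents=True, exist_ok=True)
    mapping, skipped, links = [], [], []
    for path in sorted(p for p in src.iterdir() if p.is_file()):
        try:
            der = to_der(path.read_bytes())
        except ValueError as exc:      # also covers bad base64 and non-ASCII PEM
            skipped.append((path.name, str(exc)))
            continue
        name = f"der{len(mapping) + 1}.cer"
        (out / name).write_bytes(der)
        mapping.append((name, path.name))   # keep a record of what each derN.cer was
        links.append(f'<a href="{name}">Download a CA Cert{len(mapping)}</a>')
    (out / "cert.html").write_text(PAGE.format(links="\n".join(links)), encoding="ascii")
    return mapping, skipped

def demo():
    """Run on constructed files: a DER stub, its PEM form, and a truncated copy."""
    stub = b"\x30\x03\x02\x01\x05"     # constructed ASN.1 stub, not a real certificate
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "downloads"), Path(tmp, "phone")
        src.mkdir()
        (src / "a-root.cer").write_bytes(stub)
        (src / "b-root.pem").write_bytes(ssl.DER_cert_to_PEM_cert(stub).encode("ascii"))
        (src / "c-broken.cer").write_bytes(stub[:-1])
        mapping, skipped = build_bundle(src, out)
        page = (out / "cert.html").read_text(encoding="ascii")
        return mapping, skipped, page, (out / "der2.cer").read_bytes()

if __name__ == "__main__":
    print(demo())
```

The length check only confirms that a file is one complete DER object; it does not validate the certificate, so the expiry and trust prompts on the phone still need to be read.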

    I have a Nokia 6300 s40v3 and when I tried to open cert.html it showed format unknown.
    What should I do? Can you tell me the format of the bookmark so that I can rename it to cer.(format)
    Sir, please give some guidance, it's very urgent
    reply at *******
    MODERATOR'S NOTE:
    Personal details removed by a moderator. We kindly ask you not to share your personal e-mail address or any other personal information publicly on this forum. This is for your personal safety and privacy.
    Message edited by Aikin19
