Add to "My certificates" in Keychain Access? (Mac OS 10.10)
I have a certificate file like this:
-----BEGIN CERTIFICATE-----
MIIHCDCCBPC ....
I can get it to show up under "Certificates" by going to "File->import items" (it is the "Elin" one).
I can however not add it to "My certificates" which I think is necessary to have it show up when connecting to certain websites:
How do I get it over there? (Do I need to turn it into .p12 for example and in that case how?)
Solution 1:
Short version:
You can't use it as your certificate unless you have the private key that forms a matched set with the public key that's in the certificate. Go find where you left your private key and import that into the keychain, and Keychain Access will automatically see that it matches with the public key in that certificate and start showing that certificate in the "My Certificates" list.
Long version:
Certificates are public documents that you can freely distribute. They are just a way to securely link your identity (i.e. identifying information like your full name, username, email address, etc.) to your public key.
Since certificates are publicly distributable, simply having a copy of a certificate is not proof you are the person named in the certificate, or that the public key in the certificate is truly your public key.
To be able to prove that a certificate is yours, you must have the private key that forms a matched set with the public key contained in the certificate.
If you just have a .p7b or .cer or .pem file, it most likely just contains a certificate, but not the private key that goes with it.
Private keys must be kept completely secure and private and never given to anyone else. When stored on disk, they should be stored in an encrypted file that you need a passphrase to decrypt. The typical way to securely store a certificate along with the matching private key in an encrypted, password-protected file, is a .p12 (PKCS#12) file. See if you already have a .p12 file somewhere.
If Keychain Access shows a certificate in your personal keychain, but it doesn't show it in the "My Certificates" list, it means you imported just a certificate but not the private key that goes with it, so OS X can't tell that it's truly "yours".
You need to go find where your private key was stored when you first generated your public/private key pair. Generating a key pair is the first step toward getting a certificate. First a key pair is generated, then the public key, along with your identity information, is put into a Certificate Signing Request (a.k.a. CSR, req), and sent off to a Certificate Authority (CA) to be signed. The CA is supposed to verify your identity information and your public key, and then if it all checks out, they sign the CSR, creating a certificate. The signed certificate is sent back to you, and you have to match it back up with the private key you'd generated in the first step, in order to truly use it.
Note that the role of CA is nothing terribly special. It doesn't have to be some corporation like Verisign. Every personal computer OS contains all the software necessary to act as a CA. Keychain Access's Certificate Assistant feature will even walk you through setting up your CA setup for your own private use.
If you don't remember generating a key pair, you were probably using some software that did it automatically for you. For example, there's a special HTML tag that CA websites can use on their CSR web forms that tells your web browser to automatically generate a key pair and submit just the public key along with the web form. When you use Safari on such a form, the private key is stored in the user keychain for the OS X user account you're logged into. When you use IE in Windows on such a form, the private key is stored in the Windows equivalent of that (Microsoft calls this the user's "Certificate Store"; "store" as in "storage container" not "retail shop" :-).
I can't tell you where your private key is because I don't know what software you used to create it, and even if I knew that, I wouldn't know for sure where you told that software to save your private key. You'll probably have to sleuth that out yourself.
If you can't find your private key, you may need to consider it compromised and revoke your certificate (you may need to contact your CA to do that) and start over by generating a new key pair, creating a new CSR, having a CA sign it and issue a certificate, match it up with the new private key, etc. This is kind of like realizing that you're missing a copy of your house key, and choosing to have a locksmith rekey all your door locks just to be safe.
tl;dr: Go find your private key and import it into the keychain.