Macos – Generating certificate signing request in Keychain Access: which private key is used

csrkeychainmacosssl-certificate

I am wondering which private key Keychain Access in Mac OS X (Snow Leopard, now Lion) uses. Whenever I create a CSR using that app, it does not even ask for a private key to use. So which one does it use then?

I could imagine that it used the selected one, if you've selected one in your certificate list. But generating the request even works when nothing is selected at all or, making sure it's not an "invisible" selection, if the item that's selected is not a private key.

Does anyone know?

Thanks in advance

Arne

Best Answer

It generates a new public/private keypair when you create a CSR in Keychain Access. The name of the key will be what you entered in the "Common Name" field when generating the CSR.

If you would like to generate a new CSR from an existing key, I do not believe this can be done entirely within Keychain Access. For how to do it with Keychain Access and OpenSSL, see How can I use an existing private key to a new iOS development certificate?

Related Solutions

Macos – Remove private key from Mac OS X keychain using Terminal

There are several keychains on your system:

sudo security list-keychains
"/Users/JonDoe/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"

I think you imported it into the System-Keychain: First make a backup of your System Root Certificates before making any changes (or any other keychain you choose):

cd /System/Library/Keychains/
sudo cp SystemRootCertificates.keychain SystemRootCertificates.keychain.old

List all keychains / all certificates in your keychain:

ls -l /System/Library/Keychains/
sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

With the second command each certificate of the keychain is shown. Identify the certificate you want to remove. Then remove the certificate with the following command:

sudo security delete-certificate -Z <SHA-1 hash of certificate> /System/Library/Keychains/SystemRootCertificates.keychain
**alternative:**
sudo security delete-certificate -c <common name of certificate> /System/Library/Keychains/SystemRootCertificates.keychain

That's all. Now you can import your certificate again. In case of an error, you can restore your keychain with the following command:

sudo security import certificate_files_backup -k /System/Library/Keychains/SystemRootCertificates.keychain -t cert

Ios – Adding private key into iOS Keychain

The following code worked for me:

NSMutableDictionary *query = [[NSMutableDictionary alloc] init]; 
[query setObject:(id)kSecClassKey forKey:(id)kSecClass]; 
[query setObject:(id)kSecAttrAccessibleWhenUnlocked forKey:(id)kSecAttrAccessible]; 
[query setObject:[NSNumber numberWithBool:YES] forKey:(id)kSecReturnData];

//adding access key 
[query setObject:(id)key forKey:(id)kSecAttrApplicationTag];


//removing item if it exists 
SecItemDelete((CFDictionaryRef)query);

//setting data (private key) 
[query setObject:(id)data forKey:(id)kSecValueData];

CFTypeRef persistKey; OSStatus status = SecItemAdd((CFDictionaryRef)query, &persistKey);

if(status) {
    NSLog(@"Keychain error occured: %ld (statuscode)", status);
    return NO; 
}

Best Answer

Related Solutions

Macos – Remove private key from Mac OS X keychain using Terminal

Ios – Adding private key into iOS Keychain

Related Topic