1

I'm trying to export Certificate key "Apple Push Service" from MAC machine (for Google Cloud Messaging porpoises). this key I just created it with below steps from Apple web site

To manually generate a Certificate, you need a Certificate Signing Request (CSR) file from your Mac. To create a CSR file, follow the instructions below to create one using Keychain Access.

Create a CSR file.

In the Applications folder on your Mac, open the Utilities folder and launch Keychain Access.

Within the Keychain Access drop down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

  • In the Certificate Information window, enter the folwing information: In the User Email Address field, enter your email address. In the Common Name field, create a name for your private key (e.g., John Doe Dev Key). The CA Email Address field should be left empty. In the "Request is" group,

    select the "Saved to disk" option.

Click Continue within Keychain Access to complete the CSR generating process.

I created the certificate the I need to export it to .p12 file to complete my process.

So I did the process as below (go to keychain and try to export) enter image description here

then when I try to write my password nothing happens, no error and no export (Nothing)!!!!

enter image description here

I'm sure my password is correct, and to be sure I reset my keychain "login" again , then restart the MAC machine, and try again, but still not working!!

I also tried to Export the key by command line below

security export -k login.keychain -t all -f pkcs12 -P myPasswordHere

But not working too with below error

security: SecKeychainItemExport: A cryptographic verification failure has occurred.

I even tried to delete this certificate and redo it again, and even I tried to reset all my login keychain and redo everything anain, but this also didn't help!!

Any help how can I export this certificate??? Thanks.

Tarek El-Mallah
  • 4,015
  • 1
  • 31
  • 46

1 Answers1

0

I knew the answer of my question and I thought to share it, it may help.

That problem is due to I was try to export certificate from keychain using VNC remote. according to Apple site, from MAC update 10+ there is a security enhancement that prevent exporting certificate from keychain if you are using any remote tool, you should be able to do that only on the physical machine.

details in below link

https://discussions.apple.com/thread/7305746?tstart=0

"the problem was working on these machines remotely via Apple Remote Desktop. With the 10.11.1 update, Apple introduced a "security fix" that disabled the ability for non-physical devices to interact with the Keychain. You can see the details of this "fix" here (scroll all the way to the bottom of the page and look for CVE-2015-5943 for a full description):

About the security content of OS X El Capitan v10.11.1 and Security Update 2015-007 - Apple Support "

You can confirm this being the issue with your machine if you view the system logs via the Console.app. When you click on "Always Allow", you should see the following in the logs: 

Ignoring user action since the  dialog has received events from an untrusted source

Basically, your click is being registered as a "synthetic click". In my case, this was because I was using Apple Remote Desktop (I also tested various other remote apps I use, like TeamViewer and iTeleport Connect, and all resulted in the same error in the logs). Basically, this affects any screen sharing app. My solution was to drive into the office and physically click "Always Allow" on each machine. Yay. Thanks Apple! Great "fix"!!!

After I went and try physical access to the MAC server, the problem solved and I was able to export certificate from the login KeyChain.

Tarek El-Mallah
  • 4,015
  • 1
  • 31
  • 46
  • I'm surprised that *sometimes* this works with desktop automation software - sometimes it doesn't recognize the forms though. – NoBugs May 26 '16 at 21:47