Maybe this can help you solve the issue: In the attached gif is 
the ASN.1 decoded content of the PFX (upper part) and the decrypted 
content of the pkcs8ShroudedKeyBag's octet string (lower part). 

A question regarding the Mac import attempt: Does the error occur 
before or after it asks for the password? (If it does not even ask 
for a password, the error must have to do with the upper part only.)

Peter

> Sent: Fri Nov 13 2009 Midori Green wrote:
> 
> Dear Lou and Dr. Henson:
> 
> Thank you again for e-mailing me with your assistance and suggestions,
> it is greatly appreciated.
> 
> I have tried both your suggestions, and specifically used the following
> commands:
> 
>     openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
>             -nomaciter -descert -name "Midori Green" -out midori1.p12
> 
>     openssl pkcs12 -export -inkey midori.key -in midori.cert \
>             -nomaciter -descert -name "Midori Green" -out midori2.p12
> 
>     openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
>             -name "Midori Green" -out midori3.p12
> 
>     openssl pkcs12 -export -inkey midori.key -in midori.cert \
>             -name "Midori Green" -out midori4.p12
> 
> But when I try to import: midori1.p12, midori2.p12, midori3.p12, &
> midori4.p12, I always still get that error:
> 
>     CSSMERR_CL_UNKNOWN_FORMAT
> 
> Note that I always import/export all PKCS12 and RSA private keys
> with a decent and not-null password.
> 
> Lou: it is especially good to hear from another Apple Mac user.
> Unfortunately I have to use an existing RSA private key, since that
> existing key and certificate key pair is currently also being used
> within other applications.  So I am prohibited from switching my
> existing personal RSA key to a new one generated within the
> Keychain Access application.
> 
> Dr. Henson: I was able to create a test RSA private key in Apple's
> Keychain Access, but I have not been able to create a corresponding
> certificate for it yet.  However, I was able to export that RSA private
> key only (no cert) as PKCS12, which I have attached to this e-mail.
> ("midori" is the PKCS12 password.)  I can open this PKCS12 file with
> OpenSSL and have successfully extracted the password and RSA
> private key.  :-)  I have also been able to re-import that PKCS12 file
> back into the KeyChain Access application.
> 
> I would appreciate it if, Dr. Henson, you could examine the attached
> file, and see if it is possible to determine if OpenSSL can do the reverse.
> (Take an existing RSA private key and create a PKCS12 file for it
> without a certificate, and import that into KeyChain Access so that
> it imports the RSA private key.)
> 
> Perhaps once the existing RSA private key is successfully imported,
> I can then import the certificate in a separate PKCS12 file as Lou
> described.
> 
> Thanks.

<<attachment: midori-test.gif>>
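The check Peter describes above (decoding the PFX's ASN.1 to see which SafeBag types and algorithms it carries) can be done offline with a small DER walker; the code below is an added example, not from the thread or from OpenSSL, and the SafeBag bytes it parses are constructed here (a real file would be passed as `walk(open(path, "rb").read())`). It handles definite-length DER only, which is what `openssl pkcs12 -export` writes.

```python
"""Walk a DER blob and name the PKCS#12 / PKCS#7 OIDs it contains."""

# OIDs that appear in a PKCS#12 (PFX) file (values from RFC 7292 and PKCS#7).
OIDS = {
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.2.840.113549.1.7.6": "pkcs7-encryptedData",
    "1.2.840.113549.1.12.10.1.1": "keyBag",
    "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag",
    "1.2.840.113549.1.12.10.1.3": "certBag",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data: bytes, pos: int):
    """Return (tag, is_constructed, body, next_pos) for the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (definite only)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, bool(tag & 0x20), data[pos:pos + length], pos + length


def walk(data: bytes, depth: int = 0):
    """Return [(depth, tag, label)] for every TLV; label names known OIDs."""
    out, pos = [], 0
    while pos < len(data):
        tag, constructed, body, pos = read_tlv(data, pos)
        oid = decode_oid(body) if tag == 0x06 else ""
        out.append((depth, tag, OIDS.get(oid, oid)))
        if constructed:                      # SEQUENCE, SET, [n] ... recurse
            out.extend(walk(body, depth + 1))
    return out


def tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (short-form length) used only to build the sample."""
    return bytes([tag, len(body)]) + body


# Constructed sample SafeBag: SEQUENCE { OID pkcs8ShroudedKeyBag, [0] { OCTET STRING } }
SAMPLE = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010c0a0102"))
             + tlv(0xA0, tlv(0x04, b"\x01\x02")))

if __name__ == "__main__":
    for depth, tag, label in walk(SAMPLE):
        print("  " * depth + f"tag=0x{tag:02x} {label}")
```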
