Maybe this can help you solve the issue: the attached GIF shows the ASN.1-decoded content of the PFX (upper part) and the decrypted content of the pkcs8ShroudedKeyBag's octet string (lower part).
A question regarding the Mac import attempt: does the error occur before or after it asks for the password? (If it does not even ask for a password, the error must have to do with the upper part only.)

Peter

> Sent: Fri Nov 13 2009 Midori Green wrote:
>
> Dear Lou and Dr. Henson:
>
> Thank you again for e-mailing me with your assistance and suggestions;
> it is greatly appreciated.
>
> I have tried both your suggestions, and specifically used the following
> commands:
>
> openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
> -nomaciter -descert -name "Midori Green" -out midori1.p12
>
> openssl pkcs12 -export -inkey midori.key -in midori.cert \
> -nomaciter -descert -name "Midori Green" -out midori2.p12
>
> openssl pkcs12 -export -clcerts -inkey midori.key -in midori.cert \
> -name "Midori Green" -out midori3.p12
>
> openssl pkcs12 -export -inkey midori.key -in midori.cert \
> -name "Midori Green" -out midori4.p12
>
> But when I try to import midori1.p12, midori2.p12, midori3.p12, and
> midori4.p12, I always still get that error:
>
> CSSMERR_CL_UNKNOWN_FORMAT
>
> Note that I always import/export all PKCS12 and RSA private keys
> with a decent and not-null password.
>
> Lou: it is especially good to hear from another Apple Mac user.
> Unfortunately I have to use an existing RSA private key, since that
> existing key and certificate key pair is currently also being used
> within other applications. So I am prohibited from switching my
> existing personal RSA key to a new one generated within the
> Keychain Access application.
>
> Dr. Henson: I was able to create a test RSA private key in Apple's
> Keychain Access, but I have not been able to create a corresponding
> certificate for it yet. However, I was able to export that RSA private
> key only (no cert) as PKCS12, which I have attached to this e-mail.
> ("midori" is the PKCS12 password.) I can open this PKCS12 file with
> OpenSSL and have successfully extracted the password and RSA
> private key. :-) I have also been able to re-import that PKCS12 file
> back into the Keychain Access application.
>
> I would appreciate it, Dr. Henson, if you could examine the attached
> file and see if it is possible to determine whether OpenSSL can do the
> reverse. (Take an existing RSA private key and create a PKCS12 file for
> it without a certificate, and import that into Keychain Access so that
> it imports the RSA private key.)
>
> Perhaps once the existing RSA private key is successfully imported,
> I can then import the certificate in a separate PKCS12 file as Lou
> described.
>
> Thanks.
<<attachment: midori-test.gif>>
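Added example, not part of the thread above: the two layers Peter distinguishes can be separated with the openssl command line alone. The script below generates a throwaway self-signed key pair (nothing from the original e-mail is used), exports it with the same `-nomaciter -descert` options Midori used, then dumps the outer PFX structure with `asn1parse`, which needs no password, and the shrouded-key and MAC details with `pkcs12 -info`, which does. The password "midori", the `-name example` alias and the scratch file names are constructed for this example. The key-only export the thread asks about is not attempted here.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): reproduce the
# "-nomaciter -descert" export with a throwaway key pair, then inspect the
# two layers of the resulting PFX: the outer structure that parses WITHOUT
# the password, and the inner content that only decodes once it is given.
set -e

WORK=$(mktemp -d)      # scratch directory; rm -rf "$WORK" when finished
P12PASS=midori         # constructed throwaway password for this example

# make_test_p12 OUT.p12 -- generate a fresh self-signed key pair (constructed
# here, not the key from the thread) and export it the way the thread did.
make_test_p12() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -nomaciter -descert -name example -out "$out" -passout "pass:$P12PASS"
}

# outer_structure FILE.p12 -- the "upper part", readable without a password:
#   SEQUENCE                      PFX
#     INTEGER :03                 version
#     SEQUENCE                    authSafe (ContentInfo)
#       OBJECT :pkcs7-data        contentType = id-data
#       cont [ 0 ]
#         OCTET STRING            DER of the AuthenticatedSafe
#     SEQUENCE                    MacData (digest, salt, iterations)
outer_structure() {
    openssl asn1parse -inform DER -in "$1"
}

# pfx_version FILE.p12 -- the version INTEGER from line 2 of the dump ("03")
pfx_version() {
    outer_structure "$1" | sed -n '2s/.*INTEGER *:\([0-9A-Fa-f]*\).*/\1/p'
}

# inner_summary FILE.p12 -- the "lower part": needs the import password.
# Prints "MAC: <digest>, Iteration <n>" (n is 1 because of -nomaciter),
# then one line per bag ("Shrouded Keybag: ...", "Certificate bag") with
# the PBE algorithm used for each.  openssl writes this to stderr.
inner_summary() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$P12PASS" 2>&1
}

# mac_iterations FILE.p12 -- the MAC iteration count from inner_summary
mac_iterations() {
    inner_summary "$1" | sed -n 's/^MAC.*Iteration \([0-9]*\).*/\1/p' | head -n 1
}

# Demo run: first the password-free view, then the password-protected one.
make_test_p12 "$WORK/test.p12"
echo "== outer structure (no password needed) =="
outer_structure "$WORK/test.p12"
echo "== inner summary (password needed) =="
inner_summary "$WORK/test.p12"
```

If a client rejects the file before prompting for a password, compare its expectations against the `asn1parse` output only; `-info` is where to look when the failure comes after the prompt.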