An S/MIME certificate can be stored in several different formats (see Apple’s kbase article About certificate formats), but you will usually deal with a .pem or .cer file for your public key, or a .p12 file that contains both your public and private keys. We can get our certificates in one of two ways:
Export from Keychain Access
Export using the security command
Keychain Access is by far the simplest method. Simply select your public certificate, click on the pretty blue certificate icon at the top and drag-and-drop it to your desktop. This saves the file in .cer format, and you can use QuickLook to see the contents.
(QuickLook of my .cer export from Keychain Access)
The second way is more interesting and leads us to use Terminal.
It’s always best to test before exporting items, rather than assuming that you have the correct information. So let’s shorten the command to
What we are doing is using the Mac OS X security command to find your certificate within the default keychain (your Login keychain), which is usually located at /Users/yourusername/Library/Keychains/login.keychain. We find all the matching values by using the “-a” flag. We want to do this because as time passes you are going to collect expired certificates, and we want to keep the old ones just in case you need to decrypt an old message in a couple of years. The next flag is “-e” for your email address. Hopefully this returns one result, but if not, you most likely have expired certificates (and that’s OK).
If you want to see your expired certificates, the easiest way is to open Keychain Access, enable View => “Show Expired Certificates” and find any records with your email address that have a red “X” (meaning “expired”). Once you know you have one certificate, include the “-p” flag for .pem output and export it (the “> ~/Desktop/myPublicCert.pem” section).
When you look at your myPublicCert.pem certificate in a text editor, it comes back as 30 or so lines of complete gibberish starting with “BEGIN CERTIFICATE” and ending with “END CERTIFICATE”. For example:
If this makes any sense to you (other than… “Oh, that is PEM output”), you might need to get yourself checked into an asylum. This should mean nothing to you; fortunately, we can get a more human-readable printout by using the openssl command.
We can now see that the entity who issued my certificate (the “third party”) is “COMODO CA Limited”. My certificate is valid until Jun 16 23:59:59 2012. This is a little easier to comprehend, and it also lets us know that this certificate is specific to the email address.
To export your public and private keys for backup purposes (remember… you do not want to lose this information, or else you will never be able to open old emails), you can do this in one of two ways: Keychain Access or the security command.
For Keychain Access, you want to be sure you select the “My Certificates” category on the bottom left-hand side of your Keychain Access window. This shortens your list of possible items to export, while still letting you select your public and private keys. Find your email address, click on the disclosure triangle and select both the certificate and the private key (the icon looks like a key… how appropriate). You will now need to select File => Export Items (or Control-click the certificates) and save the two items as one .p12 file. Once you click OK, you will be prompted for a password. This ensures your private key is encrypted with this password as part of the export. You may also be asked to “Allow” access to your Login keychain.
You will not be able to read this file via a text editor, instead you can read the information by entering the following command:
This will display both your private and public keys in .pem format. The .p12 file is what Keychain Access imports, so keep it in case you need to re-import your certificates to your machine for Mail, or use them on iOS (to be discussed in a later article).
To do this in Terminal, you unfortunately cannot select a single S/MIME email public/private key pair… the security command is more of an “all or nothing” approach. This can be seen as a positive: you don’t have to worry about exporting each S/MIME certificate that you acquire over time, as it’s all done at once. To do this we again go back to the security command:
This will grab EVERYTHING within your Login keychain that has both a public and a private key (see “My Certificates” in Keychain Access). You can test your export by creating a new keychain and then importing your myCerts.p12 file into it.
The integrity of a single certificate file can be verified by:
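Here is the whole procedure from this article gathered into one script, as an added example (my own code, not the article’s commands). It assumes macOS with the security and openssl tools, the login keychain at the usual path, and my own function names; the “-a -e -p” flags are the ones described above, while the “security export -t identities -f pkcs12” form and the openssl options are ones I know those tools accept.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes macOS with
# security(1) and openssl(1); keychain path and function names are mine.
set -eu

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain"

# Step 1: test before exporting. -a lists every match (expired ones too),
# -e matches on the e-mail address, -p prints PEM. Prints the match count.
count_certs_for_email() {
  security find-certificate -a -e "$1" -p | grep -c 'BEGIN CERTIFICATE' || true
}

# Step 2: export the public certificate(s) for an address to a .pem file.
export_public_cert() {
  security find-certificate -a -e "$1" -p > "$2"
}

# Step 3: sanity-check a single-certificate PEM file: exactly one
# BEGIN/END CERTIFICATE pair and, when openssl is installed, parseable.
check_pem_cert() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$1" -noout >/dev/null 2>&1
  fi
}

# Step 4: the human-readable fields read off in the article: the issuer
# (the "third party"), the expiry date and the e-mail the cert is bound to.
cert_summary() {
  openssl x509 -in "$1" -noout -issuer -enddate -email
}

# Step 5: back up ALL identities (public + private key pairs) in the login
# keychain as one .p12; security prompts for the password that protects it.
export_identities_p12() {
  security export -k "$LOGIN_KEYCHAIN" -t identities -f pkcs12 -o "$1"
}

# Step 6: read the .p12 back as PEM (prompts for the password set above).
# -nodes leaves the private key unencrypted on stdout: view it, don't save it.
show_p12() {
  openssl pkcs12 -in "$1" -nodes
}
```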