[Openswan Users] Re: MacOSX 10.4.2

Alan Whinery whinery at hawaii.edu
Thu Jul 14 11:57:47 CEST 2005


For what it's worth, regarding certificate import and such -- I'm still 
working, but this is interesting:

What root can do that regular administrative user cannot do, is import 
the certs/key from the pfx file to the System keychain. (Instructions 
for selecting the proper keychain are at the bottom of this message.)

Regular administrative user can import a cert (not a key, though) from 
its .pem file, just not from the archive, else he gets a window saying 
"An error has occurred. Unable to import an item. CL_INVALID_FIELD_POINTER".

The above error box has a simultaneous sister-entry in /var/log/system.log:

Jul 14 10:23:03 itsstaffs-Computer /Applications/Utilities/Keychain 
ontents/MacOS/Keychain Access: Couldn't create temp file 
KYxbwG7-piyfx: Permission denied

Which suggests that there's a directory that isn't writable to Regular 
Administrative User.

The output of ls -al with current directory /Library/Keychains looks like:

total 48
drwxr-xr-x    4 root  admin    136 Jul 14 10:15 .
drwxrwxr-x   44 root  admin   1496 Jul 13 01:00 ..
-rw-r--r--    1 root  admin      0 Apr 22 09:58 .fixed
-rw-r--r--    1 root  admin  22248 Jul 14 10:15 System.keychain

which shows that the /Library directory is writable to group "admin", 
but the /Library/Keychains directory is not.

Do a :
cd /Library
chmod 775 Keychain

and suddenly the Regular Administrative User will be able to import from 
the .pfx archive.

The pregnant question is:
Can this permission change be left alone and be secure, or should we put 
things back where we found them? If you look at the general "ls -al" of 
/Library, there is an interesting assortment of permissions, and some 
are group wheel versus admin. Has Apple just been sloppy, or is there 

Once you have imported from the PFX file that Jacco sent me, which is 
CA=Xelerence, so I assume it's what Paul has, you have a client cert and 
key and a cacert in the System keychain. the CA cert doesn't do anything 
in the system keychain, so it may be that it should be distributed as a 
separate .PEM file and imported into X509 Anchors on its own.
Accessing Keychains with Keychain Access (partially complete)

NOTE: You may need to clean up the detritus from previous attempts, so it
doesn't get confusing.  So take the following steps as sort of a tour of
Keychain Access and OSX keychains, and realize that you might go back and
delete everything that you do the first time, plus what's laying around
from previous tries, and start over.

There are three relevant keychains in OSX:

1) The Login Keychain. A certificate installed here will not be used for
IKE. This is the default keychain for imports with Keychain Access, and
with the "login" certificate in Internet connect. For VPNs, "Login" is
mostly relevant for its irrelevance.

2) The System Keychain. This is where your VPN cert goes, in order to be
presented for an IKE negotiation. Being here makes it a "machine"

3) The X509Anchors Keychain. This is where your CA cert goes, in order
to be considered trustable and valid.
Using Keychain Access to access keychains:

1) As a user with administrative privileges (not necessarily root), open
the Keychain Access application (/Applications/Utilities/Keychain Access).

2) Click on the "show keychains" button in the lower left-hand corner of
the application window.

3) An additional pane should appear in the left column of the window,
listing the 3 keychains mentioned above. The padlocks next to System,
X509Anchors, and X509Certificates are probably locked.

4) Select the System Keychain in the left upper pane with a single click.

5) Right above the Keychain List pane, beneath the red-yellow-green
LED-stoplight-looking buttons, is a padlock and the directive "Click to
unlock the System keychain". Click on the padlock.

6) A window should pop up asking for your password. Enter it.

7) You may hear a noise that doesn't sound like a padlock unlocking, and
all three locked padlocks in the Keychain List pane will unlock.

8) Now there is an invisible opening in the rock wall to your left. 
Enter to receive full health and 250 rounds of ammo for your Desert 
Eagle. (Actually, I just haven't written past this yet, but mess with 
File-Import to proceed.)

More information about the Users mailing list