Hi,
I needed a standalone CA (and some issued certificates) for testing I needed to do in an Azure development tenant (i.e. an iOS device VPN authentication against a point-to-site virtual network gateway).
Anyway I used Keychain Access (/Certificate Assistant) to create a local CA via the “Create a Certificate Authority…” option. Doing that successfully gets through to the end.
Next I created a CSR via Keychain Access’s “Request a certificate from a certificate authority…” and saved to disk.
Anyway after that I have attempted to issue the cert for the CSR via Keychain Access’s “Create a certificate for someone else as a certificate authority…” (also tried just double-clicking the .certSigningRequest file), chose my new local issuing CA, chose the CSR and attempted to generate. It simply gets to the final “Finishing Up…” / “Creating a certificate…” window and never stops spinning.
In Console.app filtered to Process=Certificate Assistant is something like the following which could be related:
default 13:27:05.493340+1000 Certificate Assistant MacOS error: -25294 Subsystem: com.apple.securityd Category: security_exception
I’ve tried multiple accounts, multiple Macs, 11.4 and 12, all different options of key size, and the “let me specify …” options I could think of.
In the end I couldn’t get a certificate using the local CA to issue via Certificate Assistant, however in 12 Beta using the beta Server.app I could get a certificate issued using its “Create a certificate identity…” option under the [+] menu of the Certificates section.
Any ideas of why the normal Keychain Access / Certificate Assistant method of generating the certificate for a local CA may not be working? I've tried so many options (including a new 11.4 VM with a new admin test user etc.) that, unless I'm overlooking something obvious (possible since I'm not a PKI expert), it just doesn't seem to work out of the box even on a new installation.
Thanks Peter
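The three steps described in the post (create a local CA, create a CSR, issue a certificate for that CSR as the CA), carried out with the OpenSSL command line instead of Certificate Assistant. This is an added example, not part of the original post; the subject names, file names, validity periods and the `clientAuth` extended key usage for a VPN client certificate are assumptions.

```shell
# Added example: throwaway test CA -> CSR -> issued client certificate.
# Keys are written unencrypted (-nodes), so use this for test setups only.
set -eu

issue_test_client_cert() {   # $1 = empty working directory
  d=$1
  # Own minimal config, so the result does not depend on the system openssl.cnf.
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # 1. Self-signed CA certificate (constructed name "Test Local CA").
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/pki.cnf" -extensions ca_ext -subj "/CN=Test Local CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem"
  # 2. Key pair and CSR for the client (constructed name "vpn-test-client").
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=vpn-test-client" -keyout "$d/client.key" -out "$d/client.csr"
  # 3. Issue the certificate for the CSR, signed by the CA key.
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 90 \
    -extfile "$d/pki.cnf" -extensions client_ext -out "$d/client.pem"
  # 4. Confirm the issued certificate chains to the CA and is valid for
  #    client authentication; the function returns this command's status.
  openssl verify -CAfile "$d/ca.pem" -purpose sslclient "$d/client.pem"
}

work=$(mktemp -d)
issue_test_client_cert "$work"
openssl x509 -in "$work/client.pem" -noout -subject -issuer
```
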