What is the proper way to export a certificate using the commandline tool 'security'?

I am trying to automate some certificate handling for our build system.

I am exporting my certificate using the following commands:

security create-keychain -p foobar tempKeyChain
security unlock-keychain -p foobar tempKeyChain
security add-certificates -k tempKeyChain  afile.cer
security export -k tempKeyChain -t certs  -f pkcs12 -o  afile.p12
security delete-keychain tempKeyChain

The .p12 file generated looks good and I can open it with the "Keychain Access" app and the certificate loaded looks OK.

The problem is that the build scripts perform the following:

security create-keychain -p password mytest
security unlock-keychain  -p password mytest
security set-keychain-settings -u -t 12000 mytest
security import afile.p12  -k mytest -T /usr/bin/codesign
1 certificate imported.
security set-key-partition-list -S apple-tool:,apple:,codesign: -k password mytest
security: SecItemCopyMatching: The specified item could not be found in the keychain.

Note the error returned by 'security set-key-partition-list': "The specified item could not be found in the keychain."

If I take my afile.p12, load it into my keychain using the "Keychain Access" app, then export it from there as a p12 file, and then execute the above code using the p12 file created by the "Keychain Access" app, the 'security set-key-partition-list' command works.

Can anyone explain this?

Accepted Reply

I have figured out what my problem was here. The reason for the error from 'security set-key-partition-list' was that the certificate did not include a private key.

As for how to use security to export a certificate: in my case the answer is don't.

Use openssl to generate the .p12 certificate file:

openssl pkcs12 -export -out afile.p12 -inkey private.key -in certificate.pem
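The failure described in this thread is easy to catch before `security import` ever runs: a cert-only .p12 still opens fine in Keychain Access, but gives `set-key-partition-list` no key to match. The script below is an added example, not code from the thread; it assumes the openssl CLI is available, that `security` is run on macOS, and passes the .p12 password with `-P` (the original command omitted it).

```shell
#!/bin/sh
# Added example: verify that a PKCS#12 bundle actually carries a private key
# before importing it for codesign, since `security set-key-partition-list`
# has nothing to act on when the bundle holds only a certificate.
# Requires the openssl CLI; the `security` commands exist only on macOS.
set -eu

# Exit 0 if the bundle at $1 (import password $2) contains a private key.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'BEGIN .*PRIVATE KEY'
}

# Print the number of certificates in the bundle at $1 (import password $2).
# A cert-only export still reports 1 here, which is why it "looks OK".
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Build a throwaway keychain and import the bundle for codesign, refusing a
# bundle that lacks a private key. $3 = keychain name, $4 = its password.
# -P passes the .p12 password (assumed here; the thread's command omitted it).
import_for_codesign() {
  if ! p12_has_private_key "$1" "$2"; then
    echo "refusing $1: no private key in bundle; set-key-partition-list would fail" >&2
    return 1
  fi
  security create-keychain -p "$4" "$3"
  security unlock-keychain -p "$4" "$3"
  security set-keychain-settings -u -t 12000 "$3"
  security import "$1" -k "$3" -P "$2" -T /usr/bin/codesign
  security set-key-partition-list -S apple-tool:,apple:,codesign: -k "$4" "$3" >/dev/null
}

# Usage: sh check_p12.sh afile.p12 <p12 password> mytest <keychain password>
if [ "$#" -eq 4 ]; then
  import_for_codesign "$@"
fi
```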

Replies

Can anyone explain this? security: SecItemCopyMatching: The specified item could not be found in the keychain.

Looking at your command and the tool under the hood, it looks like your command is failing because there is no way for the set-key-partition-list command to match the key you are looking for to perform the desired action on. If you have a label being set on your key or an application label, then I would try using the -l or -a arguments with this command so that the Keychain can attempt to locate the Keychain item you are wanting and run the command on that item. This would be the same way that querying a SecItem is done with SecItemCopyMatching.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
