Mac OS: Import Email Certificate in Keychain : CheapSSLSecurity

When your personal authentication certificate is issued, you can obtain it a couple different ways. However, the certificate is not provided in a format that works right away on Mac, so you will need to take an extra step to reformat it.

Collect Certificate from Sectigo

Sectigo will email you a link to collect the certificate once it is issued. On the collection page you can click the Download Certificate button to receive it as a PKCS#7 (P7B) file. This type of file includes your email certificate and the certificate authority's chain certificates.

On this page, there is also an option to "Generate certificate bundle" by uploading your private key. While it is possible to export the private key from keychain, it can be a little difficult to convert the key file so that the collection site will accept it. We recommend just downloading the P7B file.

Reformat Certificate

The P7B certificate is not formatted correctly for your Mac, so if you try to install this file you will encounter an error.

To reformat the certificate, you can use the CertLogik Certificate Decoder tool.

Open your certificate P7B file with TextEdit. Select All and copy all the text.

Paste the text into the CertLogik decoder tool, then click Decode.

The tool will reformat the certificate and apply the necessary header and footer.

Copy all of the new text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- and paste over the old certificate in TextEdit. Make sure you replace all of the old text before saving the file.

You can now import the P7B into Keychain. Either double-click on the file itself, or in Keychain, click File, then Import Items, and select the P7B.

Possible Errors

"An error has occurred. Unable to import an item. The contents of this item cannot be retrieved."

This error occurs when the certificate is not properly formatted or is not recognized as a valid certificate. Please use TextEdit to check the formatting before importing again.

Error: -26276

This error is typically a false alarm. It can occur even when the certificate is successfully imported into Keychain. You should be able to locate the certificate by searching in Keychain for the user email address.

Exporting the Certificate

You can make a backup copy of the certificate by exporting the certificate and its private key from Keychain. You will end up with a PKCS#12 file which can be installed on other machines.

To export, first search the email address to isolate the certificate and key (although there may be a few extra items - check the expiration date on the certificate to make sure it's the right one). Hold the Command button and click and highlight both the certificate and the private key.

Click File and click Export Items. You will be prompted to enter a file name and select a location for the certificate. The File Format must be Personal Information Exchange (.p12).

You may be required to create a password on this file which you'll need to enter whenever you install the certificate on another device.