I have my own root certificate that I have imported into my OSX 'login' keychain and told it to trust across the board. I am now creating a certificate for S/MIME. I create the CSR in Keychain Access and then sign it with the root key and certificate:
# $1 = CSR to sign, $2 = signed certificate to write, $3 = alias to store in the cert
sudo openssl x509 -req -days 365 -in "$1" \
-CA ca.crt -CAkey ca.key \
-set_serial 1 -out "$2" -setalias "$3" \
-addtrust emailProtection \
-addreject clientAuth -addreject serverAuth -trustout \
-extfile smime.extensions
where smime.extensions contains the following:
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=email:copy
nsCertType=email
I get a generally good-looking certificate, but when I import it into the keychain on the OSX machine, it complains that "This certificate was signed by an unknown authority".
Am I missing something to make the proper connection between the CA certificate that I've imported and the S/MIME certificate? Thanks.
It turns out I was using the wrong public and private keys to sign the request.
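The two checks that pin this down before a certificate goes anywhere near a keychain are (1) whether the CA private key actually belongs to the CA certificate and (2) whether the issued certificate chains to the CA certificate that is really trusted. The script below is an added example, not code from the question or the answer above: it rebuilds the signing step with throwaway keys in a temporary directory, signs the same CSR once with the "trusted" root and once with a second root that has the same name but a different key (the wrong pair described in the answer), and runs both checks against each result. It assumes only that the openssl CLI is on PATH; every key, certificate, config file and name (trusted, stale, Alice Example, alice@example.com) is constructed here. The -addtrust/-addreject/-trustout options are omitted because they only append OpenSSL trust aux data to the PEM file and do not affect the signature or the chain.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the signing step
# with a throwaway CA and runs the checks that expose a CA cert/key mix-up.
# Assumes the openssl CLI is installed; everything else is generated here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The extension file from the question, reproduced as-is.
cat > smime.extensions <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=email:copy
nsCertType=email
EOF

# Minimal req configs (constructed) so the run does not depend on a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > user.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Alice Example
emailAddress = alice@example.com
EOF

# "trusted" plays the root that was imported into the keychain. "stale" has the
# same subject name but a different key: a matching cert/key pair, just the wrong one.
for name in trusted stale; do
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -keyout "$name.key" -out "$name.crt" 2>/dev/null
done

# End-entity CSR; the subject carries an emailAddress so email:copy has something to copy.
openssl req -new -newkey rsa:2048 -nodes -config user.cnf \
  -keyout user.key -out user.csr 2>/dev/null

# Same signing command as the question, minus the trust aux options.
sign_csr() {  # $1 = CSR, $2 = output cert, $3 = CA cert, $4 = CA key
  openssl x509 -req -days 365 -in "$1" -CA "$3" -CAkey "$4" -set_serial 1 \
    -extfile smime.extensions -out "$2" 2>/dev/null
}

# Check 1: the public key inside the CA cert must equal the one derived from the
# CA private key. openssl x509 -req refuses a mismatched pair outright, but a
# matched pair from the wrong CA passes this check and only fails check 2.
key_matches_cert() {  # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Check 2: chain validation for the S/MIME signing purpose, which also exercises
# keyUsage, extendedKeyUsage and nsCertType from the extension file.
verify_smime() {  # $1 = issued cert, $2 = trusted CA cert
  openssl verify -CAfile "$2" -purpose smimesign "$1" >/dev/null 2>&1
}

sign_csr user.csr good.crt trusted.crt trusted.key
sign_csr user.csr bad.crt  stale.crt   stale.key    # wrong CA pair

for c in good bad; do
  if verify_smime "$c.crt" trusted.crt; then
    echo "$c.crt: chains to trusted.crt"
  else
    echo "$c.crt: does NOT chain to trusted.crt (this is the 'unknown authority' case)"
  fi
done
```

bad.crt looks perfectly healthy on its own (it verifies fine against stale.crt), which is why the certificate "looked good" yet was rejected: the authorityKeyIdentifier it carries names the stale root's key, so the trusted root is never accepted as its issuer. Running key_matches_cert against the key you think you signed with and the cert you actually imported is the quickest way to catch the mix-up.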