Mailing Lists: Apple Mailing Lists


Re: [Fed-Talk] NMCI Webmail



On Apr 29, 2005, at 11:42 AM, Lawlin, David C CIV (NAVAIR 4.1.3) wrote:

I have tried, unsuccessfully, to use NMCI WEBMAIL using my Powerbook running 10.3.9 and as of last night 10.4.
I imported my NMCI Certificates into the KeyChain manager but when I go to https://webmail.nmci.navy.mil it informs me that I do not possess a valid certificate. I do have a PKI card but not a reader; however, my understanding, according to Shawn and the experience of a colleague who has successfully done so without using his CAC card, is that I should be able to do so.

David,

If you have attempted to access the above website, you are using a "Soft Cert" and it still says you do not possess a valid certificate, then I would have to assume that you did not add the X509Certificates keychain to your keychain list. Noted in a message earlier today:

The DoD Intermediate CAs are not available to the Keychain List by default
-- Federal Customers within DoD will need to add the "X509Certificates" to the list


a) Launch Keychain Access
b) Select "Edit -> Keychain List"
c) Select "Show: Mac OS X (System)"
d) Check "Shared" checkbox next to "X509Certificates" (/System/Library/Keychains)
e) X509Certificates will now appear in the Keychains List and will be available for Intermediates for the whole trust path validation.


The problem you experienced is that the Intermediate Certificates located in the "X509Certificates" were not available to the system and hence the OS could not generate a validated trust path from the client cert all the way thru to the Trusted Root CA Certificate which is located in the "X509Anchors" keychain.


Everyone can validate if this is the case they are experiencing if they too have this problem.


How to Validate you have a complete Trust path of Certs for your Soft Cert or Smart Card:
---------------------------------------------------------------------------------------
1) Check your Personal Certificates' information and note the Issuer Name - Common Name
   For Example: DOD CLASS 3 EMAIL CA-3
2) Locate the Above Issuer's Certificate (most likely in the X509Certificates keychain)
3) Identify and note the Issuer Name - Common Name of this Certificate
   For Example: DoD CLASS 3 Root CA
4) Identify and note the Issuer Name - Common Name of this Certificate -- Should be itself!!!!
   For Example: DoD CLASS 3 Root CA issued the DoD CLASS 3 Root CA Cert (Self-Signed)


*** Full Trust Path Validated!

-Shawn


Shawn Geddis                    T (703) 264-5103
Security Consulting Engineer    C (703) 623-9329
US Federal Government           email@hidden

Apple Computer, Inc.
1892 Preston White Drive
Reston, VA 20191

Attachment: smime.p7s
Description: S/MIME cryptographic signature
