(3) Enabling Intermediate CA Certificates - SystemCACertificates

Many of you who are new to PKI/Smart Cards on Mac OS X, as well as some who were not aware of changes made for v10.5.x, will want to review this carefully.

Customers Impacted: US Federal PKI/Smart Card Users
Platform(s) Affected: Mac OS X 10.5.x
Service(s) Affected: Certificate Trust Path Validation

Previous User Experience:

Previous to upgrading to Mac OS X 10.5, US Federal PKI/Smart Card users were able to verify complete trust path validation with certificates on their Smart Cards, or ones received from other US Federal users, after performing one of the following two steps:

(a) Enabling the pre-populated X509Certificates keychain
-or-
(b) Adding any missing US Federal Intermediate Certificates to the user -OR- System keychain

Prior to Mac OS X 10.5, it was necessary to enable the X509Certificates keychain (add the file-based keychain to the keychain list).

Mac OS X 10.5 User Experience:

Leopard's Trust Model changed from previous versions of Mac OS X, and along with it the corresponding keychain names and usage.

Mac OS X 10.4 keychains and description:
1) X509Certificates - /System/Library/Keychains/X509Certificates - Pre-populated Intermediates
2) X509Anchors - /System/Library/Keychains/X509Anchors - Trusted Anchors (Required)

Mac OS X 10.5 keychains and description:
1) SystemCACertificates - /System/Library/Keychains/SystemCACertificates - Pre-populated Intermediates
2) System Roots - /System/Library/Keychains/SystemRootCertificates - Immutable Trusted Roots

This SystemCACertificates keychain has all of the DoD Intermediate Certificates up to and including #1 thru #18:
CA-XX
DOD EMAIL CA-XX

The new System Roots keychain has all of the corresponding US Federal Trusted Roots:
Common Policy
FBCA - US Federal Government
DoD Class 3 Root CA
DoD Root CA for CA-1 ... CA-10
DoD PKI Med Root CA
DoD Root CA 2
DoD Root CA for CA-11 ... CA-20

The additional CA-19 & CA-20 will be added in a subsequent Software Update.
Mac OS X 10.5's Trust Model allows for the setting of trust to be assigned to any certificate in the chain:

Trusted Root <--> Intermediate(s) <--> Leaf Certificate

This means that it is no longer necessary for Trusted Root CA Certs to be in any specific keychain. When importing a new Root, you will be asked whether you want to trust it for a particular user or all users. If you trust it for all users, it will require admin credentials and will also import the cert into the System Keychain.

This is nicely covered in my WWDC 2007 Presentation: 514 - Understanding PKI Certificate Management

- Shawn

_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
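The three keychain situations the message describes, modelled as an added example that is not part of the original post and not Apple's code: a constructed three-tier PKI is validated with (1) only the root trusted and no intermediate available, (2) the root trusted plus the pre-populated intermediate, and (3) the intermediate itself as the trust anchor with no root present, which is the "trust on any certificate in the chain" model. Go's crypto/x509 stands in for the keychain trust evaluation; the certificate names and keys are constructed for the example, not real DoD or FBCA certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// The whole PKI is constructed for this example; nothing here is a real DoD or FBCA cert.
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // a root signs itself
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainValid is the keychain question in code: with these trust anchors and these
// known intermediates, does the leaf build a complete trust path?
func chainValid(leaf *x509.Certificate, anchors, inters []*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // smart-card certs are not TLS server certs
	for _, c := range anchors { opts.Roots.AddCert(c) }
	for _, c := range inters { opts.Intermediates.AddCert(c) }
	_, err := leaf.Verify(opts)
	return err == nil
}

// Scenarios returns, in order: root trusted but no intermediate available (the pre-10.5
// failure when X509Certificates is not enabled), root trusted plus the pre-populated
// intermediate, and the intermediate itself as the only anchor (trust on any cert in the chain).
func Scenarios() (rootOnly, rootPlusIntermediate, intermediateAsAnchor bool) {
	root, rootKey := mkCert("Constructed Root CA", true, 1, nil, nil)
	ica, icaKey := mkCert("Constructed Intermediate CA", true, 2, root, rootKey)
	leaf, _ := mkCert("Constructed Smart Card User", false, 3, ica, icaKey)
	rootOnly = chainValid(leaf, []*x509.Certificate{root}, nil)
	rootPlusIntermediate = chainValid(leaf, []*x509.Certificate{root}, []*x509.Certificate{ica})
	intermediateAsAnchor = chainValid(leaf, []*x509.Certificate{ica}, nil)
	return
}
```

Only the first scenario fails, which is exactly the "missing intermediate" symptom users hit before enabling the X509Certificates keychain; the third succeeds because the verifier accepts any certificate in the anchor set as the end of the path.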
References:
[Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites (From: "Shawn A. Geddis" <email@hidden>)