[Fed-Talk] Re: soft certs in mail and safari
- Subject: [Fed-Talk] Re: soft certs in mail and safari
- From: Shawn Geddis <email@hidden>
- Date: Mon, 20 Sep 2004 20:57:26 -0400
On May 25, 2004, at 7:00 PM, Brian Cadwell wrote:
Due to an unbelievable amount of local red tape I've been unable to
get actual DOD soft certificates from our LRA so that I could test
functionality of Mail.app and Safari in the DOD PKI environment. I've
resorted to obtaining similar certificates from the DOD's Interim
External Certificate Authorities (IECA -
http://iase.disa.mil/pki/eca). I obtained 2 certificates (Identity and
signing/encryption) from Operational Research Consultants (ORC) for
$150. My understanding is that these certificates are part of the DOD
PKI program (officially issued by DOD through the vendor) but they are
not signed by DOD, or saying it another way, they are self signed and
have associated root certificates. If you are authoring services that
use DOD PKI make sure you recognize these IECA/ECA certs so that DOD
contractors aren't needlessly denied access to your good stuff.
Can anyone provide step by step instructions on how to get these
personal certificates working in Safari and Mail.app? It would be
useful for 1) my users, and 2) the vendors of these certs (ORC
apparently doesn't do Mac). Configuring Netscape on OS X is pretty
straightforward and I've used that platform to verify that the
certificates were working.
I am aware that there is some documentation
(http://docs.info.apple.com/article.html?artnum=25555) for setting up
keychain and Mail.app but it seems less than accurate. In a nutshell,
once you've allowed Mail.app access to your email private key, and
you've created an email account with an identical email address (very
case sensitive), it is just supposed to work. I've managed to get my
private/public key pair imported into my keychain and it is currently
working with Mail.app, but it only started working (recognizing the
certificates, signing and encrypting messages) after I sent myself
a mail from a correctly configured Netscape mail app. I can't tell
that to my users.
I've also noted that Mail.app seems to mark DOD signed messages valid
or invalid randomly after subsequent checking. Does this have
something to do with DOD CRLs being randomly available? Can I change
the default CRL location in OS X in association with certain root
certs?
I have no idea how to get Safari working with my private key so I can
get access to here: https://warlord/spawar.navy.mil/PKI. It works for
me from Netscape, so I'm sure that site correctly recognizes the ORC
certificate. Any ideas? I've given Safari access to the private key
associated with my Identity certificate and I even tried adding the
ORC root certificate to the /System/Library/Keychains/X509Anchors
keychain using the certtool. No luck.
Help if you can. Thanks,
In general, are folks still having issues with understanding and using
Certificates with Mail.app, Safari, Entourage 2004, ... ?
-Shawn
___________________________________________
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
US Federal Government email@hidden
Apple Computer, Inc.
1892 Preston White Drive T (703) 264-5100
Reston, VA 20191
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
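The thread turns on three things a relying party has to get right with ECA/IECA certificates: the signature only validates if the verifier explicitly trusts the ECA root (it does not chain to the DoD root), strict revocation checking marks a good signature invalid whenever the CRL cannot be obtained, and the e-mail address bound into the certificate has to match the configured account address exactly. The following POSIX shell script is an added, constructed example (not code from the original post, from Apple, or from DoD/ORC tooling) that uses the openssl command-line tool to build a stand-in ECA root and user signing certificate and then exercises each of those checks. The organization names, the address Brian.Example@example.mil and all file paths are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration, not code from the original post or from Apple.
# Requires the openssl command-line tool; all material is generated locally.

WORK=$(mktemp -d)
ECA_ROOT="$WORK/eca-root.pem"        # stand-in for the ORC/ECA root (assumption)
OTHER_ROOT="$WORK/other-root.pem"    # stand-in for an unrelated root, e.g. DoD
USER_CERT="$WORK/user.pem"
USER_KEY="$WORK/user.key"
MSG="$WORK/msg.p7m"
CERT_EMAIL="Brian.Example@example.mil"   # constructed address, not a real one

# Two independent self-signed roots. A relying party that trusts only the
# second one will reject anything issued under the first.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/eca-root.key" -out "$ECA_ROOT" \
  -subj "/O=Example ECA/CN=Example ECA Root" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/other-root.key" -out "$OTHER_ROOT" \
  -subj "/O=Example Other/CN=Unrelated Root" 2>/dev/null

# An S/MIME signing certificate issued by the ECA root, with the e-mail
# address carried in subjectAltName.
openssl req -newkey rsa:2048 -nodes -keyout "$USER_KEY" -out "$WORK/user.csr" \
  -subj "/O=Example ECA/CN=Brian Example" 2>/dev/null
cat > "$WORK/user.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=emailProtection
subjectAltName=email:$CERT_EMAIL
EOF
openssl x509 -req -in "$WORK/user.csr" -CA "$ECA_ROOT" -CAkey "$WORK/eca-root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/user.ext" -out "$USER_CERT" 2>/dev/null

# A signed message: the signer certificate is embedded in it, the root is not,
# so the verifier must already hold the root as a trust anchor.
printf 'Subject: test\n\nsigned body\n' > "$WORK/msg.txt"
openssl smime -sign -in "$WORK/msg.txt" -signer "$USER_CERT" -inkey "$USER_KEY" \
  -out "$MSG" 2>/dev/null

# Prints "valid" when the signature on $1 chains to a root in $2, else "invalid".
smime_status() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; then
    echo valid
  else
    echo invalid
  fi
}

# Same check with revocation checking enforced. No CRL is published for the
# stand-in root, so the check cannot complete and the message is reported
# invalid even though the signature itself is good.
smime_status_crl() {
  if openssl smime -verify -in "$1" -CAfile "$2" -crl_check -out /dev/null 2>/dev/null; then
    echo valid
  else
    echo invalid
  fi
}

# E-mail address(es) bound into a certificate (subject and subjectAltName).
cert_email() { openssl x509 -in "$1" -noout -email; }

# Exact, case-sensitive comparison against the address configured in the
# mail client.
address_matches() { [ "$(cert_email "$1")" = "$2" ]; }

echo "ECA root trusted:               $(smime_status "$MSG" "$ECA_ROOT")"
echo "only unrelated root trusted:    $(smime_status "$MSG" "$OTHER_ROOT")"
echo "ECA root trusted, CRL enforced: $(smime_status_crl "$MSG" "$ECA_ROOT")"
echo "address in certificate:         $(cert_email "$USER_CERT")"
if address_matches "$USER_CERT" "$CERT_EMAIL"; then echo "exact address: match"; fi
if ! address_matches "$USER_CERT" "brian.example@example.mil"; then
  echo "lower-cased address: no match"
fi
```

Run it with `sh`; it needs no network and writes only into a temporary directory. The second verification fails for the same reason a service that trusts only the DoD root rejects ECA users, and the CRL variant shows that a client which enforces revocation checking will report a perfectly good signature as invalid whenever the CRL is unreachable.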
_______________________________________________
Fed-talk mailing list (email@hidden)