Re: [Fed-Talk] Getting public certs out of Exchange
- Subject: Re: [Fed-Talk] Getting public certs out of Exchange
- From: Arthur Gelvin <email@hidden>
- Date: Wed, 20 Dec 2006 11:55:57 -0900
- Thread-topic: [Fed-Talk] Getting public certs out of Exchange
This may be redundant for this list; I've just recently joined, due to
issues dealing with Mac and CACs.
1. Look at your certificates on the smart card to see what type of
certificate you have, i.e. DOD Class 3 CA-6, or DOD EMAIL CA-12, etc.
2. Look in the X509Certificates and verify that you have these types of
certificates. If you don't, you can get the certs at
https://eportal.ctnosc.army.mil then follow the link for downloading
"Individual certificates for CAs 3 through 14 are also available at
https://crl.chamb.disa.mil" Choose the type of certificate, make sure the
certificate has a .cer extension. Put the certificate in the
X509Certificates.
3. I originally copied my certificates from the smart card into the login
keychain. I would get the prompt to select the certificate and the DOD
EMAIL certificate was rejected. I then removed these certificates, I didn't
get the pop-down menu, and things worked.
Art
___________________________
Art Gelvin
Engineering Technician
Cold Regions Research and Engineering Laboratory
P.O Box 35170
Ft. Wainwright, AK 99703-0170
(907) 353 - 5167
(907) 378 - 5556 (Cell)
(907) 353 - 5142 (Fax)
email@hidden
On 12/20/06 10:35 AM, "Paul Nelson" <email@hidden> wrote:
> With ADmitMac for CAC, you get Kerberos credentials for your domain when you
> log in using a CAC. This will then allow Safari to use Kerberos when it
> connects using OWA (Be sure you know the correct URL).
>
> http://www.thursby.com/products/afc.html
>
> Paul Nelson
> Thursby Software Systems, Inc.
>
>
> on 12/20/06 1:19 PM, Cardona, Cris Mr Nortel Government Solutions at
> email@hidden wrote:
>
>> Has anyone resolved the issue with accessing CAC enabled OWA from a MAC
>> using the Safari browser? I know the Safari browser defaults to the
>> keychain list for the certs. When I try to access our OWA, Safari
>> prompts me to select which certificate I want to use for authentication.
>> Safari doesn't list all the certs in the Keychain list for my smart card
>> at the prompt. I can see all the certs on the smart card within the
>> Keychain utility but Safari doesn't list the DOD E-mail CA I need to
>> authenticate. Does anyone have a fix for this problem?
>>
>> Thanks!
>> Cris
>>
>>
>>
>> -----Original Message-----
>> From: fed-talk-bounces+cris.cardona=email@hidden
>> [mailto:fed-talk-bounces+cris.cardona=email@hidden] On
>> Behalf Of Paul Nelson
>> Sent: Tuesday, December 19, 2006 9:55 AM
>> To: Dave Hale; Apple Fed Talk
>> Subject: Re: [Fed-Talk] Getting public certs out of Exchange
>>
>> You might want to refer to
>> http://www.microsoft.com/technet/prodtechnol/exchange/Guides/E2k3MsgSecGuide/1eb16a4d-9dea-48e9-b56a-c2df79fd06e0.mspx?mfr=true
>>
>> Certs for users are available from Active Directory if the user has
>> autoenrolled, or has used Outlook. There are two forms. The best one
>> is to query the 'userCertificate' attribute. This results in an array
>> of X509 v3 encoded certs. The second is to query userSMIMECertificate.
>> This results in a single CMS (PKCS#7) encoded object that contains the
>> user's certs (signing and encrypting).
>>
>> New software should always look for userCertificate first, then look for
>> userSMIMECertificate. Microsoft considers userCertificate to be the
>> preferred attribute.
>>
>> If you are asking about NTAuth certificates (what certificates are
>> trusted by a domain for authentication), these are also stored in Active
>> Directory but are not usually available via LDAP. Domain members
>> receive these using group policy.
>>
>> Paul Nelson
>> Thursby Software Systems, Inc.
>>
>>
>> on 12/19/06 6:58 AM, Dave Hale at email@hidden wrote:
>>
>>> Has anyone developed a process (other than manually, one at a time) to
>>> get public keys out of an Exchange server and import them into
>>> Keychain?
>>>
>>> Is it possible for Entourage to access the DOD LDAP and pull certs?
>>>
>>> Begin forwarded message:
>>>
>>>> Is there any way to import a CSV that includes certs into either
>>>> Entourage or Address Book? Our PC guys are trying to find an easy way
>>>> to export all the information from the Exchange server (address +
>>>> certs) and import it on the Mac instead of LDAP since this still
>>>> doesn't work. Any suggestions?
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>>
>>
>>
>
>
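The attribute order Paul Nelson describes in the quoted message above (userCertificate first, then userSMIMECertificate), as an added example that is not part of any list member's message. It assumes the attribute values have already been fetched from the directory as raw bytes and that the CMS object is DER-encoded SignedData; the function names are hypothetical and the sample data is constructed, with placeholder SEQUENCEs standing in for real certificates.

```python
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length (not DER)")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def children(buf, start, end):  # yields (tag, element_start, value_start, value_end)
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def certs_from_pkcs7(blob):
    """Return the DER certificates carried in a CMS SignedData object."""
    tag, vs, ve = read_tlv(blob, 0)
    parts = list(children(blob, vs, ve)) if tag == 0x30 else []
    if (len(parts) < 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0
            or blob[parts[0][2]:parts[0][3]] != SIGNED_DATA):
        raise ValueError("not a CMS SignedData object")
    _, sd_start, sd_end = read_tlv(blob, parts[1][2])
    for tag, _, vs, ve in children(blob, sd_start, sd_end):
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            return [blob[s:e] for t, s, _, e in children(blob, vs, ve) if t == 0x30]
    return []

def user_certs(attrs):  # attrs: LDAP attribute name -> list of raw values (bytes)
    vals = {k.split(";")[0].lower(): v for k, v in attrs.items()}
    if vals.get("usercertificate"):  # preferred: one DER certificate per value
        return "userCertificate", list(vals["usercertificate"])
    found = [c for p7 in vals.get("usersmimecertificate", []) for c in certs_from_pkcs7(p7)]
    return "userSMIMECertificate", found

def tlv(tag, body):  # DER-encode one element; used only to build the sample below
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

# Constructed sample: placeholder SEQUENCEs, not real X.509 certificates.
CERT_A, CERT_B = tlv(0x30, b"stand-in A"), tlv(0x30, b"B" * 200)
SAMPLE_P7 = tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, tlv(0x30,
    tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, SIGNED_DATA[:-1] + b"\x01"))
    + tlv(0xA0, CERT_A + CERT_B) + tlv(0x31, b""))))
```

Each returned value is one DER-encoded certificate, so the fallback path yields the same kind of result as userCertificate.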