I am hoping to clear up some of the confusion, add to what Paul said and correct some of the information shared in this last message...
On Jul 16, 2006, at 11:51 AM, Paul Nelson wrote:
You should ask the help desk to export the root certs using ASN1 encoding (.cer). They can e-mail them to you, and you can install them directly on the Mac by double clicking.
Mac OS X 10.4 Help: Adding certificates to a keychain
Built-in Mac OS X Help Application link to "Certificate"
Link to the "Adding Certificates to the Keychain"
KBase Article
These types of certificates are recognized by Keychain:
- X.509 DER encoded - extension .cer or .crt
- PKCS12 DER encoded - extension .p12 or .pfx
- PKCS7 DER or PEM encoded - extension .p7r, .p7b, .p7m, .p7c, or .p7s
If you can’t get real ASN1 encoded cert files, and all you have is the .exe, I would install the certs from the .exe file on the PC. Once the certs are installed on the PC, you can use the Certificates MMC plug-in to export them. You only need to do this once to get the “.cer” files. You can install the .cer files on as many Macs as you need. Now export them to get real cert files.
Then move the .cer files to the Mac and install them by double clicking.
Good suggestion for those bringing things over from Windows to the Mac!
They may be installed in the user’s keychain or in X509Anchors. If you put them in X509Anchors, they will be shared among all the Mac users.
This is not correct. The X509Anchors Keychain is a 'special' keychain in that it contains ALL of the Trusted Root CA Certificates that are used for trust validation of certificates by the OS. You should ONLY ever put Trusted Root CA Certificates into X509Anchors because ALL other certificates imported into it will be ignored. If the Certificate you are importing is an Intermediate, it should NOT be imported into the X509Anchors, but rather any Keychain created/managed by the user which would also include the pre-populated X509Certificates. The X509Anchors is the Trusted Root CA Certificates for ALL users on the machine - no sharing is needed or implied.
To make sure you have the root certs installed and working, quit out of the Keychain Access after the install (there is a bug that restarting works around).
Good Point. Anytime you make alterations to shared keychains or import new certs into the system keychains (i.e. X509Anchors), you should quit and re-launch Keychain Access for now. Working to resolve that issue.
Then insert your CAC and launch Keychain Access. Make sure that the button in the lower left of the Keychain Access window says “Hide Keychains”.
Just to be clear, the need is to display the keychains in the upper left corner. There is a button in the lower left, as Paul indicates, and it toggles between "Show Keychains" and "Hide Keychains", indicating what "would happen" if you click on the button. So, when it says "Hide Keychains", it means that they are already being displayed (you had previously clicked on it when it said "Show Keychains").
Your CAC will appear in the upper left list. Click on the CAC keychain (named “smart card #nn”).
The default name used for a CAC is "smart card #n". This can easily be changed to whatever name you would like that card to appear under by following the steps I noted in previous messages:
$ sudo -s (This will prompt you for your password and give you root privs)
$ cd /private/var/db/TokenCache/tokens (This will change the current directory to the token cache)
Now, IF you have only used one Smart Card on your system, the next step will be very easy.
IF you have used more than one Smart Card, look on the back of your Smart Card and take note of the number stamped on the card, which looks like the following:
2050-5000-5076-301D-2F63
This number signifies the Card identifier and will be used as part of the Smart Card cache folder.
The token cache folders (directories) have the name constructed as such:
com.apple.tokend.cac - dot notation for the tokend identifier
: - "colon" separator
CAC - Name of the tokend which handles this card
- - "dash" separator
2050-5000-5076-301D-2F63 - 20-digit identifier of the Smart Card
So, the whole directory would look like this:
com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63
With the complete path now of:
/private/var/db/TokenCache/tokens/com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63
The contents of this directory are:
drwx------ 3 root user 102 Apr 13 21:17 Cache
-rw-r--r-- 1 root user 14 Apr 13 21:17 PrintName
-rw-r--r-- 1 root user 3 Apr 13 21:17 SSID
drwx------ 2 root user 68 Apr 13 21:17 Work
Use the editor of your choice to modify the "PrintName" file to whatever text you would like, with some limits: keep it relatively short and do not use special characters.
Then click on the middle cert (the e-mail cert).
Which cert it is depends on the sorting order you have chosen to display things within your Keychain Access window. A CAC has three certificates: (1) Identity, (2) Email Signing and (3) Email Encryption.
The cert status should show that the cert is valid. The Mac will do a basic validation of your certs (see if you are trusting the root and intermediate certs).
The reference to "basic validation" here is not exactly correct. It is, if you have not set the preferences for Certificates in the Keychain Access->Preferences->Certificates panel. There you set up your desired processing for CRL, OCSP or both as "OFF", "Best Attempt", "Require if Cert Indicates", or "Require for All Certs".
Is a CRL or OCSP response cached?
Yes indeed!
• CRLs are cached in a keychain in /var/db/crls/crlcache.db
• OCSP responses are cached in /var/db/crls/ocspcache.db
Is there a way to remove the cached CRL to force the Mac to retrieve one?
% /usr/bin/crlrefresh r
...does an update of all the CRLs in the cache, refreshing them with up-to-date CRLs if need be. Note that cached CRLs are not used if they are stale, so if you're doing CRL verification (per Keychain Access prefs) and you don't see any network activity when you verify a cert, then cached CRLs are most likely being used.
You can inspect the contents of the CRL cache via
% certtool y k=/var/db/crls/crlcache.db
If you are just using the CAC for e-mail, you probably don’t need the Keychain “Certificate Revocation List” preference to “Off”. Getting CRLs from most DoD certificate authorities takes a while (perhaps as long as one to two minutes).
Many of the CRLs are extremely large files especially considering CRLs consist of only the IDs of the revoked certificates.
OCSP does not apply to CAC, as the CAC certs do not contain any OCSP information, and the Mac can’t be manually configured to use an OCSP responder.
OCSP Service Locator is referenced via AIA - Authority Information Access in a Certificate. It may be true that certificates issued for CAC still do not contain AIA references, but not everyone on this list uses a CAC. Also, CAC applets will be replaced in the 'future' with a PIV compliant applet.
Mac OS X enforces the CRL Distribution Points / OCSP Service Locators within the certificate as they are issued and signed on the cards and according to your preference settings for Certificates as noted earlier.
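As an added example (not part of the original thread), the PrintName renaming procedure described above as a small POSIX shell script: it splits a token cache directory name into its three parts, picks the directory whose suffix matches the identifier stamped on the card (refusing to act when zero or several directories match), validates the new name against the "keep it short, no special characters" advice, and writes it. The 32-character limit and the allowed character set are my assumptions; TOKEN_CACHE can be overridden so the script can be tried against a copy of the cache before touching the real one.

```shell
#!/bin/sh
# Added example: rename the Keychain Access display name of one CAC token cache
# directory. Path and layout follow the message above; TOKEN_CACHE may be
# overridden to exercise the script against a copy of the cache.
TOKEN_CACHE="${TOKEN_CACHE:-/private/var/db/TokenCache/tokens}"

# Split com.apple.tokend.cac:CAC-2050-5000-5076-301D-2F63 into
# "<tokend id> <tokend name> <card id>"; fail if the name has no such shape.
parse_token_dir() {
    case "$1" in
        *:*-*-*-*-*-*) ;;
        *) return 1 ;;
    esac
    tokend_id="${1%%:*}"        # com.apple.tokend.cac
    rest="${1#*:}"              # CAC-2050-5000-5076-301D-2F63
    tokend_name="${rest%%-*}"   # CAC
    card_id="${rest#*-}"        # 2050-5000-5076-301D-2F63
    printf '%s %s %s\n' "$tokend_id" "$tokend_name" "$card_id"
}

# Print the one cache directory whose suffix is the card id stamped on the
# card; fail when zero or several match so the wrong card is never touched.
find_token_dir() {
    matches=0; found=""
    for d in "$TOKEN_CACHE"/*:*-"$1"; do
        [ -d "$d" ] || continue
        matches=$((matches + 1)); found="$d"
    done
    [ "$matches" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Accept only non-empty names of at most 32 characters (assumed limit) made of
# letters, digits, spaces, '#', '_' or '-'.
valid_print_name() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case "$1" in
        *[!A-Za-z0-9" "#_-]*) return 1 ;;
    esac
}

# rename_token <card id> <new name>: validate, locate, then overwrite PrintName.
rename_token() {
    valid_print_name "$2" || return 1
    dir=$(find_token_dir "$1") || return 1
    printf '%s\n' "$2" > "$dir/PrintName"
}
# Usage when run directly (as root): sh rename-cac.sh 2050-5000-5076-301D-2F63 "My CAC"
if [ "$#" -eq 2 ]; then rename_token "$1" "$2"; fi
```

Quit and relaunch Keychain Access afterwards, as noted earlier in the thread, so the new name is picked up.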