Re: [Fed-Talk] safari and the right cac certificate
- Subject: Re: [Fed-Talk] safari and the right cac certificate
- From: "Timothy J. Miller" <email@hidden>
- Date: Fri, 18 Apr 2008 09:19:54 -0700
Lucena, Angelito L CIV NSWCCD W. Bethesda, 7220 wrote:

> is there any way to force safari to pick the right cac certificate??
> some of my restricted websites are failing since safari doesn't appear to
> be presenting the correct choice out of more than one possible certificate.

What's the "right certificate"? From a pure X.509 perspective, both the
email signing and ID certs are valid for authentication.

The issue is that some websites don't return an SSL error when they
reject the ID cert--they eat the SSL error and provide an HTTP error
instead. Safari sees this as the client cert was accepted, so it never
triggers the code that asks the user to select a cert.

It would be nice if the website would do the right thing--i.e., return
the SSL error--but since that's not under your control you still have to
deal.

On Leopard you can circumvent this by setting an identity preference.
Open Keychain Access, select your CAC keychain, and right-click your
*email* certificate. Select "Set an identity preference" and fill out
the settings for the website in question. Relaunch Safari and you
should be good to go.

You can do this on Tiger as well, but you need a separate tool. There
was an AppleScript app floating around to do this but I've lost track of it.

> ultra annoying since IE presents a choice when i hit the same website
> while running under parallels and XP.

Speaking from the "have to run the PKI helpdesk" side of things, IE's
forced choice actually causes more calls to the helpdesk, since the UI
doesn't distinguish between email and ID certs very well.

-- Tim