Re: [Fed-Talk] safari and the right cac certificate


  • Subject: Re: [Fed-Talk] safari and the right cac certificate
  • From: "Timothy J. Miller" <email@hidden>
  • Date: Fri, 18 Apr 2008 09:19:54 -0700

Lucena, Angelito L CIV NSWCCD W. Bethesda, 7220 wrote:
> is there any way to force safari to pick the right cac certificate??
> some of my restricted websites are failing since safari doesn't appear to
> be presenting the correct choice out of more than one possible certificate.

What's the "right certificate"? From a pure X.509 perspective, both the email signing and ID certs are valid for authentication.


The issue is that some websites don't return an SSL error when they reject the ID cert--they eat the SSL error and provide an HTTP error instead. Safari sees this as the client cert was accepted, so it never triggers the code that asks the user to select a cert.

It would be nice if the website would do the right thing--i.e., return the SSL error--but since that's not under your control you still have to deal.

On Leopard you can circumvent this by setting an identity preference. Open Keychain Access, select your CAC keychain, and right click your *email* certificate. Select "Set an identity preference" and fill out the settings for the website in question. Relaunch Safari and you should be good to go.

You can do this on Tiger as well, but you need a separate tool. There was an AppleScript app floating around to do this but I've lost track of it.

> ultra annoying since IE presents a choice when i hit the same website
> while running under parallels and XP.

Speaking from the "have to run the PKI helpdesk" side of things, IE's forced choice actually causes more calls to the helpdesk, since the UI doesn't distinguish between email and ID certs very well.


-- Tim
