Re: [Fed-Talk] Leopard vs FileVault Keychains
- Subject: Re: [Fed-Talk] Leopard vs FileVault Keychains
- From: "Shawn A. Geddis" <email@hidden>
- Date: Sun, 20 Jan 2008 22:56:33 -0500
On Jan 20, 2008, at 9:04 PM, William G. Cerniuk wrote:
We have many distribution master keychains (DMKs) in the VA now.
This is the FileVault Master keychain after it has been modified to
not include the private key. The DMK only contains the certificate
portion of the pair and is thus ready for distribution to users for
use by the system to create FileVaulted accounts.
Anyway, the modified FileVaultMaster.keychain (DMK) file shows empty
in the Leopard Keychain Access. Under Tiger the DMK shows the
certificate item as expected.
The same DMK under Leopard and under Tiger allows users to activate
FileVault on their accounts and provides us with the ability to
recover those FileVaulted accounts in an emergency. Thus the
problem with our inability to see the contents is not a problem with
the file but seems to be a problem with the Keychain Access
application specifically.
Anyone else using this method of splitting the keychain and seeing
similar?
Best Regards,
Wm. Cerniuk
William,
Two quick things...
• Be careful about using references like "splitting the keychain", since
it is a bit misleading. What you have done is follow the standard
best practices for deploying FileVaultMaster in large organizations
which includes distributing a FileVault Keychain with only the
Certificate (which includes the Public Key).
• Be sure that when you are viewing your DMK that you are also
selecting the "All Items" or "Certificates" 'Category' in Keychain
Access. If by chance you are selecting the "My Certificates"
'Category' it would not display then, since the Private key would be
missing -- Identity is made up of both the Public Certificate and
corresponding Private Key.
If all is followed above and you still do not see the Certificate in
the FileVaultMaster Keychain, I would suggest you file a radar for
this. http://bugreport.apple.com/
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
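The check below is an added example, not code from either message in this thread and not Apple's tooling. It uses plain OpenSSL PEM files as a stand-in for the FileVaultMaster keychain: master.key plus master.crt play the full identity the organization keeps, and dmk.crt plays the certificate-only distribution copy (the DMK). It verifies the two properties Shawn's reply turns on, that the distributed copy carries no private key and that the certificate embeds the public key belonging to the retained private key, and then models the recovery story with a generic RSA wrap/unwrap, which is an illustration and not FileVault's actual format. File names, the working directory and the per-account secret are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Fed-Talk thread. OpenSSL PEM files stand in for
# the FileVaultMaster keychain: master.key + master.crt is the full identity the
# organization retains, dmk.crt is the certificate-only distribution copy (DMK).
# The wrap/unwrap below is a generic RSA illustration, not FileVault's format.
set -eu

WORK="${TMPDIR:-/tmp}/dmk-demo.$$"
mkdir -p "$WORK"

# Create the master identity: private key plus self-signed certificate.
make_master_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=FileVault Master (demo)" \
        -keyout "$WORK/master.key" -out "$WORK/master.crt" >/dev/null 2>&1
}

# The DMK handed to users is the certificate alone; the private key never leaves.
make_distribution_copy() {
    cp "$WORK/master.crt" "$WORK/dmk.crt"
}

# Echo 1 if a PEM file carries private-key material, 0 if not.
has_private_key() {
    if grep -q "PRIVATE KEY" "$1"; then echo 1; else echo 0; fi
}

# Echo 1 if the certificate's embedded public key matches the private key.
# The certificate includes the public key, which is why it is enough for users.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$from_cert" = "$from_key" ]; then echo 1; else echo 0; fi
}

# User side: a fresh per-account secret (constructed) is wrapped to the DMK's public key.
wrap_account_secret() {
    openssl rand -hex 16 > "$WORK/account.secret"
    openssl pkeyutl -encrypt -certin -inkey "$WORK/dmk.crt" \
        -in "$WORK/account.secret" -out "$WORK/account.wrapped"
}

# Emergency recovery: only the holder of master.key can unwrap. Echo 1 on success.
recover_with_master() {
    openssl pkeyutl -decrypt -inkey "$WORK/master.key" \
        -in "$WORK/account.wrapped" -out "$WORK/account.recovered"
    if cmp -s "$WORK/account.secret" "$WORK/account.recovered"; then echo 1; else echo 0; fi
}

# The DMK alone must not be able to unwrap. Echo 1 if the attempt fails as expected.
dmk_cannot_recover() {
    if openssl pkeyutl -decrypt -inkey "$WORK/dmk.crt" \
        -in "$WORK/account.wrapped" -out "$WORK/should-not-exist" 2>/dev/null; then
        echo 0
    else
        echo 1
    fi
}

make_master_identity
make_distribution_copy
wrap_account_secret
echo "master.key has private key : $(has_private_key "$WORK/master.key")"
echo "dmk.crt has private key    : $(has_private_key "$WORK/dmk.crt")"
echo "dmk.crt matches master.key : $(cert_matches_key "$WORK/dmk.crt" "$WORK/master.key")"
echo "master recovers secret     : $(recover_with_master)"
echo "DMK alone cannot recover   : $(dmk_cannot_recover)"
```

The same two checks are what you want against a real DMK before distributing it: confirm the file holds the certificate but no private key (so the "My Certificates" category in Keychain Access, which lists identities, is expected to be empty), and confirm that the certificate's public key is the one paired with the private key you keep locked away for recovery.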