Prior to Mac OS X 10.5, it was necessary to enable the X509Certificates keychain (add the file-based keychain to the keychain list).
Mac OS X 10.5 user experience:
Leopard's Trust Model changed from previous versions of Mac OS X and along with it the corresponding Keychain names and usage.
Mac OS X 10.4 keychains and description:
1) X509Certificates       /System/Library/Keychains/X509Certificates         Pre-populated Intermediates
2) X509Anchors            /System/Library/Keychains/X509Anchors              Trusted Anchors (Required)

Mac OS X 10.5 keychains and description:
1) SystemCACertificates   /System/Library/Keychains/SystemCACertificates     Pre-populated Intermediates
2) System Roots           /System/Library/Keychains/SystemRootCertificates   Immutable Trusted Roots
This SystemCACertificates keychain has all of the DoD Intermediate Certificates, #1 thru #18:
  CA-XX
  DOD EMAIL CA-XX

The new System Roots keychain has all of the corresponding US Federal Trusted Roots:
  Common Policy          FBCA - US Federal Government
  DoD Class 3 Root CA    DoD Root CA for CA-1 ... CA-10
  DoD PKI Med Root CA
  DoD Root CA 2          DoD Root CA for CA-11 ... CA-20
The additional CA-19 & CA-20 will be added in a subsequent Software Update.
Mac OS X 10.5's Trust Model allows for the setting of trust to be assigned to any certificate in the chain:
Trusted Root <--> Intermediate(s) <--> Leaf Certificate
This means that it is no longer necessary for Trusted Root CA Certs to be in any specific keychain. When importing a new Root, you will be asked whether you want to trust it for a particular user or all users. If you trust it for all users, it will require admin credentials and will also import the cert into the System Keychain.
This is nicely covered in my WWDC 2007 Presentation:
514 - Understanding PKI Certificate Management
- Shawn
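An added example, not part of Shawn's post, scripting the two situations it describes with Apple's `security` CLI: the pre-10.5 step of putting the file-based X509Certificates keychain on the keychain search list, and on 10.5 checking the pre-populated SystemCACertificates and System Roots keychains for a DoD certificate. The keychain paths are the ones given in the post; the certificate name "DOD EMAIL CA-17" is an assumed instance of the post's "DOD EMAIL CA-XX".

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the `security` CLI;
# functions that parse text are runnable anywhere, the rest only on a Mac.

# `security list-keychains` prints one quoted path per line; reduce that to
# bare paths, dropping blank lines.
strip_keychain_quotes() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//; /^$/d'
}

# Return 0 if keychain path $2 is already on the search list captured in $1.
keychain_in_search_list() {
    strip_keychain_quotes "$1" | grep -Fqx -- "$2"
}

# Add keychain $1 to the search list only if it is missing.  Caveat:
# `list-keychains -s` REPLACES the whole list, so every current entry is
# passed back with the new one, or login/System keychains silently vanish.
add_keychain_to_search_list() {
    new=$1
    current=$(security list-keychains)
    keychain_in_search_list "$current" "$new" && return 0
    set --
    while IFS= read -r kc; do
        [ -n "$kc" ] && set -- "$@" "$kc"
    done <<EOF
$(strip_keychain_quotes "$current")
EOF
    security list-keychains -s "$@" "$new"
}

# 10.5 layout: look a cert up by common name ($1) in a given keychain ($2)
# and emit it as PEM; non-zero exit means it is not there.
find_dod_cert() {
    security find-certificate -c "$1" -p "$2"
}

PRE105_X509=/System/Library/Keychains/X509Certificates
SYSTEM_CA=/System/Library/Keychains/SystemCACertificates
SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates

if command -v security >/dev/null 2>&1; then
    if [ -f "$PRE105_X509" ]; then   # pre-10.5: enable the file-based keychain
        add_keychain_to_search_list "$PRE105_X509"
    else                              # 10.5: roots and intermediates are pre-populated
        find_dod_cert "DoD Root CA 2" "$SYSTEM_ROOTS" >/dev/null && echo "root present"
        find_dod_cert "DOD EMAIL CA-17" "$SYSTEM_CA" >/dev/null && echo "intermediate present"
    fi
fi
```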