Re: [Fed-Talk] Forcing Safari to use Email Cert
- Subject: Re: [Fed-Talk] Forcing Safari to use Email Cert
- From: Timothy J Miller <email@hidden>
- Date: Mon, 12 May 2008 08:41:22 -0500

On May 9, 2008, at 10:40 PM, Dan Morrison wrote:

> I am trying to access Outlook Web Access on Leopard, and I'm 99%
> sure that it is not working because Safari is using my identity cert
> instead of my email cert. I've imported the root CAs into my
> keychain, and all 3 CAC certs show up in Keychain as valid. I've
> gone into the trust settings for the email certs, and set them
> trusted for all uses. I've gone into the identity cert and set it
> not trusted for all uses. OWA still does not work. When I go to
> the my.af.mil site (which uses the identity cert), it still works,
> which leads me to believe that all my trusting and not trusting
> didn't do a whole lot. How can I force Safari not to use the
> identity cert for a particular site (or at all)?

Set an identity preference on your email signing cert. Right click on
it in Keychain, select "New Identity Preference" and fill in the
dialog for your OWA site.

Alternatively, update your account's altSecurityIdentifiers attribute
in Active Directory. You'll either need an admin or need to run LEAP
from a domain workstation.

> As an aside, why can't Apple modify Safari to toss up a dialog and
> let you choose a cert for yourself? Does anyone know the rationale
> behind hiding this decision from the user?

It does, but only *after* an SSL error is returned if the *first*
choice doesn't work. Some OWA installations--particularly in the DoD--
hide the SSL error and return an HTTP error instead. This is
user-friendly but browser-unfriendly; the browser doesn't know the cert
was the problem, so can't prompt the user to select a different one.

-- Tim