[Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 21
  • Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 21
  • From: Paul Derby <email@hidden>
  • Date: Wed, 28 Jan 2009 15:25:43 -0500

We've had a long-standing bug report where it appears that if a user installs another certificate containing the same email address before the older certificate expires, OS X uses the older instead of the newer certificate.  As far as we can tell the user has no control over which unexpired cert can be used or any easy way to purge the certs.

Is there a similar cache for certs on the keychain that can be rebuilt or blown away as there is with the CAC certs?

Hopefully, x.509 cert management and selection will be made user friendly some day....
-- 
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden
703-647-2745

On Jan 28, 2009, at 3:06 PM, email@hidden wrote:

From: Mark Bienz <email@hidden>
Date: January 28, 2009 7:59:10 AM EST
To: Apple Talk Fed <email@hidden>
Subject: [Fed-Talk] CLEARING CERTIFICATE CACHE (OR WHATEVER)


Had my signature and encryption certificates updated with a new e-mail address and could not figure out why I could not sign mail.  Just discovered that the Keychain view of the certificates from the CAC Reader are still showing the older CA-16 certificates with my old e-mail address, etc.  I know the certificates have been changed because when I view the certificates on a "blah" Windows system I see the new CA-19 e-mail and encryption certificates.  My identity certificate was unchanged so is still a CA-16 certificate and getting into Web Sites requiring that still function.

What do I have to do to force the system to pick up the new certificates from the CAC?

Running 10.4.11.

Mark

From: "Blaine, Chris CIV SPAWAR SSC PAC, 53232" <email@hidden>
Date: January 28, 2009 8:56:30 AM EST
To: "Mark Bienz" <email@hidden>, "Talk Apple" <email@hidden>
Subject: Re: [Fed-Talk] CLEARING CERTIFICATE CACHE (OR WHATEVER)


I had the same problem, and finally found a posting in another Apple forum,
Apple-cdsa (http://lists.apple.com/archives/apple-cdsa/2008/May/msg00003.html) which
gave me the answer.

The answer comes in the last paragraph...

Meanwhile, take a look at /var/db/TokenCache/tokens. There is one directory
in there for each card the system remembers having seen before, named by
whatever identifier the Tokend has assigned the card (the form is token
identifier:card identifier). Remove the card and blow away that directory,
and when you re-insert the card you should get the new contents (because you
removed the place where the Tokend would store its cached data). Note that
if you do this, the system will also think your card is new (never before
seen).

There is a cached copy of my previous tokens. Deleting the referenced
directories, as below, resolved my issue, and allowed the new certificates to
be populated into keychain.

sudo rm -r com.apple.tokend.cac:CAC-XXXX-XXXX-XXXX-XXXX

-- 
Thanks
Chris Blaine
Senior Network Engineer
Network Security Officer
C4I Programs
700 Robbins St, Bldg 2A
Philadelphia, PA 19111
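The purge procedure quoted above (remove the card, delete its directory under /var/db/TokenCache/tokens, re-insert the card) as an added shell example; it is not code from the thread or from Apple. The cache root path and the `tokend id:card id` naming come from the quoted message; the function names, the root parameter and the sample entry names are my own. The name check keeps a typo or stray argument from turning `rm -r` loose on some other directory.

```shell
#!/bin/sh
# Added example, not from the thread. Lists and purges entries of the
# Tokend cache. ROOT defaults to the path named in the thread; another
# root can be passed so the functions can be exercised on a scratch dir.

# list_token_cache [ROOT]
# Prints one cached card per line as "<tokend id>:<card id>".
list_token_cache() {
    root=${1:-/var/db/TokenCache/tokens}
    [ -d "$root" ] || { echo "no token cache at $root" >&2; return 1; }
    for d in "$root"/*; do
        [ -d "$d" ] || continue          # skip the unexpanded glob on an empty dir
        printf '%s\n' "${d##*/}"
    done
}

# purge_token_cache ROOT NAME
# Removes the cache directory for one card. NAME must be a bare
# "<tokend id>:<card id>" entry such as com.apple.tokend.cac:CAC-...,
# never a path, so rm -r cannot be pointed at anything outside ROOT.
# Pull the card from the reader first; after the purge the system
# treats the card as never seen before (as the thread notes).
purge_token_cache() {
    root=$1
    name=$2
    case $name in
        ''|*/*|.|..) echo "refusing bad cache name: '$name'" >&2; return 2 ;;
        *:*) ;;                                   # expected tokend:card form
        *) echo "not a tokend:card entry: '$name'" >&2; return 2 ;;
    esac
    target="$root/$name"
    [ -d "$target" ] || { echo "no cache entry $target" >&2; return 1; }
    rm -r -- "$target"
}
```

Run `list_token_cache` first (as root on a real system) to see the exact entry name, then `purge_token_cache /var/db/TokenCache/tokens '<that name>'` with the card removed.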
