Re: [Fed-Talk] CAC SSL error
- Subject: Re: [Fed-Talk] CAC SSL error
- From: "Shawn A. Geddis" <email@hidden>
- Date: Fri, 30 Jan 2009 10:23:08 -0500
On Jan 30, 2009, at 9:41 AM, Miller, Timothy J. wrote:
On 1/29/09 11:57 PM, "Arendt Christopher D 1st Lt AFIT/ENS"
<email@hidden> wrote:
When I try to visit the address, Safari shows the server certificate, says it can't verify the identity of the server and asks if I still want to continue.
Yes, but does it say why? You may have gaps in your trust chain; there are new DoD CAs (19 & 20) online that Apple may not have pushed yet. You can install these yourself.
Apple includes all of the DoD intermediates all the way up to and including CA-20.
Add the following Keychain in Keychain Access
via Keyboard: <shift><command><A>
via Menu: File > Add Keychain...
Select the following file:
/System/Library/Keychains/SystemCACertificates.keychain
I click "continue" and I'm prompted for my PIN. But when I enter the PIN, the reader light flashes a few times, then Safari says it couldn't establish a secure connection to the server.
Enabling the Trust Path (via enabling the pre-populated keychain
containing DoD Intermediates) as noted above should correct your
problem, but you can also specifically Trust a Certificate (Leaf,
Intermediate, Root) even though you may not have the complete chain
locally available. This is a reference to the ability to define the
"Trust Anchor" at the point of desire/choice.
- Shawn
________________________________________
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
Apple Enterprise Division email@hidden
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
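
The two remedies discussed in this thread (filling a gap in the trust chain, or trusting a certificate below the root as the trust anchor) can be reproduced with the `openssl` command line. This is an added example, not part of the original messages, and it uses OpenSSL rather than Keychain Access; the three-level PKI and every name in it are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (root -> int -> leaf); every name and file here is made up.
build_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, intermediate issued by root, leaf issued by intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Prints "ok" if `openssl verify` accepts the leaf with the given options, else "fail".
verify_case() {
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo=$(mktemp -d) && build_demo_pki "$demo" || exit 1
trap 'rm -rf "$demo"' EXIT
# 1. Gap in the chain: only the root is known, the intermediate is missing.
echo "gap in chain:           $(verify_case -CAfile "$demo/root.pem" "$demo/leaf.pem")"
# 2. Gap filled: the intermediate is supplied for path building.
echo "intermediate supplied:  $(verify_case -CAfile "$demo/root.pem" -untrusted "$demo/int.pem" "$demo/leaf.pem")"
# 3. No root at all: the intermediate itself is the chosen trust anchor.
echo "intermediate as anchor: $(verify_case -partial_chain -CAfile "$demo/int.pem" "$demo/leaf.pem")"
# 4. Same store without -partial_chain: path building still wants the root.
echo "no partial chain:       $(verify_case -CAfile "$demo/int.pem" "$demo/leaf.pem")"
```

Cases 1 and 4 report `fail`, cases 2 and 3 report `ok`: a missing intermediate breaks validation, and a non-root certificate only terminates the path when it is explicitly accepted as the anchor.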