• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: [Fed-Talk] mail uses old x.509 certificate
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fed-Talk] mail uses old x.509 certificate

  • Subject: Re: [Fed-Talk] mail uses old x.509 certificate
  • From: Paul Derby <email@hidden>
  • Date: Sun, 8 Mar 2009 11:41:52 -0400
Shawn,

Thanks for the info.  We are in total agreement as to how what your described works, so I don't think there are any misunderstandings, but a mystery that must be solved.

We learned years ago that embedded email addresses are case sensitive.  That was the first thing I checked when the match didn't occur.  The email address cases do match.

However, when I look at the certificate by clicking on the check mark next to the email address in the recepient's Address Book record, an expired cert is displayed.  Mail seems to get this same cert.

I can't find this cert on any keychain displayed by Key Chain Access.  I'll look carefully again and again.  I am not familiar with the "security" terminal command.  I will use that, too, to see if use of that UNIX command can help solve this mystery.

Paul

-- 
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden
703-647-2745

On Mar 6, 2009, at 7:58 PM, Shawn A. Geddis wrote:

Hoping to clear up some misunderstandings here...  Comments inline below...


On Mar 5, 2009, at 1:21 PM, Paul Derby wrote:
We have one user that needs to send encrypted email to another user at Los Alamos Labs.

The Los Alamos user's certificate expired.  He sent a new, signed email resulting in the new certificate going to the keychain.

The keychain shows only the new certificate.

Good so far... 

As you will see later on, I am assuming that the case of the local part of the email address has a different case than what you are searching for.....

 Address Book shows the expired certificate.

Address Book only displays what the OS provides it.  Address Book does not contain Certs as part of its data store.


Apple Mail finds the expired certificate and won't encrypt because the cert has expired.

Apple Mail is never allowed (by the OS) to utilize any certificate / identity that does not successfully pass the various tests - including expiration.

The old certificate does not show up anywhere in the keychain.

If the certificate is being used then is MUST be in ONE of the keychains.


Is there somewhere else that Mail and Address Book check for certs?  

Mail, Safari, VPN, 802.1X, Address Book, etc all make requests to the OS for the existing of Certificates.  No Application stores certificates on their own -- Mac OS X is an OS-based PKI not an Application-based PKI.


How is it that all certs don't appeal in the keychain?

All certs must be in one of the available keychains.  If you are not finding it, then there is an issue with your search criteria or an issue with the keychain.  

I ran keychain firstaid and no errors are found.

Since you ran "Keychain First Aid" and no errors were reported, all the keychains should be fine from a structural standpoint.


Any idea where to look for the invisible cert?

No such thing as an invisible certificate on Mac OS X.  You just need to locate the certificate among your (probably) large number of Keychain Items.


Is there some sort of GREP command where you can find all certs?

The command to use for all of this is:

/usr/sbin/security

For example:

$ security -v find-certificate -e email@hidden 

Keep in mind that the search for email address is CASE SENSITIVE.  
That means that if I am searching for "email@hidden", but the certificate has "email@hidden" then my search will not turn up any results.

More specific help on the command for searching for email address can be obtained by issuing the -h option:

$ security -h find-certificate

Usage: find-certificate [-a] [-c name] [-e emailAddress] [-m] [-p] [-Z] [keychain...]
    -a  Find all matching certificates, not just the first one
    -c  Match on "name" when searching (optional)
    -e  Match on "emailAddress" when searching (optional)
    -m  Show the email addresses in the certificate
    -p  Output certificate in pem format
    -Z  Print SHA-1 hash of the certificate
If no keychains are specified to search, the default search list is used.


 Spotlight doesn't find any certs.

Spotlight does not provide any feedback on Keychain Items.  Keychains are not searched by Spotlight.

Use the security command as noted above.


Thanks for any help in locating this expired cert so we can remove it from the machine and so that Mail will allow encryption to this user again.

Paul

--
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden

- Shawn
_____________________________________________________
Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise




 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: [Fed-Talk] mail uses old x.509 certificate
      • From: Richard Murphy <email@hidden>
References: 
 >[Fed-Talk] mail uses old x.509 certificate (From: Paul Derby <email@hidden>)
 >Re: [Fed-Talk] mail uses old x.509 certificate (From: "Shawn A. Geddis" <email@hidden>)

  • Prev by Date: Re: [Fed-Talk] mail uses old x.509 certificate
  • Next by Date: Re: [Fed-Talk] mail uses old x.509 certificate
  • Previous by thread: Re: [Fed-Talk] mail uses old x.509 certificate
  • Next by thread: Re: [Fed-Talk] mail uses old x.509 certificate
  • Index(es):
    • Date
    • Thread