Re: [Fed-Talk] mail uses old x.509 certificate
- Subject: Re: [Fed-Talk] mail uses old x.509 certificate
- From: Richard Murphy <email@hidden>
- Date: Sun, 08 Mar 2009 10:27:46 -0700
Make sure that in Keychain Access the setting for "Hide Expired
Certificates" (in the View menu) is not enabled.
- murf
On Mar 8, 2009, at 8:41 AM, Paul Derby wrote:
Shawn,
Thanks for the info. We are in total agreement as to how what you
described works, so I don't think there are any misunderstandings,
but a mystery that must be solved.
We learned years ago that embedded email addresses are case
sensitive. That was the first thing I checked when the match didn't
occur. The email address cases do match.
However, when I look at the certificate by clicking on the check
mark next to the email address in the recipient's Address Book
record, an expired cert is displayed. Mail seems to get this same
cert.
I can't find this cert on any keychain displayed by Keychain
Access. I'll look carefully again and again. I am not familiar
with the "security" terminal command. I will use that, too, to see
if use of that UNIX command can help solve this mystery.
Paul
--
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden
703-647-2745
On Mar 6, 2009, at 7:58 PM, Shawn A. Geddis wrote:
Hoping to clear up some misunderstandings here... Comments inline
below...
On Mar 5, 2009, at 1:21 PM, Paul Derby wrote:
We have one user that needs to send encrypted email to another
user at Los Alamos Labs.
The Los Alamos user's certificate expired. He sent a new, signed
email resulting in the new certificate going to the keychain.
The keychain shows only the new certificate.
Good so far...
As you will see later on, I am assuming that the case of the local
part of the email address has a different case than what you are
searching for.....
Address Book shows the expired certificate.
Address Book only displays what the OS provides it. Address Book
does not contain Certs as part of its data store.
Apple Mail finds the expired certificate and won't encrypt because
the cert has expired.
Apple Mail is never allowed (by the OS) to utilize any
certificate / identity that does not successfully pass the various
tests - including expiration.
The old certificate does not show up anywhere in the keychain.
If the certificate is being used then it MUST be in ONE of the
keychains.
Is there somewhere else that Mail and Address Book check for certs?
Mail, Safari, VPN, 802.1X, Address Book, etc. all make requests to
the OS for the existence of Certificates. No Application stores
certificates on their own -- Mac OS X is an OS-based PKI not an
Application-based PKI.
How is it that all certs don't appear in the keychain?
All certs must be in one of the available keychains. If you are
not finding it, then there is an issue with your search criteria or
an issue with the keychain.
I ran keychain firstaid and no errors are found.
Since you ran "Keychain First Aid" and no errors were reported, all
the keychains should be fine from a structural standpoint.
Any idea where to look for the invisible cert?
No such thing as an invisible certificate on Mac OS X. You just
need to locate the certificate among your (probably) large number
of Keychain Items.
Is there some sort of GREP command where you can find all certs?
The command to use for all of this is:
/usr/sbin/security
For example:
$ security -v find-certificate -e email@hidden
Keep in mind that the search for email address is CASE SENSITIVE.
That means that if I am searching for "email@hidden", but the
certificate has "email@hidden" then my search will not turn up
any results.
More specific help on the command for searching for email address
can be obtained by issuing the -h option:
$ security -h find-certificate
Usage: find-certificate [-a] [-c name] [-e emailAddress] [-m] [-p]
[-Z] [keychain...]
-a Find all matching certificates, not just the first one
-c Match on "name" when searching (optional)
-e Match on "emailAddress" when searching (optional)
-m Show the email addresses in the certificate
-p Output certificate in pem format
-Z Print SHA-1 hash of the certificate
If no keychains are specified to search, the default search list is
used.
Spotlight doesn't find any certs.
Spotlight does not provide any feedback on Keychain Items.
Keychains are not searched by Spotlight.
Use the security command as noted above.
Thanks for any help in locating this expired cert so we can remove
it from the machine and so that Mail will allow encryption to this
user again.
Paul
--
Paul Derby
Chief Enterprise Architect
supporting BioWatch Systems Program Office as IT Lead
Department of Homeland Security
email@hidden (preferred)
email@hidden
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
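The search Shawn describes above only matches an e-mail address in the exact case it is stored in the certificate, which is the trap Paul ran into. The script below is an added example, not code from the thread or from Apple: it dumps every certificate from the keychain search list with `security find-certificate -a -p`, keeps the ones whose embedded e-mail address matches the query ignoring case, and reports the SHA-1 fingerprint, addresses, notAfter date and VALID/EXPIRED for each, so an expired cert that hides behind a case mismatch shows up with a fingerprint you can then delete by hand in Keychain Access. The function names are mine; the filtering and expiry checks need only `openssl`, while `find_certs_for_address` additionally needs the macOS `security` tool.

```shell
#!/bin/sh
# Added example (not from the thread): find certificates for an address
# regardless of case and flag the expired ones. Needs openssl; the
# find_certs_for_address wrapper also needs macOS `security`.

# split_pem DIR: read concatenated PEM certificates on stdin and write
# each one to DIR/cert-N.pem so openssl can look at them one at a time.
split_pem() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    '
}

# filter_pem_by_email ADDRESS: pass through only those PEM certificates
# from stdin that carry ADDRESS as an e-mail address, compared without
# regard to case, so a cert holding "Paul.Derby@..." still matches a
# lower-case query, unlike `security find-certificate -e`.
filter_pem_by_email() {
    addr=$1
    dir=$(mktemp -d) || return 99
    split_pem "$dir"
    for c in "$dir"/cert-*.pem; do
        [ -f "$c" ] || continue
        # -email prints every address found in the subject or SAN, one per line
        if openssl x509 -in "$c" -noout -email 2>/dev/null | grep -qiFx -- "$addr"; then
            cat "$c"
        fi
    done
    rm -rf "$dir"
}

# check_pem_certs: read PEM certificates from stdin and print, per cert,
# SHA-1 fingerprint, e-mail addresses, notAfter and VALID/EXPIRED as one
# tab-separated line. The exit status is the number of expired certs.
check_pem_certs() {
    dir=$(mktemp -d) || return 99
    split_pem "$dir"
    expired=0
    for c in "$dir"/cert-*.pem; do
        [ -f "$c" ] || continue
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha1 | sed 's/^[^=]*=//')
        emails=$(openssl x509 -in "$c" -noout -email | tr '\n' ',' | sed 's/,$//')
        notafter=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero when notAfter is at or before "now"
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            status=VALID
        else
            status=EXPIRED
            expired=$((expired + 1))
        fi
        printf '%s\t%s\t%s\t%s\n' "$fp" "$emails" "$notafter" "$status"
    done
    rm -rf "$dir"
    return "$expired"
}

# find_certs_for_address ADDRESS [keychain ...] (macOS only): dump every
# certificate in the given keychains (the default search list if none are
# named), keep the ones matching ADDRESS in any case, and report each one.
# Usage: find_certs_for_address someone@lanl.gov
find_certs_for_address() {
    addr=$1; shift
    security find-certificate -a -p "$@" | filter_pem_by_email "$addr" | check_pem_certs
}
```

Because the match is done on the PEM dumped from the keychain rather than through `-e`, the result is independent of how the address is cased in the certificate; the fingerprint column is what you then search for in Keychain Access (with "Hide Expired Certificates" turned off) or pass back to `security find-certificate -Z` to confirm which keychain holds it.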