Re: [Fed-Talk] How does OS X choose which intermediate cert to use in chain?
Re: [Fed-Talk] How does OS X choose which intermediate cert to use in chain?
- Subject: Re: [Fed-Talk] How does OS X choose which intermediate cert to use in chain?
- From: "Martin M. Lindner" <email@hidden>
- Date: Wed, 05 Dec 2012 12:49:19 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] How does OS X choose which intermediate cert to use in chain?
Jason,
Welcome to the world of cross-certification and the federal bridge:(
This is not just an Mac OS X problem. Most OSs find the first certificate with a matching CN in the chain/store. If it happens to be the one you want, great, if not your out of luck. The DOD OSD PKI office is well aware of the issues.
One fix, which seems to work for most people is to delete the cross-certificated entries like "Common Policy" and trusting the "real" roots like DOD ROOT CA 2.
Marty
On Dec 5, 2012, at 11:29 AM, "Levine, Jason (NIH/NCI) [E]" <email@hidden> wrote:
> Does anyone here know how OS X chooses which intermediate certificate it uses when it's validating a certificate chain? Specifically, if a cert has issuer "SuperSecure CA", and my keychain contains two different certs with the CN "SuperSecure CA", what is OS X's methodology for choosing which of these two certs is the proper issuer?
>
> Briefly: my OS X 10.8 keychain contains multiple certs with the CN "Federal Common Policy" -- and due to Mail.app's behavior of auto-importing any certs it finds in an email, and a sender which once included a signature cert chain which has a "bad" Federal Common Policy cert in it, I keep getting this other cert added to my keychain. This "bad" cert isn't self-signed like the current Federal Common Policy cert, but rather was issued by "Federal Bridge CA" and leads up to a CertiPath cert that has an "unrecognized critical extension" and thus is untrusted by OS X. Once this "bad" Federal Common Policy is added to my keychain, OS X immediately chooses it as the issuer up the chain for ALL Federal PKI certs -- meaning most of the SSL certs at the NIH, all the certs on PIV cards, etc. -- and stops trusting all of these. Each time, I have to go into the keychain, delete this rogue Federal Common Policy cert, and then be OK until the next time Mail.app caches the email that has that "bad" cert.
>
> What makes OS X choose this bad Federal Common Policy cert over the good one that's in System Roots (and system and login -- I have three copies of the good one, all with custom trust settings saying Always Trust)?
>
> (Of note, I'm happy to share the "bad" one with anyone who's interested -- it's interesting, in addition to the issuer difference described above, it has an expiration date in 2014 rather than the 2030 date of the current good one.)
>
> Jason
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
Martin Lindner
Principal Engineer / Information Assurance Manager
Software Engineering Institute
Carnegie Mellon University
Office: +1 412 268-3107
Email: email@hidden
Email: email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden