Re: [Fed-Talk] CACs and DoD certs on Macs
- Subject: Re: [Fed-Talk] CACs and DoD certs on Macs
- From: David Mueller <email@hidden>
- Date: Wed, 21 Nov 2012 11:18:59 -0800
- Thread-topic: [Fed-Talk] CACs and DoD certs on Macs
On 11/21/12 9:55 AM, "Shawn Geddis" <email@hidden> wrote:
> On Nov 13, 2012, at 1:24 PM, John Oliver <email@hidden> wrote:
>> I'm also seeing oddities with the cert for CA-21. On my iMac, CA-21's cert is
>> serial number 46 and shows up as revoked, even though it isn't. On my Windows
>> machine, it's serial number 4c and works OK. On a coworker's iMac, he has
>> serial number 76, but does NOT have SystemCACertificates loaded in his
>> keychain, yet has no problem validating certificates.
>
> The SystemCACertificates.keychain is an Apple provided Keychain with no
> special powers other than it is pre-populated with all of the Current/Known
> DoD Intermediate Certificates. It makes it much easier for Users/Admins to
> simply 'Add Keychain...' to the list than to download and import all of
> those certificates each time a system gets a clean install.
>
> The valid "DOD CA-21" Intermediate CA Certificate (valid Jan 26, 2009 to Jan
> 25, 2015) with Sig Alg SHA-1 with RSA Encryption has serial number '76'
> decimal (or '4C' hexadecimal). If you have an updated certificate with the
> modifications to the Sig Alg being SHA-256 with RSA Encryption then it might
> be the '46' you refer to. I do not know personally because I have not seen it
> yet.
I did some digging on this and found that some web servers were presenting a
cert signed by "DOD CA-21" with serial number 46. When OCSP or CRL checking
is enabled in Keychain Access, Safari reports an error that the certificate
is revoked.
I then went and downloaded the CRL referenced in the certificate and parsed
it with OpenSSL. The CRL indicates that the certificate is indeed revoked
(serial number 2E). The difference is that OpenSSL prints the serial numbers
in hex, while Safari prints them in decimal. 0x2E = 46.
The cert has a revocation date of February 20, 2009, but at least one of the
web servers that has this issue has a cert issued on January 25, 2010. Not
sure what's going on there. Either DoD was issuing certs with a revoked CA,
or something is chaining them incorrectly.
> On Nov 13, 2012, at 1:58 AM, Sean Baker <email@hidden> wrote:
>> Is the non-root DoD Root CA 2 explicitly trusted in her keychain?
>
> Sean: Not sure where this is coming from. The "DoD Root CA 2" Root CA
> Certificate is shipped as part of the System Roots Keychain and is inherently
> trusted without trust modifications.
>
> Be extra careful here when you are referring to certificates simply by their
> Common Name as the only form of unique identifier. There is also a "DoD Root
> CA 2" Intermediate CA Certificate issued by the "DoD Interoperability Root CA
> 1" CA. That means that there are two certificates issued by the DoD with
> the exact same CN with one serving as a Root CA Certificate and the other
> serving as an Intermediate CA Certificate.
I still use Entourage 2008, since NMCI is still using a version of Exchange
that's not compatible with the latest Outlook for Mac.
I have problems sporadically. It happens whenever I read a signed email from
someone and for whatever reason, the signing cert gets chained not to the
root "DoD Root CA 2" certificate, but to the "DoD Root CA 2" Intermediate CA
Certificate. This latter certificate ends up chaining back to this one:
> "DoD Interoperability Root CA 1" (not currently populated by Apple in any
> keychain)
> CN = "DoD Interoperability Root CA 1"
> Issuer = "SHA-1 Federal Root CA"
> SNB = 606
> Signature Alg = SHA-1 with RSA Encryption ( 1.2.840.113549.1.1.5 )
> Certificate Authority ? = YES
> Intermediate CA Cert
> "This certificate cannot be used (unrecognized critical extension)"
Once that happens, Entourage's ability to authenticate certificates
correctly dies. It claims that it can't verify my own certificate whenever I
attempt to send a signed email (though it will still let me send it). It
can't verify the SSL certificate being presented by the OWA server. It can't
verify any other signed emails, even from people who normally don't cause
the problem. The workaround I use is to quit Entourage, open Keychain
Access, and delete the Microsoft_Intermediate_Certificates keychain
(references and files). Then all is well, until the next time I read a
signed email from someone whose certificate chains back up the wrong way.
Whether or not anyone has reported this through formal bug reporting
channels to either Apple or Microsoft is something I don't know.
- David
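The hex-versus-decimal point made above (OpenSSL prints CRL serial numbers in hexadecimal, Keychain Access and Safari display them in decimal, so OpenSSL's 2E and Safari's 46 are the same certificate) is easy to get wrong by eye and easy to check by script. The following Python is an added example, not code from this thread or from Apple, Microsoft or DoD: it parses the text that `openssl crl -text -noout` prints, builds a map of revoked serials, and tests a serial given in either display form against it. The CRL text, its issuer string, serial numbers and dates are constructed for illustration and do not reproduce the real DOD CA-21 CRL.

```python
"""Check a displayed certificate serial against a CRL parsed from
`openssl crl -text` output, normalising between the hexadecimal form
OpenSSL prints and the decimal form Keychain Access / Safari show."""
import re
from datetime import datetime

# Constructed sample shaped like `openssl crl -in ca.crl -inform DER -noout -text`.
# Issuer, serials and dates are illustrative only (assumption, not the real CRL).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD CA-21
        Last Update: Nov 20 12:00:00 2012 GMT
        Next Update: Nov 27 12:00:00 2012 GMT
Revoked Certificates:
    Serial Number: 2E
        Revocation Date: Feb 20 12:00:00 2009 GMT
    Serial Number: 1A3F
        Revocation Date: Jun  3 08:15:00 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
"""

ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+?)\s*$")
SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$")
DATE_RE = re.compile(r"^\s*Revocation Date:\s*(.+?)\s*$")


def parse_crl_text(text):
    """Return (issuer, {serial_as_int: revocation_datetime}).

    OpenSSL prints every serial in hex, so each one is parsed with base 16;
    storing ints removes the display-base ambiguity for later comparisons."""
    issuer = None
    revoked = {}
    current = None
    for line in text.splitlines():
        m = ISSUER_RE.match(line)
        if m and issuer is None:
            issuer = m.group(1)
            continue
        m = SERIAL_RE.match(line)
        if m:
            current = int(m.group(1), 16)
            revoked[current] = None
            continue
        m = DATE_RE.match(line)
        if m and current is not None:
            # OpenSSL date format, e.g. "Feb 20 12:00:00 2009 GMT"
            revoked[current] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z")
            current = None
    return issuer, revoked


def normalise_serial(serial, base):
    """Turn a serial as displayed by some tool into an int.

    base=10 for Keychain Access / Safari, base=16 for OpenSSL. Colons and
    spaces (common hex separators) are stripped; an explicit 0x prefix wins."""
    cleaned = re.sub(r"[\s:]", "", str(serial))
    if cleaned.lower().startswith("0x"):
        return int(cleaned, 16)
    return int(cleaned, base)


def is_revoked(crl_text, serial, base):
    """True if the displayed serial (in the given base) is on the CRL."""
    _, revoked = parse_crl_text(crl_text)
    return normalise_serial(serial, base) in revoked


def describe(serial, base):
    """Show both display forms of a serial so two tools can be compared."""
    n = normalise_serial(serial, base)
    return f"decimal {n} / hex {n:X}"


if __name__ == "__main__":
    issuer, revoked = parse_crl_text(SAMPLE_CRL_TEXT)
    print("Issuer:", issuer)
    for sn, when in sorted(revoked.items()):
        print(f"  revoked: decimal {sn} / hex {sn:X} on {when:%Y-%m-%d}")
    # Safari's decimal 46 is OpenSSL's 2E: genuinely on the list.
    print("Safari '46' ->", describe("46", 10), "revoked:", is_revoked(SAMPLE_CRL_TEXT, "46", 10))
    # Misreading the same digits as hex (decimal 70) would wrongly clear it.
    print("OpenSSL '46' ->", describe("46", 16), "revoked:", is_revoked(SAMPLE_CRL_TEXT, "46", 16))
    # The valid CA cert: decimal 76 and hex 4C are the same number, not listed.
    print("Safari '76' == OpenSSL '4C':", normalise_serial("76", 10) == normalise_serial("4C", 16))
```

Run it against a real CRL by piping `openssl crl -in <file> -inform DER -noout -text` into `parse_crl_text`; the Issuer line is kept so you can confirm the CRL actually belongs to the CA you think issued the certificate, which matters when two certificates share a Common Name as described earlier in the thread.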