All-
It’s been a while since I’ve looked at this. Back in the day, the challenge was configuring the lookup for the searches.
With Outlook, we add an address book which is the LDAP search for the certificates. Of course, Outlook will look in Active Directory with an AD-bound system.
If your system has certificates in the local keychain, both Apple Mail and Outlook will use them first. With Apple Mail, the keychain has to be configured to search the directory for certificates.
For encrypting and signing messages, you need to tell Apple Mail or Outlook which certificate to use. With the PIV badge, that keychain appears when the badge is in the reader. So, I’m wondering if you’ve selected the correct certificates.
I am not surprised you can sign, as you digitally sign a message with your private key, and it is verified with your public key, so all you need is your PIV badge. (The recipient has to have your public key to verify your signature.) When you encrypt, you have to look up the other person’s public key. If the encryption button is greyed out, then you don’t have a “valid” encryption key selected.
One other caveat: Apple is very close to the RFC on S/MIME. Case and punctuation in the Email Address and DN matter.
Lee
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden]
On Behalf Of email@hidden
Sent: Thursday, March 13, 2014 12:19 PM
To: Levine, Jason (NIH/NCI) [E]
Cc: email@hidden
Subject: Re: [Fed-Talk] Encrypted Apple Mail w/ PIV
We have been having similar discussions at work with regards to moving OS X users to S/MIME-encrypted enterprise email. Any help on this would be greatly appreciated.
On Thu, Mar 13, 2014 at 3:12 PM, Levine, Jason (NIH/NCI) [E] <email@hidden> wrote:
Walter, I *literally* was about to post this same question — I've struggled over the past few years to figure out if there's a way to get this to work properly. I'm now faced with an absolute, ironclad mandate to move a set of OS X users over to S/MIME-encrypted enterprise email in the next month, and this one issue is literally my biggest obstacle.
Any advice would be appreciated!
Jason Levine
Center for Cancer Research, National Cancer Institute
> We have our PIV certs populated in AD. I have the OS X Smartcard Services installed and enabled on an OS X 10.9.2 laptop bound to AD. I can successfully log into OS X with my PIV card. I can create new email messages and click the digital signature button to successfully send digitally signed emails. I can’t click the encryption button. It is grayed out.
>
> I read in Apple Mail Help that I need the personal certificate for each recipient in my Keychain to send them encrypted messages. Can Apple Mail not get those certificates from AD?
>
> Walter