10.3: Importing self-signed SSL certificates
There was a hint posted a while ago about importing self-signed certs. In 10.3, Mail asks you to confirm the connection to an IMAP/POP3 server that uses a self-signed SSL certificate, and it asks again every time it opens. I got annoyed after doing this a few times and, from reading past posts and pages, figured out how to make it stop asking. Note: this solution is for the more technically inclined, and it is only appropriate for a server you run yourself. What you are about to do is add the server's certificate to the system-wide list of trusted roots (X509Anchors), so every application on the Mac, not just Mail, will trust it from then on.

First, you will need the PEM format of the certs (for Apache-SSL + courier-imap-ssl). Mine came off a Debian 3.0 unstable server; you will need root on the server to read them. Note that courier's imapd.pem holds the private key and the certificate in one file. The openssl command below writes out only the certificate, which is the part the client needs; never copy the private key off the server. After grabbing the pem files, run:
 % openssl x509 -in imapd.pem -inform pem -out imapd.der -outform der
Replace the filenames as necessary. Then copy the *.der files to your Mac. Use scp rather than FTP: the file you are transferring is what your Mac is going to trust, so it should not travel over a channel where someone could swap it. I did this for my imap-ssl and Apache certs, so there are two files. Then, following the previous posts, do this:
 % sudo cp /System/Library/Keychains/X509Anchors ~/Library/Keychains/X509Anchors
 % cd ~/Library/Keychains
 % certtool i imapd.der k=X509Anchors d
Again, replace file names as necessary. The trailing d tells certtool the input is DER, so the file name must be the .der file produced above. (certtool reads PEM by default, so you can also skip the openssl conversion and the d and import the .pem directly.) Each file should add with this message: ...certificate successfully imported. Now, you need to copy the X509Anchors back:
 % sudo cp ~/Library/Keychains/X509Anchors /System/Library/Keychains/
You can delete the copy left in ~/Library/Keychains afterwards; it is not used, and it only causes confusion if you later add it in Keychain Access. Now, when you load up Mail.app or Safari, you should not get a warning about the integrity of the certs. Two things will still make Mail prompt every time even with the cert imported: an expired certificate, or a Common Name that does not match the server name you entered in Mail's account settings (for example, a certificate whose Common Name is localhost while Mail is configured to connect to your server's DNS name). In that case, regenerate the certificate on the server with the Common Name set to the exact hostname Mail uses, and import that one instead. Awesome.
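
The procedure above, as an added example rather than code from the original hint: a POSIX shell script for the server side that takes the .pem bundle, keeps only the certificate block (courier's imapd.pem also holds the private key, which must stay on the server), checks with openssl that the certificate is self-signed, not expired and issued to the hostname Mail will be configured with, and writes the DER file; plus the one-line Mac-side import. It goes a little beyond the thread in also accepting a matching DNS subjectAltName, which newer clients check instead of the Common Name. The hostname mail.example.com, the file names and the SAMPLE_BUNDLE text are constructed for the example (its base64 bodies are placeholders, so the openssl checks need a real certificate file). Run import_anchor_on_mac only on the Mac, as an administrator.

```sh
#!/bin/sh
# Added example, not from the original hint. Assumes POSIX sh with openssl on
# the server and certtool on the Mac (Panther's X509Anchors path). The
# hostname, file names and sample data below are illustrative.

# Constructed sample of what courier's imapd.pem looks like: private key and
# certificate in ONE file. The base64 bodies are placeholders, not real data.
SAMPLE_BUNDLE='-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKplaceholderkeymaterial00000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgplaceholdercertificate0000000000000000000000000000
-----END CERTIFICATE-----'

# extract_cert FILE: print only the CERTIFICATE block(s), never the key.
extract_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----/ { p = 0 }' "$1"
}

# has_private_key FILE: succeed if FILE carries key material of any PEM type.
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# cert_cn CERT: the subject Common Name. Handles both "/CN=host" (old openssl)
# and "CN = host" (openssl 1.1 and later) subject output.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_is_self_signed CERT: subject and issuer are the same name. When they
# differ, the anchor to import is the issuing CA's certificate, not this one.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# cert_matches_host CERT HOST: CN or a DNS subjectAltName equals HOST exactly
# (dots in HOST act as regex dots; fine for a sanity check, not for parsing).
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ] && return 0
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# cert_not_expired CERT: fails if the cert has expired or will within a day.
# Mail.app prompts for expired certificates even when they are anchored.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# prepare_for_mac BUNDLE HOST OUT: vet the server certificate and write the
# DER file the hint's certtool command imports. Refuses on a failed check so a
# mis-named or expired certificate never ends up as a system trust anchor.
prepare_for_mac() {
    bundle=$1; host=$2; out=$3
    tmp=$(mktemp) || return 1
    if has_private_key "$bundle"; then
        echo "note: $bundle holds the private key; only the certificate is exported" >&2
    fi
    extract_cert "$bundle" > "$tmp"
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$tmp"; then
        echo "refusing: no certificate block in $bundle" >&2; rm -f "$tmp"; return 1
    fi
    if ! cert_is_self_signed "$tmp"; then
        echo "note: certificate is CA-signed; anchor the CA certificate instead" >&2
    fi
    if ! cert_matches_host "$tmp" "$host"; then
        echo "refusing: not issued to $host; Mail.app would keep prompting" >&2
        rm -f "$tmp"; return 1
    fi
    if ! cert_not_expired "$tmp"; then
        echo "refusing: certificate is expired or about to expire" >&2
        rm -f "$tmp"; return 1
    fi
    openssl x509 -in "$tmp" -inform pem -out "$out" -outform der
    rc=$?
    rm -f "$tmp"
    return $rc
}

# import_anchor_on_mac DERFILE: the Mac side. Writes straight into the system
# anchors, as one commenter in the thread does, instead of the hint's copy-out
# and copy-back; "d" tells certtool the input is DER. Every application on the
# Mac trusts the certificate afterwards, so only do this for your own server.
import_anchor_on_mac() {
    sudo certtool i "$1" k=/System/Library/Keychains/X509Anchors d
}
```

Typical use on the server is prepare_for_mac /etc/courier/imapd.pem mail.example.com imapd.der (the path is illustrative), then scp imapd.der to the Mac and run import_anchor_on_mac imapd.der there. Because certtool reads PEM by default you could instead carry the vetted .crt over and drop the trailing d; the DER route simply mirrors the hint.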
10.3: Importing self-signed SSL certificates
Authored by: blugel on Oct 28, '03 11:31:49AM

Great hint, it was rather annoying. However, it left me scratching my head, heh. I'll look at it later tonight again. Still, any chance of making it 'friendlier'? =) Thanks

10.3: Importing self-signed SSL certificates
Authored by: Sortova on Oct 28, '03 01:44:43PM

Okay, using the hint by "thecloud" here is a simple way of getting OSX to accept self-signed certificates.

1) Get the .pem file. For my imap server running on Red Hat Linux it was in

/usr/share/ssl/certs

and the file was imapd.pem.

2) convert it to a "crt" file:

openssl x509 -in imapd.pem -out imapd.crt

(you should be able to do this on either the Mac or the remote server).

3) Copy the imapd.crt file to your local machine.

4) In Finder, double-click on it, which should bring up the "Keychain Access" app.

5) A dialog should appear asking if you want to add the certificate to your keychain. Now this is important: you have to choose the "X509 Anchors" keychain in order for this to work. It did not work just on my keychain. You will need admin access to do this, and the dialog will prompt you for your password.

That's it. Worked for me.

Good tip
Authored by: porkchop_d_clown on Nov 02, '03 04:14:32PM

thanks.

---
Everyone loves a clown, but no one will lend him money!

10.3: Importing self-signed SSL certificates
Authored by: thecloud on Oct 28, '03 12:09:53PM

There is a somewhat easier way to import certificates in Panther. If you have the certificate in a file with an appropriate filename extension (.cer/.crt, .pem, or .p7* formats), you should be able to just double-click that file to open it with Keychain Access. A dialog appears, asking if you want to import the certificate. If this is a root certificate and you want the system to trust it, just choose X509Anchors and type your admin password.

Also note that you can do the following to export a certificate, once it's in a keychain:

1. Launch Keychain Access (in /Applications/Utilities/)
2. Click on any certificate in the list to display it.
3. While holding down the option key, click on the picture of the certificate and drag it to your desktop (or other location in the Finder.) A new certificate file with a ".cer" extension should be created. That file can be subsequently imported to a different keychain, copied to a different machine, etc.

10.3: Importing self-signed SSL certificates
Authored by: yellow on Oct 28, '03 12:32:02PM

Now that's awesome.. this was really bugging me. Thanks!

10.3: Importing SSL certificates - where's my X509 keychain?!?
Authored by: mlevin99 on Feb 23, '06 06:43:09AM

I've got a more basic problem (OS 10.3.9, Entourage 2004): there's no X509Anchors keychain available when I drag the certificate to my keychain app! I see these choices: login, microsoft_intermediate_certificates, microsoft_entity_certificates, and System. When I choose "login", the password that came with the .pfx file doesn't work (it says " The certificate password you entered was invalid. Please contact your network administrator for the certificate password. Error: -2147411899). When I choose one of the Microsoft ones instead, the password works fine, but then it asks me to unlock the Microsoft keychain and my master keychain password doesn't work! Does anyone have any idea, what is the password to unlock that Microsoft keychain, and should I be using that one or the X509 one (and if that, where is it to be found)? Why don't I have an X509 keychain?

Thanks,

Mike

Apple knowledge base article
Authored by: garybu0 on Oct 28, '03 12:35:34PM
Apple knowledge base article
Authored by: zacht on Oct 28, '03 01:20:54PM

Mail crashes when I click in the area of the window where it shows the certificate --- i.e., if I click on the icon or on the text.

Darn.

Zach

Apple knowledge base article
Authored by: zacht on Oct 28, '03 01:46:52PM

Well, if I turn SSL *off* in the Mail prefs and then back on, then cancel about half a dozen stalled tasks in the Activity window, at that point it allows me to check mail, get the same error dialog, and drag the certificate to the desktop.

Unfortunately, even with the certificate in my keychain I'm still getting the error message. Perhaps this is because the certificate authority is unknown, at least to my computer.

zach

10.3: Importing self-signed SSL certificates
Authored by: johnpg on Oct 28, '03 01:32:43PM
The Apple KB article says:

Mail will continue to ask if you want to accept an SSL certificate each time it opens if the certificate is an expired server certificate or is signed by an unknown certificate authority.

In other words, it won't work for self signed certificates. I tried, and even set it to always trust, but it still asks each time.

I also had the mail crashing problem someone else reported, but to get around that I just downloaded the cert directly (it's from my server).

I wish there was just a simple "always accept this" checkbox.

John

10.3: Importing self-signed SSL certificates
Authored by: snark on Oct 28, '03 04:17:20PM

the Keychain / X509Anchors tip above does not help with the actual SSL certificates but rather works for CA (Certificate Authority) Certificates - that is: certificates used to sign other certificates...

So you need to create two certificates yourself: one CA and one actual SSL certificate for use in your imapd (or httpd or whatever). Use the private part of the CA to sign the other and hand the public part of the CA certificate out to all clients.

10.3: Importing self-signed SSL certificates
Authored by: dhaveconfig on Oct 29, '03 05:11:42AM

No, you don't.

The above method works fine. You can EITHER import CA or host certificates to the X509Anchors file.

Didn't work for me.
Authored by: porkchop_d_clown on Nov 02, '03 04:05:40PM

I imported the self-signed cert and I'm still getting the warning every time I start Mail.

---
Everyone loves a clown, but no one will lend him money!

Didn't work for me.
Authored by: leif on Feb 15, '04 07:49:50PM

Me too.

I used the openssl command to generate the X509 cert from my .pem file on the mailserver, and imported it to the x509 anchors in Keychain Access. Mail still whines every time it opens.

I was also unable to option-drag the cert from the Mail's warning dialog; using the option key, I get a generic document icon to drag, but it doesn't save to the desktop when I drop it there. If I don't hold down option I get a useless text clipping with the contents of the certificate information field.

On another mac also running panther, option dragging caused the system to briefly hang, and in a strange graphics error, the document icon now remains above all other applications, unclickable and useless.

A "remember this cert" button in the mail client would certainly be a nice thing to have.

Steps in KB article worked for me
Authored by: garybu0 on Oct 28, '03 04:23:05PM

The steps in the KB article add the self-signed cert to the list of root certs. Mail.app should not warn after following the steps in the article. At least, it didn't for the three machines I tried it on.

Steps in KB article worked for me
Authored by: legacyb4 on Aug 25, '04 02:43:33AM
This really is the key point for getting Mail to stop complaining about self-signed SSL certificates.

What needs to be added to the x509Anchors file is the server root certificate and NOT the certificate used to actually encrypt the mail traffic.

Having forgotten this while setting up my new desktop cost me a half hour of lost sleep...

10.3: Importing self-signed SSL certificates
Authored by: BraindeadMac on Oct 28, '03 07:35:15PM

I had this problem, too. That's because the "Common Name" field must match the host name you are trying to connect to. A lot of hints out there (err, including one of mine) suggest you use your own common name for that field when making a self-signed certificate. However, if you instead enter the machine's host name when openssl prompts for the Common Name while creating the certificate (e.g., localhost or 127.0.0.1 or whatever), the certificate will be recognized as valid. That was a run-on sentence, but hopefully you'll get the idea.

10.3: Importing self-signed SSL certificates
Authored by: jrdavidson on Jan 22, '04 07:24:06PM

Ok - I'll bite. I have three certs from my company's PKI infrastructure:

a. the root CA cert (cn=rootca.company.com)
b. the CA cert (cn=ca.company.com)
c. my public key cert (cn=Lastname,Firstname MI.)
d. my private key (no cn)

On which of these must the cn match the mailserver? The root?

Thanks.

John

10.3: Importing self-signed SSL certificates
Authored by: dsweet0626 on Jan 04, '04 02:47:10PM

I ran into the same problem where, even though I had imported the self-signed cert into Keychain Access, I was still getting prompted each time I accessed my mail.

The solution for me was to make a new cert and change its CN (common name). The CN should exactly match the hostname you are accessing to get your mail.

In my case it was mail.tgd-inc.com.

I hope my solution works for you.

---
That is all.

10.3: Even easier way to manage certificates
Authored by: sharumpe on Oct 28, '03 03:27:31PM

If you are an administrator on the machine, you can manage your certificates much more easily.

1) open Keychain Access
2) select the menu item: File--Add Keychain...
3) navigate to /System/Library/Keychains/
4) select X509Anchors and click 'Open'

Now you should have the X509Anchors item in your list of keychains. This is where Certificate Authority certificates should go. You can double-click your self-signed certificate (or better yet, the CA cert you signed it with), select "X509Anchors" from the selection list, and restart Safari. Your cert should be recognized now. You will have to enter your Administrator password at some point during the process (I can't remember exactly when).

If you need to remove certs, you can do that, too, though if you have not given your Administrator password, it will ask you for it.

I heartily thank Apple for making this possible, but they should now make it a default for the Keychain Access app, and should make the whole thing available through Safari.

Mr. Sharumpe

10.3: Even easier way to manage certificates
Authored by: telos on Nov 01, '03 07:28:27PM

This is a good hint as it allows you to manage the certs very easily. However, there is a bug if you do this:
try dragging a certificate to Keychain Access, a pop-up will appear asking you which keychain you would like to add the certificate to. Now there are four options instead of the usual three: user, X509 Anchors, system, X509 Anchors. As you can see X509 Anchors appears twice!

10.3: Even easier way to manage certificates
Authored by: telos on Nov 01, '03 07:37:04PM

Fw: I just want to add that Mr Sharumpe's method is the most flawless and easiest of all. The .cer file produced by option-dragging the certificate from Mail (rather than manually created .pem, .crt, etc..files) is excellent for importing into the X509 Anchors keychain. Import of other files caused problems with Mail (even freeze).

telos

10.3: Even easier way to manage certificates
Authored by: andrewc on Mar 18, '04 02:16:09AM

Read carefully -- one is the keychain you added (X509Anchors) and the other is the notion of X509 Anchors (for when you haven't added this key chain directly). I would guess they keep these somewhat hidden to avoid confusion. If you look in IE on Windows, the certificates are a little overwhelming. The mac approach is cleaner since you rarely need to deal with adding a CA certificate (which is basically what the X509 Anchors represent).

Import error: 13
Authored by: Anonymous on Dec 17, '03 09:46:51PM

Seems like a very nice trick, but when I try to import my .cer file into the X509 keychain I get an error message that it could not import it, and the number 13. However, I can import them into my login keychain without any problems (although they are not working). Any suggestions?

10.3: Even easier way to manage certificates
Authored by: dsmiley on Sep 03, '04 09:47:01PM

Wow, I've finally gotten it to work! Thanks for all your help. It took me a while, but I finally realized what I had to do was ad the certificate to the X509 *Certificate* keychain (not the "Anchors" one noted here).

10.3: Even easier way to manage certificates
Authored by: mgiorget on Nov 11, '04 02:25:16PM

Hello, I am experiencing this problem with Apple Mail/Keychain: I am trying to add the certificate of a server (SMTP); when I just accept it while trying to send the email I get this message:
"Mail was unable to verify the identity of this server, which has a certificate issued to "xxx". The error was: The certificate for the server is invalid. You might be connecting to a computer that is pretending to be "xxx", and putting your confidential information at risk."
Do you think it is the server's fault?
And another question: if I try to add a certificate to Keychain, there is no X509 Anchor keychain; shall I just create a new keychain naming it like that, or is there a better way?
Thank you

10.3: Importing self-signed SSL certificates
Authored by: jelwell on Oct 28, '03 06:14:01PM

Am I missing something? This doesn't work for me. I import the der file (note the steps seem a bit off):

% sudo cp /System/Library/Keychains/X509Anchors ~/Library/Keychains/X509Anchors
% cd ~/Library/Keychains
% certtool i imapd.pem k=X509Anchors d

The third item should probably be "certtool i imapd.der k=X509Anchors d"

Anyways, I can see my certificate imported properly but Mail still asks me once per session to verify the certificate.

Even apple's tech note imports (with much more ease) but notice that the tech note says you can import the cert, but mail will still ask!

joe.

10.3: Importing self-signed SSL certificates
Authored by: BraindeadMac on Oct 28, '03 07:37:44PM

See my above comment for more detail, but the "Common name" must match the server name, so you may need to recreate your self-signed certificate. Instead of entering "Your name" as instructed by openssl, enter your hostname (e.g., localhost)!

10.3: Importing self-signed SSL certificates
Authored by: logo on Mar 19, '04 03:49:23AM
This last comment has helped me to a solution to a half-year struggle.
Last fall the certificate of my mail provider expired. That started the popup for each of my four mail accounts!!!
The problem lasted until yesterday, when I had a closer look at the message. The certificate had been renewed (probably a couple of months ago), yet the registered server name had changed from pop3.blabla.com to mail.blabla.com. Changing the mail server's name in the account setups fixed the problem.

So in addition to the hint: the account's logical server name must match the certificate's server name!!!

THAAAAANK YOU!!!!!

10.3: Importing self-signed SSL certificates
Authored by: timb on Oct 29, '03 07:22:32PM

I put a bug report in to Apple for this. Hopefully they will add an "always trust" checkbox.

10.3: Importing self-signed SSL certificates
Authored by: blugel on Oct 29, '03 08:45:30PM

Following Apple's document and the help here, I added the pop mailserver's certificate to the keychain and yet it asks like many have claimed also. Why must it be so hard to protect ourselves with encryption.

10.3: Importing self-signed SSL certificates
Authored by: BraindeadMac on Nov 02, '03 07:55:40AM

again, the "Common name" used to create your certificate must match your server's name (e.g., localhost) for Mail to always accept the certificate.

but still not trusted?
Authored by: westin on Nov 01, '03 05:06:44PM

I can get the cert into my keychain, but it still prompts me every time, saying that the cert isn't valid. I noticed that in the keychain you can set the trust settings, but I can't unlock the X509Anchors keychain! I type in my root password, my admin password, but it doesn't unlock.

Greg

---
http://www.gregwestin.com/
Contact Info: http://www.gregwestin.com/contact.php

but still not trusted?
Authored by: westin on Nov 01, '03 05:11:03PM

Aha. The comment above about setting the Common Name properly did the trick for me. I had it set to get mail from "localhost" in Mail.app, and I needed to set it to my domain name.

Thanks!

Greg

---
http://www.gregwestin.com/
Contact Info: http://www.gregwestin.com/contact.php

10.3: Importing self-signed SSL certificates
Authored by: rajiv on Nov 02, '03 04:07:43AM

OK, I've got my CA cert in x509Anchors and Mail no longer asks me about the SSL connection when I connect to get mail.

However, after the initial connection, Mail no longer makes new connections and I see this error when I click on the ! next to my inbox:

The server error encountered was: Error NSStreamSocketSSLErrorDomain -9806

Any ideas? Googling for that returns only the Apple dev doc with minimal info. I am using Apple Mail to connect to courier-imapd running on Linux.

10.3: Importing self-signed SSL certificates
Authored by: creus on Nov 02, '03 02:57:35PM

Just thought I would mention, there is a tool to do all of what you have described called CerttoolGUI. Also works in 10.2

Also, you don't have to convert a PEM-encoded certificate to DER encoding. Certtool expects PEM encoding, so the openssl conversion process and the 'd' at the end of the certtool command are unnecessary.

10.3: Importing self-signed SSL certificates
Authored by: ignatzmous on Jan 29, '04 07:43:05PM

This was the only hint in this thread that worked for me. There is a typo in the instructions, however: it should be the imapd.der output file that you're importing with CertTool.

Thanks so much. I have now imported my Courier IMAP and my SMTP ssl tunnel certs and the dumb warnings are gone.

---
--
conrad heiney

10.3: Importing self-signed SSL certificates
Authored by: andrewc on Mar 18, '04 02:18:37AM

Don't take the warnings lightly. In most cases (where you aren't self-signing), they let you know that you could be in a man-in-the-middle attack. This is very serious so you should always investigate a warning. That said, if you are self-signing, you will know about it and can ignore until you get the X509 anchor set.

10.3: Importing self-signed SSL certificates
Authored by: Apollo18Pnut on Apr 23, '04 04:53:23PM
I got my sysadmin to create a simapd.crt with only the certificate in it (she says imapd wants a .pem file which contains both a private key and the certificate). I then ran:
sudo certtool i simapd.crt v k=/System/Library/Keychains/x509Anchors
and restarted Mail.app. No more warning dialogs!
(this was from http://www.afp548.com/Articles/Panther/sslinfo.html)

10.3: Importing self-signed SSL certificates: Summary
Authored by: pheon2 on Jan 16, '06 07:33:17AM

This is a long and sometimes confusing thread. But it worked for me (Thanks).

To summarize my experience.

I run my own mail server and connect to it using SSL. On the server, I created my own self-signed certificate using the command

openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

When openssl asked for 'Common Name', I entered the DNS name of my server.

When Mail.app complained, I clicked the question mark and followed the instructions. Which were

Option drag the certificate to the Desktop.
Double click on the certificate.
Put it in X509Anchors.

Now Mail.app does not complain when I check my mail.

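
The creation step this summary turns on, as an added example rather than anything posted in the thread: generate the self-signed certificate so that the hostname appears both in the Common Name (what Panther's Mail compares against the account's server name) and in a DNS subjectAltName (what current clients require instead), then list the names in the result before moving only the certificate to the Mac. The config contents, the 2048-bit RSA key, the 3650-day default and the server-only extensions are this example's choices; the hostname mail.example.com and the file names are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh and an openssl (or
# LibreSSL) that accepts -config; the hostname and file names are illustrative.

# san_req_config HOST: print an openssl req config that puts HOST in the CN
# and in a DNS subjectAltName, and marks the cert as a server, not a CA.
san_req_config() {
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = srv
[dn]
CN = $1
[srv]
subjectAltName = DNS:$1
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# make_self_signed HOST KEYFILE CERTFILE [DAYS]: unattended key and
# self-signed certificate generation from the config above. The key file is
# made owner-readable only; it stays on the server.
make_self_signed() {
    host=$1; key=$2; cert=$3; days=${4:-3650}
    cfg=$(mktemp) || return 1
    san_req_config "$host" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$cert" \
        -days "$days" -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] && chmod 600 "$key"
    return "$rc"
}

# cert_names CERT: print the subject CN and every DNS subjectAltName, one per
# line, so you can see exactly which names a client will accept.
cert_names() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_names_ok CERT HOST: at least one name, and every name is exactly HOST,
# the string you will type into Mail's incoming/outgoing server field.
cert_names_ok() {
    names=$(cert_names "$1") || return 1
    [ -n "$names" ] || return 1
    for n in $names; do
        [ "$n" = "$2" ] || return 1
    done
}
```

On the server: make_self_signed mail.example.com smtpd.key smtpd.crt, after which cert_names smtpd.crt prints mail.example.com twice. Concatenate key and certificate into the single .pem file daemons such as courier or the smtpd above expect, and carry only smtpd.crt to the Mac for the X509Anchors import.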