
Easily import self-signed SSL certificates
With the new Safari in Tiger, it is easy to import a self-signed SSL certificate you come across. When the certificate warning appears, click Show More, then drag the certificate icon to a folder or your desktop. Double-click the saved certificate and Keychain Access will offer to import it. Choose the "X509Anchors" keychain in the pop-up menu and click OK, then enter an admin password to allow that keychain to be modified. X509Anchors is the machine-wide store of trusted roots, so a certificate imported there is trusted by every Keychain-aware application (Safari, Mail.app and so on) for every user on the machine. Before importing, compare the certificate's fingerprint (shown in the certificate window) with one you obtained from the server's administrator by some other channel: an unknown-certificate warning is also exactly what a man-in-the-middle would produce, and importing it unchecked makes that attacker a trusted party.

For example, my university has a self-signed SSL certificate for their IMAP server, and Mail.app constantly complains about this. So I pointed Safari at the IMAP SSL port, e.g. https://imap.ufl.edu:993/, to grab and import the certificate into the system keychain. Now when I start up Mail.app, it doesn't complain when connecting securely to my school's IMAP server.
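A command-line version of the same procedure, added here as an example and not part of the original hint: it uses openssl to fetch the certificate a server presents, computes the fingerprint so you can compare it with one obtained from the server's administrator, and only then hands the certificate to the keychain. The host name imap.example.test and the script name are placeholders; `make_test_cert` generates a throwaway self-signed certificate so the checks can be exercised offline. The `security add-trusted-cert` step is for 10.5 and later; on Tiger, do the import in Keychain Access as the hint describes.

```shell
#!/bin/sh
# Added example (not from the original hint): check a server certificate's
# fingerprint against a value obtained out of band before trusting it.
# imap.example.test is a placeholder host name, not a real server.
set -eu

# SHA-1 fingerprint of a PEM certificate file, colon-separated, as Keychain
# Access displays it in the certificate window.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeeds only if the fingerprint of certificate $1 equals $2 (case-insensitive).
fingerprint_matches() {
    actual=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# Save the leaf certificate that host $1 presents on port $2 into file $3
# (needs network; the openssl equivalent of pointing Safari at https://host:993/).
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Mark certificate $1 as a trusted root for every user of the machine
# (Mac OS X 10.5 and later; asks for an admin password, as Keychain Access does).
trust_cert_macos() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; not on macOS, nothing imported" >&2
        return 1
    fi
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}

# Constructed stand-in for the server's self-signed certificate so the
# checks above can be exercised without a network connection.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -out "$1" -subj "/CN=imap.example.test" >/dev/null 2>&1
}

# Usage: ./trustcert.sh HOST PORT EXPECTED_FINGERPRINT
if [ $# -eq 3 ]; then
    tmp=$(mktemp -d)
    fetch_server_cert "$1" "$2" "$tmp/server.pem"
    if fingerprint_matches "$tmp/server.pem" "$3"; then
        echo "fingerprint matches, importing"
        trust_cert_macos "$tmp/server.pem"
    else
        echo "FINGERPRINT MISMATCH for $1: $(cert_fingerprint "$tmp/server.pem")" >&2
        echo "not importing; confirm the certificate with the server's admin first" >&2
        exit 1
    fi
fi
```

The mismatch branch is the point of the script: the fingerprint you type on the command line has to come from somewhere other than the connection you are about to trust, otherwise the check proves nothing.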

Easily import self-signed SSL certificates | 8 comments
10.4: Easily import self-signed SSL certificates
Authored by: eagle on May 12, '05 11:54:30AM

It's easy to use Keychain Access to import self-signed certificates into Panther too. Probably Jaguar and other versions even. Sure it's not "double-click" easy, but it is drag-and-drop easy.

10.4: Easily import self-signed SSL certificates
Authored by: ascorbic on May 12, '05 12:58:23PM

If you're importing IMAP certificates, then you can do it directly from Mail.app without using Safari. Just open Mail, wait for the error message about the invalid certificate and click "Show certificate". You can then drag the certificate from there to the desktop and proceed as above.

---
--ascorbic - certified scurvy-free

10.4: Easily import self-signed SSL certificates
Authored by: owsla on May 12, '05 01:10:04PM

Everything written in this hint and comments works under at least Panther as well.

Easily import self-signed SSL certificates
Authored by: iolaire on May 12, '05 05:37:51PM

Thanks, this will help. I've hated the Gmail warning....

Easily import self-signed SSL certificates
Authored by: acdha on May 12, '05 06:35:41PM
10.3's Keychain Access worked in the same fashion; unfortunately neither of them works with OpenSSL, which a fair number of programs (including things like Apple's DirectoryService) use. I've collected the instructions for doing so here.

Easily import self-signed SSL certificates
Authored by: yesno on May 12, '05 06:57:07PM

I'm afraid this doesn't work for whatever certificate type the US Army uses, and neither do the instructions on Chris Adam's site for converting between formats. If anyone wants to look at the cert that https://pop.us.army.mil issues and can tell me what is going on, please do. I have been trying to do this for at least 2 years now and no one has been able to help me.

I might do an Ask Metafilter on this, come to think of it.

Easily import self-signed SSL certificates
Authored by: ascorbic on May 13, '05 04:03:29AM

Shouldn't you be connecting to imap.us.army.mil? imap.us.army.mil, pop.us.army.mil and webmail.us.army.mil are all the same IP, but return different certificates depending on the port connected to.
What is the error that you get in mail?

---
--ascorbic - certified scurvy-free

Easily import self-signed SSL certificates
Authored by: thecloud on May 13, '05 03:48:38PM

Here's what's going on, and how to make it work:

1. The certificate being used for pop.us.army.mil is not actually issued to that host; it's issued to "webmail.us.army.mil". You get an error because this is a violation of the PKI standards: the host name you're connecting to does not match the one that has been certified. However, since "pop.us.army.mil" and "webmail.us.army.mil" and "imap.us.army.mil" all resolve to the same IP address, you can just connect to "webmail.us.army.mil" to avoid this error.

2. The certificate is issued by an intermediate CA certificate that isn't being found: "DOD CLASS 3 CA-4". In order for a certificate chain to be considered valid, all of the certificates in the chain need to be available, with the root certificate in the X509Anchors keychain. Fortunately, Apple ships the DOD certificates in Tiger, although they aren't active by default. To enable them, launch Keychain Access, choose Keychain List from the Edit menu, click the '+' button, then navigate to /System/Library/Keychains/X509Certificates and add that keychain to your list.

Once you've done this, you can use Safari to connect to "https://webmail.us.army.mil/". (Click the lock icon at the top right corner, and it will show you the complete certificate chain.)
