Fix certificate errors in Safari and Mail when using AKO

Jun 16, '06 07:30:03AM

Contributed by: Anonymous

Every person in the US Army is required to maintain an AKO (Army Knowledge Online) account. AKO webmail is a terrible web interface for email, but soldiers are forced to use it. All Army military email addresses (@us.army.mil and @usar.army.mil) are AKO addresses, and they cannot be automatically forwarded to commercial addresses (yahoo, msn, aol, .com, .edu, etc -- only .gov and .mil are supported). I hate AKO email and check my account only when told. One day, when I was getting "smoked" by my First Sergeant for not checking my email, I stared at the asphalt and thought to myself, "There has to be a better way."

You are allowed access to your account using POP3, but Mail just won't work with it for some reason. Safari consistently gives error messages about "certificates" and unknown authorities, which make AKO all the more nasty. The Army does have a site that tells Windows users how to avoid the Certificate dialogs, and has a program PC users can download that will set up their PC to not suck so much when accessing AKO, but Mac users are completely ignored.

I found a lot of people who had the same problem, but no answers. Then I stumbled onto a solution that fixed the two issues, but it was a back-and-forth between two people with a fairly advanced understanding of Internet protocols, and it was incomprehensible. So, to the servicemen and women who like Mail and Safari but hate AKO as much as I do, I offer the following fix ... and maybe someone will figure out an easier way to do this.

Open up TextEdit and create four .txt files. Copy and paste the following code into each file. Note that your TextEdit preferences must be set such that new files are created as plain text documents and not RTF documents. File 1:

# Subject Name: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Issuer Name: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Expiration Date: May 14, 2020
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

File 2:

# Subject Name: CN=DOD CLASS 3 CA-3, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Issuer Name: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Expiration Date: July 4, 2006
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----

File 3:

# Subject Name: CN=DOD CLASS 3 CA-4, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Issuer Name: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Expiration Date: July 4, 2006
-----BEGIN CERTIFICATE-----
MIIEFTCCA36gAwIBAgIBDzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzEYMBYGA1UEChMP
VS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEcMBoGA1UEAxMTRG9E
IENMQVNTIDMgUm9vdCBDQTAeFw0wMDA3MDUxMjU1NDNaFw0wNjA3MDQxMjU1NDNaMF4xCzAJBgNV
BAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMD
UEtJMRkwFwYDVQQDExBET0QgQ0xBU1MgMyBDQS00MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDgBeLRv7YHTmHeT0I41vypv1/3OTu3mZdY7Y0GEIiC8OvJXRSDU0aaMNQZ2pSytE1HKiv5gwL8
I9SkAhMw8n4REZuwkDyBsiK2crWPwaFHs66gpPOsApGCa7VuvyKwmeEwZ3nm4NoqL0S6dV0kwUna
9pjmRbmAWgDSWO0j13iTlwIDAQABo4IB3jCCAdowHQYDVR0OBBYEFBWiozXecTI1L7/x/edV0Z/Y
9ipfMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAwHwYDVR0j
BBgwFoAUbJyl8FyPbUGNxBc7kFfCD6PNbf4wMAYDVR0gBCkwJzALBglghkgBZQIBCwUwCwYJYIZI
AWUCAQsJMAsGCWCGSAFlAgELCjCBgwYDVR0SBHwweoZ4bGRhcDovL2RzLTMuYzNwa2kuY2hhbWIu
ZGlzYS5taWwvY24lM2REb0QlMjBDTEFTUyUyMDMlMjBSb290JTIwQ0ElMmNvdSUzZFBLSSUyY291
JTNkRG9EJTJjbyUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUzZFVTMIGwBgNVHR8EgagwgaUwgaKg
gZ+ggZyGgZlsZGFwOi8vZHMtMy5jM3BraS5jaGFtYi5kaXNhLm1pbC9jbiUzZERvRCUyMENMQVNT
JTIwMyUyMFJvb3QlMjBDQSUyY291JTNkUEtJJTJjb3UlM2REb0QlMmNvJTNkVS5TLiUyMEdvdmVy
bm1lbnQlMmNjJTNkVVM/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDtiaW5hcnkwDQYJKoZIhvcN
AQEFBQADgYEAs7cAhWg30rDv01GBc+ZSl6YalHuEPcjAeK3jOrKJmwvobzgoEvysPLklh8ddQx27
pFIhoCSKlbWCia5cZdkmBsm8zBRjbYF+NoBxa+cduTj66wFkrwgIJGHz8dyQoV/JpTDyX6qn+xyU
0FaSKBt21mQ2MqiDGh11CGcwsWtLfTI=
-----END CERTIFICATE-----

File 4:

# Subject Name: CN=DOD CLASS 3 CA-7,OU=PKI,OU=DoD,O=U.S. Government,C=US
# Issuer Name: CN=DOD CLASS 3 CA-7,OU=PKI,OU=DoD,O=U.S. Government,C=US
-----BEGIN CERTIFICATE-----
MIIEFTCCA36gAwIBAgIBJDANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzEY
MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsT
A1BLSTEcMBoGA1UEAxMTRG9EIENMQVNTIDMgUm9vdCBDQTAeFw0wMzA2MDQxMDEy
MDZaFw0wOTA2MDIxMDEyMDZaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMu
IEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJMRkwFwYDVQQD
ExBET0QgQ0xBU1MgMyBDQS03MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8
BKQkT6/KuDyouK8n7AlAyvZy1KAomd3cl/9ndmehOog++qXO7FdfI4+K3MUqm6TF
C/OWptvtDwGBs/LKoa0LjaIDLwygjG/kOQRrzHcKxnpolumWJM2eVJZAT4dfIUU3
LfWWPomaJgfAVUYHM4byoXHtP1YJKC0GzFeCSZcO1QIDAQABo4IB3jCCAdowHQYD
VR0OBBYEFALFH0MRc2AyNz7mR4Yp3iG2cmYjMA4GA1UdDwEB/wQEAwIBhjAPBgNV
HRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAwHwYDVR0jBBgwFoAUbJyl8FyPbUGN
xBc7kFfCD6PNbf4wMAYDVR0gBCkwJzALBglghkgBZQIBCwUwCwYJYIZIAWUCAQsJ
MAsGCWCGSAFlAgELCjCBgwYDVR0SBHwweoZ4bGRhcDovL2RzLTMuYzNwa2kuY2hh
bWIuZGlzYS5taWwvY24lM2REb0QlMjBDTEFTUyUyMDMlMjBSb290JTIwQ0ElMmNv
dSUzZFBLSSUyY291JTNkRG9EJTJjbyUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUz
ZFVTMIGwBgNVHR8EgagwgaUwgaKggZ+ggZyGgZlsZGFwOi8vZHMtMy5jM3BraS5j
aGFtYi5kaXNhLm1pbC9jbiUzZERvRCUyMENMQVNTJTIwMyUyMFJvb3QlMjBDQSUy
Y291JTNkUEtJJTJjb3UlM2REb0QlMmNvJTNkVS5TLiUyMEdvdmVybm1lbnQlMmNj
JTNkVVM/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDtiaW5hcnkwDQYJKoZIhvcN
AQEFBQADgYEAtOqMTGl5mdL3Vp2EoImLqvHTpF2nOqnMFnx4T8zijXH8j0/bHI00
AIbYJeVgy9YyLz3XsxEZWvcywTRq0XkLs8EtygdE6lZNJA3Px3FnPmBTwaXTDaGA
695cemp67L85bvxm2IVXnr91i6klVczY90MpcWBUwBeK8pxPdscq2Yk=
-----END CERTIFICATE-----

Find a nice place to save the files. I saved mine in /System -> Library -> Keychains. Save them as plain text files (Western Mac OS Roman) and make sure that the Hide Extension box in the Save As dialog is not checked. Now, with the extensions visible, change them each from .txt to .cer (for 'certificate').
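Before importing files like these into a trust store, it is worth checking what each certificate actually says rather than relying on the `#` header lines. The following Python script is an added example and not part of the original hint: it embeds the article's File 3 (the DOD CLASS 3 CA-4 intermediate, copied verbatim as constructed input, header comments included), decodes it with a minimal DER walker, pulls out serial, subject, issuer and validity period, compares subject and issuer to the header comments, and reports whether the certificate was still valid on the day the hint was posted (June 16, 2006). The parser, the `vet_cert` function and the `ARTICLE_DATE` constant are my own names; on a Mac the same fields can be read with `openssl x509 -in file.cer -noout -subject -issuer -dates`, which likewise skips the text before the BEGIN line.

```python
import base64
from datetime import datetime, timezone

# The article's "File 3" (DOD CLASS 3 CA-4), copied here as constructed input so the
# script runs offline. The '#' header lines are kept: a PEM reader has to skip them.
FILE3_CER = """\
# Subject Name: CN=DOD CLASS 3 CA-4, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Issuer Name: CN=DoD CLASS 3 Root CA, OU=PKI, OU=DoD, O=U.S. Government, C=US
# Expiration Date: July 4, 2006
-----BEGIN CERTIFICATE-----
MIIEFTCCA36gAwIBAgIBDzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzEYMBYGA1UEChMP
VS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEcMBoGA1UEAxMTRG9E
IENMQVNTIDMgUm9vdCBDQTAeFw0wMDA3MDUxMjU1NDNaFw0wNjA3MDQxMjU1NDNaMF4xCzAJBgNV
BAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMD
UEtJMRkwFwYDVQQDExBET0QgQ0xBU1MgMyBDQS00MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDgBeLRv7YHTmHeT0I41vypv1/3OTu3mZdY7Y0GEIiC8OvJXRSDU0aaMNQZ2pSytE1HKiv5gwL8
I9SkAhMw8n4REZuwkDyBsiK2crWPwaFHs66gpPOsApGCa7VuvyKwmeEwZ3nm4NoqL0S6dV0kwUna
9pjmRbmAWgDSWO0j13iTlwIDAQABo4IB3jCCAdowHQYDVR0OBBYEFBWiozXecTI1L7/x/edV0Z/Y
9ipfMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAwGA1UdJAQFMAOAAQAwHwYDVR0j
BBgwFoAUbJyl8FyPbUGNxBc7kFfCD6PNbf4wMAYDVR0gBCkwJzALBglghkgBZQIBCwUwCwYJYIZI
AWUCAQsJMAsGCWCGSAFlAgELCjCBgwYDVR0SBHwweoZ4bGRhcDovL2RzLTMuYzNwa2kuY2hhbWIu
ZGlzYS5taWwvY24lM2REb0QlMjBDTEFTUyUyMDMlMjBSb290JTIwQ0ElMmNvdSUzZFBLSSUyY291
JTNkRG9EJTJjbyUzZFUuUy4lMjBHb3Zlcm5tZW50JTJjYyUzZFVTMIGwBgNVHR8EgagwgaUwgaKg
gZ+ggZyGgZlsZGFwOi8vZHMtMy5jM3BraS5jaGFtYi5kaXNhLm1pbC9jbiUzZERvRCUyMENMQVNT
JTIwMyUyMFJvb3QlMjBDQSUyY291JTNkUEtJJTJjb3UlM2REb0QlMmNvJTNkVS5TLiUyMEdvdmVy
bm1lbnQlMmNjJTNkVVM/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDtiaW5hcnkwDQYJKoZIhvcN
AQEFBQADgYEAs7cAhWg30rDv01GBc+ZSl6YalHuEPcjAeK3jOrKJmwvobzgoEvysPLklh8ddQx27
pFIhoCSKlbWCia5cZdkmBsm8zBRjbYF+NoBxa+cduTj66wFkrwgIJGHz8dyQoV/JpTDyX6qn+xyU
0FaSKBt21mQ2MqiDGh11CGcwsWtLfTI=
-----END CERTIFICATE-----
"""
ARTICLE_DATE = datetime(2006, 6, 16, tzinfo=timezone.utc)   # the day the hint was posted

def pem_to_der(text):
    """Base64-decode only what lies between the BEGIN/END markers (skips '#' headers)."""
    lines = [line.strip() for line in text.splitlines()]
    start = lines.index("-----BEGIN CERTIFICATE-----") + 1
    end = lines.index("-----END CERTIFICATE-----")
    return base64.b64decode("".join(lines[start:end]))

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

ATTR = {"550406": "C", "55040a": "O", "55040b": "OU", "550403": "CN"}   # X.520 attribute OIDs

def parse_name(name_der):
    """X.501 Name -> 'CN=..., OU=..., C=US' (most specific RDN first, as in the headers)."""
    rdns = []
    for _, rdn_set in children(name_der):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            rdns.append(f"{ATTR.get(oid.hex(), oid.hex())}={value.decode('utf-8')}")
    return ", ".join(reversed(rdns))

def parse_time(tag, value):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Pull the tbsCertificate fields that matter before trusting a CA certificate."""
    (_, cert), = children(der)                         # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])            # tbsCertificate elements
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity[1]))
    return {"serial": int.from_bytes(serial[1], "big"),
            "issuer": parse_name(issuer[1]), "subject": parse_name(subject[1]),
            "not_before": not_before, "not_after": not_after}

def vet_cert(pem_text, now):
    """Checks worth making before importing: header vs. content, self-signed?, still valid?"""
    claims = dict(line[2:].split(":", 1) for line in pem_text.splitlines()
                  if line.startswith("# ") and ":" in line)
    claims = {k.strip(): v.strip() for k, v in claims.items()}
    info = parse_cert(pem_to_der(pem_text))
    return {"serial": info["serial"], "subject": info["subject"], "issuer": info["issuer"],
            "not_before": info["not_before"].isoformat(),
            "not_after": info["not_after"].isoformat(),
            "header_matches": claims.get("Subject Name") == info["subject"]
                              and claims.get("Issuer Name") == info["issuer"],
            "self_signed": info["issuer"] == info["subject"],   # True only for a root
            "valid_at": info["not_before"] <= now <= info["not_after"],
            "days_left": (info["not_after"] - now).days}

if __name__ == "__main__":
    for key, value in vet_cert(FILE3_CER, ARTICLE_DATE).items():
        print(f"{key:>15}: {value}")
```

Run as-is, it prints the parsed fields and shows that the CA-4 intermediate had 18 days left on the day the hint was posted. That is the practical caveat with hand-installed intermediates: once one expires the errors return and the replacement has to be fetched and imported again, so record the notAfter date of anything you import. The script checks structure and dates only; it does not verify the signature chain back to the root, which Keychain does when the certificate is used.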

Go to the AKO login site, and you will get a dialog saying something like Safari can't verify the identity of the website www.us.army.mil. If it doesn't say that, then you're not totally logged out, so close Safari and start it up again, and it will give the error message. Click the Show Certificate button. Check the Always trust these certificates box. Expand the triangle next to Trust Settings, and make sure both drop down menus say Always Trust. Click the Continue button and log into AKO.

Select Email in your AKO main page, and you'll get another error message. Do the same thing as before -- check the box, set the settings to Always Trust, click Continue, and now you're in your AKO email. You can log out now or just leave it open. It doesn't matter.

Open up Keychain Access in /Applications -> Utilities. Select Certificates in the left hand menu. The main section of the window should list webmail.us.army.mil and www.us.army.mil as two of your certificates (possibly among others). Select Import... from the File menu. Navigate to the location where you saved the four .cer files, and open each one.

Once the four certificate files are listed with the other certificates, you can quit Keychain Access. Test things by quitting Safari and opening it again: when you log in to AKO now, you won't get those error messages. But the real prize is this: you can set up Apple's Mail program to handle all your AKO email, and you'll be able to use all the nice filters, easy editing, and everything else that makes Mail the best email client (my opinion) I've ever seen.

To set up Mail for AKO, do the following. Open Mail (if it was open when you did all the certificate stuff, you'll need to quit it and reopen it). Select Preferences from the Mail menu. Click the plus sign in the lower left hand corner. Enter this info: Note that there are three tabs: Account Information, Mailbox Behaviors, and Advanced. In Account Information, click SMTP Server Settings and make sure the server port is 465, SSL is checked, and Authentication is Password. In the Advanced tab, be sure the port is 995, SSL is checked, and Authentication is Password.

All other settings are up to you. If you're using Tiger, go to Window -> Connection Doctor to test your settings. If the SMTP fails, you might need to call your tech support for your internet connection, and ask if you're allowed to use port 465 for SMTP. Supposedly, Earthlink, Mindspring, Prodigy, AT&T Worldnet, WestWorld Global, and COX@Home all have such a hitch. If so (I haven't tried to be sure), they say you need to uncheck SSL for the outgoing/SMTP server, change the port to 25, and change the servername to smtp.earthlink.net, smtp.prodigy.net, imailhost.worldnet.att.net, mail, or mail.wgn.net, respectively.

You should now have a slick and easy way to handle all the stuff that comes and goes through AKO. I really hope this helps somebody!



Mac OS X Hints
http://hints.macworld.com/article.php?story=2006061400134986