
Managing keys and certificates in the Keychain (System 10.4)
Applications like Mail and Safari support the use of digital certificates for secure email and client SSL authentication. These applications use keys and certificates that are stored in the Keychain.

For example, to enable secure email with Mail, the basic steps are:
  1. Generate a key and certificate pair, using a product such as SimpleAuthority or the Certificate Assistant (see this hint)
  2. Import the key and certificate pair into the Keychain, such as by double clicking on the .p12 file
  3. Import the Certification Authority (CA) certificate into the X509Anchors keychain, so that certificates issued by this CA are trusted
  4. Mail automatically recognises that secure email is possible and provides options in the compose window to sign and/or encrypt.
Unlike most other security applications, there are no preference settings in Mail or Safari to choose which key and certificate to use. This can cause a problem with Mail if you have multiple certificates, for example if you are switching from one CA to another. In this case, you need to keep all your private keys in the Keychain to be able to decrypt old messages, but you only want your latest private key to be used to sign any new email messages.

Fortunately there is a solution. You can specify the trust level for each certificate using Keychain Access. Double-click on each certificate that you do not want to use, scroll down to the bottom of the certificate details to Trust Settings, click on the small arrow to expand the section, and set the trust setting to "Never Trust." The private key remains available to decrypt data, but the certificate can no longer be used to generate new digital signatures.
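The same steps can be scripted with the `security` command-line tool instead of the Keychain Access GUI. This is an added example, not part of the original hint; it assumes Mac OS X 10.5 or later (where trust settings live in the login and System keychains rather than X509Anchors, as the comments below note), and the file names are placeholders.

```shell
#!/bin/sh
# Added example: the hint's workflow using security(1) on Mac OS X 10.5+.
# Assumptions: default keychain paths below; .p12/.pem file names are placeholders.
set -eu

LOGIN_KC="$HOME/Library/Keychains/login.keychain"
SYSTEM_KC="/Library/Keychains/System.keychain"

need_security() {
  command -v security >/dev/null 2>&1 ||
    { echo "security(1) not found; run this on macOS" >&2; return 2; }
}

# Step 2: import a key+certificate pair (.p12) into the login keychain.
# -T grants Mail access to the private key; without it the keychain prompts
# the first time Mail asks for the key.
import_identity() {  # import_identity <file.p12> <passphrase>
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  need_security || return 2
  security import "$1" -k "$LOGIN_KC" -P "$2" -T /Applications/Mail.app
}

# Step 3: trust the issuing CA for all users on the host (admin trust domain,
# hence sudo). On 10.5+ this replaces importing into X509Anchors.
trust_ca() {  # trust_ca <ca.pem>
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  need_security || return 2
  sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KC" "$1"
}

# The hint's trick: mark a superseded certificate "Never Trust" (-r deny) so
# Mail stops signing with it, while its private key stays in the keychain and
# can still decrypt old messages.
deny_old_cert() {  # deny_old_cert <old-cert.pem>
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  need_security || return 2
  security add-trusted-cert -r deny -k "$LOGIN_KC" "$1"
}

# Confirm how the system now evaluates a certificate under the S/MIME policy:
# exit 0 means trusted, non-zero means denied or otherwise untrusted.
check_smime() {  # check_smime <cert.pem>
  need_security || return 2
  security verify-cert -c "$1" -p smime
}
```

Run `check_smime old-cert.pem` after `deny_old_cert` to confirm Mail will no longer treat the old certificate as valid for signing.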

Authored by: rspeed on Oct 16, '07 09:17:46AM

I believe this hint will be somewhat out of date in Mac OS X 10.5.

Authored by: stmoddell on Jun 24, '08 11:08:30AM

Certificate Assistant and adding CAs is still pretty much as directed here. The main difference is that X509 is no longer where these need to be added; they just go into the System keychain (if for all users on the host).

--- is it time for cocktails yet?
