Managing keys and certificates in the Keychain

Oct 16, '07 07:30:00AM

Contributed by: pxcuth

Applications like Mail and Safari support the use of digital certificates for secure email and client SSL authentication. These applications use keys and certificates that are stored in the Keychain.

For example, to enable secure email with Mail, the basic steps are:

  1. Generate a key and certificate pair, using a product such as SimpleAuthority or the Certificate Assistant (see this hint)
  2. Import the key and certificate pair into the Keychain, such as by double clicking on the .p12 file
  3. Import the Certification Authority (CA) certificate into the X509Anchors keychain, so that certificates issued by this CA are trusted
  4. Mail automatically recognises that secure email is possible and provides options in the compose window to sign and/or encrypt.

Unlike most other security applications, there are no preference settings in Mail or Safari to choose which key and certificate to use. This can cause a problem with Mail if you have multiple certificates, for example if you are switching from one CA to another. In this case, you need to keep all your private keys in the Keychain to be able to decrypt old messages, but you only want your latest private key to be used to sign any new email messages.

Fortunately there is a solution. You can specify the trust level for each certificate using Keychain Access. Double-click on the certificates that you do not want to use, scroll down to the bottom of the certificate details to Trust Settings, click on the small arrow to expand the section, and configure the trust settings to "Never Trust." The private key remains available to decrypt data, but Mail will no longer use that certificate to generate new digital signatures.
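The same steps can be scripted with the `security` command-line tool instead of Keychain Access. This is an added example, not part of the hint; the file names and the login keychain path are assumptions, and the CA step uses per-user trust settings (`add-trusted-cert`) rather than the X509Anchors keychain the hint mentions.

```shell
#!/bin/sh
# Added example: command-line equivalents of the Keychain Access steps in the hint.
# Assumptions: identities live in the login keychain; file names are placeholders.
# With DRY_RUN=1 each function prints the command instead of running it, so the
# sequence can be reviewed before it changes any keychain.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 2: import the key and certificate pair (.p12) into the login keychain.
import_identity() {
    run security import "$1" -k "$KEYCHAIN" -f pkcs12
}

# Step 3: add the issuing CA certificate and mark it as a trusted root for this
# user, so certificates it issued are trusted (per-user trust settings, not X509Anchors).
trust_ca() {
    run security add-trusted-cert -r trustRoot -k "$KEYCHAIN" "$1"
}

# The hint's fix: mark a superseded certificate as "deny" for the S/MIME policy
# (the CLI form of "Never Trust"), so Mail stops signing with it while its private
# key stays in the keychain for decrypting old messages. The certificate is already
# in the keychain from the .p12 import, so no -k is needed here.
deny_for_smime() {
    run security add-trusted-cert -r deny -p smime "$1"
}

# Check: list only the identities the S/MIME policy still accepts (-v = valid only);
# the denied certificate should no longer appear.
list_smime_identities() {
    run security find-identity -p smime -v "$KEYCHAIN"
}

# Typical sequence (placeholder file names):
#   import_identity new-identity.p12; trust_ca my-ca.cer
#   deny_for_smime old-identity.cer; list_smime_identities
```

Run `DRY_RUN=1` first to print the exact commands, then re-run without it on the Mac where the keychain lives.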



Mac OS X Hints
http://hints.macworld.com/article.php?story=20071012043415287