10.5: Prevent SSL warnings for certain CA certificates

Nov 05, '07 07:30:02AM

Contributed by: Anonymous

If you have been using Mail to check mail through SSL on a server where the certificate was signed by a non-standard Certificate Authority (CA) like CACert, you've probably seen the warnings about the non-standard CA. In the pre-Leopard days, you used to be able to bypass the warning by simply saying OK and connecting through the warning. Well, in 10.5 that is no longer good enough. Now you will get the warning every time you connect.

To handle this, first import the root cert from the CA, if you have not already done so. This assumes you have been successfully checking mail on this account before. (You likely have already done this, since I believe in the upgrade from 10.3 to 10.4, you were required to do this.)

Second, you need to open up Keychain Access and search for the root cert that you imported; in my case it was CACert. Keychain will show a root cert in both the "x509Anchors" and the "login" keychains. Select the one in the "x509Anchors" keychain and double-click it. It should say along the top that the root cert is not trusted.

On the left-hand side, expand the Trust section by clicking the symbol next to the word Trust. Here you will be presented with a series of dropdowns, most of which should have "Use System Default" or "no value specified" preselected. You need to change the SSL entry to "always trust."

Exit Mail and Keychain Access, go back into Mail, and you should not be prompted again. Unless you know what you are doing, do not trust the certificate for any of the other roles it can authorize, because most third-party certificates do not verify identities. In other words, you can be satisfied that the identity (i.e., the server) is the same one you connected to yesterday, but you cannot be sure that the identity (i.e., the server) is who it has always claimed to be.

[robg adds: I haven't tested this one.]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20071027120127962