10.3: Importing self-signed SSL certificates
Authored by: johnpg on Oct 28, '03 01:32:43PM
The Apple KB article says:

Mail will continue to ask if you want to accept an SSL certificate each time it opens if the certificate is an expired server certificate or is signed by an unknown certificate authority.

In other words, it won't work for self-signed certificates. I tried, and even set it to always trust, but it still asks each time.

I also had the mail crashing problem someone else reported, but to get around that I just downloaded the cert directly (it's from my server).

I wish there was just a simple "always accept this" checkbox.

John

[ Reply to This | # ]

10.3: Importing self-signed SSL certificates
Authored by: snark on Oct 28, '03 04:17:20PM

The Keychain / X509Anchors tip above does not help with the actual SSL certificates but rather works for CA (Certificate Authority) certificates - that is: certificates used to sign other certificates...

So you need to create two certificates yourself: one CA and one actual SSL certificate for use in your imapd (or httpd or whatever). Use the private part of the CA to sign the other and hand the public part of the CA certificate out to all clients.



[ Reply to This | # ]
10.3: Importing self-signed SSL certificates
Authored by: dhaveconfig on Oct 29, '03 05:11:42AM

No, you don't.

The above method works fine. You can EITHER import CA or host certificates to the X509Anchors file.



[ Reply to This | # ]
Didn't work for me.
Authored by: porkchop_d_clown on Nov 02, '03 04:05:40PM

I imported the self-signed cert and I'm still getting the warning every time I start Mail.

---
Everyone loves a clown, but no one will lend him money!



[ Reply to This | # ]
Didn't work for me.
Authored by: leif on Feb 15, '04 07:49:50PM

Me too.

I used the openssl command to generate the X509 cert from my .pem file on the mailserver, and imported it to the x509 anchors in Keychain Access. Mail still whines every time it opens.

I was also unable to option-drag the cert from Mail's warning dialog; using the option key, I get a generic document icon to drag, but it doesn't save to the desktop when I drop it there. If I don't hold down option I get a useless text clipping with the contents of the certificate information field.

On another Mac also running Panther, option-dragging caused the system to briefly hang, and in a strange graphics error, the document icon now remains above all other applications, unclickable and useless.

A "remember this cert" button in the mail client would certainly be a nice thing to have.



[ Reply to This | # ]
Steps in KB article worked for me
Authored by: garybu0 on Oct 28, '03 04:23:05PM

The steps in the KB article add the self-signed cert to the list of root certs. Mail.app should not warn after following the steps in the article. At least, it didn't for the three machines I tried it on.



[ Reply to This | # ]
Steps in KB article worked for me
Authored by: legacyb4 on Aug 25, '04 02:43:33AM
This really is the key point for getting Mail to stop complaining about self-signed SSL certificates.

What needs to be added to the x509Anchors file is the server root certificate and NOT the certificate used to actually encrypt the mail traffic.

Having forgotten this while setting up my new desktop cost me a half hour of lost sleep...

[ Reply to This | # ]

10.3: Importing self-signed SSL certificates
Authored by: BraindeadMac on Oct 28, '03 07:35:15PM

I had this problem, too. That's because the "Common Name" field must match the host name you are trying to connect to... a lot of hints out there (err, including one of mine) suggest you use your own common name for that field when making a self-signed certificate. However, if you enter the machine host name instead when prompted for Common Name by openssl when creating the certificate (e.g., localhost or 127.0.0.1 or whatever) the certificate will be recognized as valid. That's a run-on sentence, but hopefully you'll get the idea.



[ Reply to This | # ]
10.3: Importing self-signed SSL certificates
Authored by: jrdavidson on Jan 22, '04 07:24:06PM

Ok - I'll bite. I have three certs from my company's PKI infrastructure:

a. the root CA cert (cn=rootca.company.com)
b. the CA cert (cn=ca.company.com)
c. my public key cert (cn=Lastname,Firstname MI.)
d. my private key (no cn)

On which of these must the cn match the mailserver? The root?

Thanks.

John



[ Reply to This | # ]
10.3: Importing self-signed SSL certificates
Authored by: dsweet0626 on Jan 04, '04 02:47:10PM

I ran into the same problem where even though I had imported the self-signed cert into Keychain Access I was still getting prompted each time I accessed my mail.

The solution for me was to make a new cert and change its CN (common name). The CN should exactly match the hostname you are accessing to get your mail.

In my case it was mail.tgd-inc.com.

I hope my solution works for you.

---
That is all.



[ Reply to This | # ]
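
The setup that snark and the later posters describe (a private CA that signs a server certificate whose CN is the mail host name), as an added example that is not from any poster in this thread. It assumes the OpenSSL command line (1.1.1 or later); `Example Mail CA`, `mail.example.com` and the file names are placeholders.

```shell
#!/bin/sh
# Added example: private CA + server certificate, then the two checks a client makes.
# "Example Mail CA" and mail.example.com are placeholder names.

# make_ca DIR: create a self-signed CA certificate (ca.pem) and its key (ca.key).
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_server_cert DIR HOST: server key + CSR with CN=HOST, signed by the CA key.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/server.pem" 2>/dev/null
}

# chain_ok DIR: does server.pem verify when ca.pem is the trusted root?
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" 2>/dev/null | grep -q ': OK$'
}

# host_ok DIR HOST: does the certificate name match the host the client connects to?
host_ok() {
    openssl x509 -in "$1/server.pem" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo run in a throwaway directory.
dir=$(mktemp -d)
make_ca "$dir" && make_server_cert "$dir" mail.example.com
chain_ok "$dir" && echo "chain: server.pem verifies against ca.pem"
host_ok "$dir" mail.example.com && echo "name: matches mail.example.com"
host_ok "$dir" localhost || echo "name: does NOT match localhost"
rm -rf "$dir"
```

`ca.pem` is the file clients import as a trusted root; `ca.key` and `server.key` stay on the machines that generated them. `-checkhost` falls back to the CN here only because this certificate carries no subjectAltName, which is what current TLS clients match on.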