
10.3: Even Easier way to manage Certificates
Authored by: sharumpe on Oct 28, '03 03:27:31PM

If you are an administrator on the machine, you can manage your certificates much more easily.

1) open Keychain Access
2) select the menu item: File--Add Keychain...
3) navigate to /System/Library/Keychains/
4) select X509Anchors and click 'Open'

Now you should have the X509Anchors item in your list of keychains. This is where Certificate Authority certificates should go. You can double-click your self-signed certificate (or better yet, the CA cert you signed it with), select "X509Anchors" from the selection list, and restart Safari. Your cert should be recognized now. You will have to enter your Administrator password at some point during the process (I can't remember exactly when).

If you need to remove certs, you can do that, too, though if you have not given your Administrator password, it will ask you for it.

I heartily thank Apple for making this possible, but they should now make it a default for the Keychain Access app, and should make the whole thing available through Safari.

Mr. Sharumpe

10.3: Even Easier way to manage Certificates
Authored by: telos on Nov 01, '03 07:28:27PM

This is a good hint as it allows you to manage the certs very easily. However, there is a bug if you do this:
try dragging a certificate to Keychain Access; a pop-up will appear asking you which keychain you would like to add the certificate to. Now there are four options instead of the usual three: user, X509 Anchors, system, X509 Anchors. As you can see, X509 Anchors appears twice!

10.3: Even Easier way to manage Certificates
Authored by: telos on Nov 01, '03 07:37:04PM

Fw: I just want to add that Mr Sharumpe's method is the most flawless and easiest of all. The .cer file produced by option-dragging the certificate from Mail (rather than manually created .pem, .crt, etc. files) is excellent for importing into the X509 Anchors keychain. Import of other files caused problems with Mail (even freeze).

10.3: Even Easier way to manage Certificates
Authored by: andrewc on Mar 18, '04 02:16:09AM

Read carefully -- one is the keychain you added (X509Anchors) and the other is the notion of X509 Anchors (for when you haven't added this keychain directly). I would guess they keep these somewhat hidden to avoid confusion. If you look in IE on Windows, the certificates are a little overwhelming. The Mac approach is cleaner since you rarely need to deal with adding a CA certificate (which is basically what the X509 Anchors represent).

Import error: 13
Authored by: Anonymous on Dec 17, '03 09:46:51PM

Seems like a very nice trick, but when I try to import my .cer file into the X509 keychain I get an error message that it could not import it and the number 13. However, I can import them in my login keychain without any problems (although they are not working). Any suggestions?

10.3: Even Easier way to manage Certificates
Authored by: dsmiley on Sep 03, '04 09:47:01PM

Wow, I've finally gotten it to work! Thanks for all your help. It took me a while, but I finally realized what I had to do was add the certificate to the X509 *Certificate* keychain (not the "Anchors" one noted here).

10.3: Even Easier way to manage Certificates
Authored by: mgiorget on Nov 11, '04 02:25:16PM

Hello, I am experiencing this problem with Apple Mail/Keychain: I am trying to add a certificate of a server, smtp; when I just accept it while trying to send the email, I get this message:
"Mail was unable to verify the identity of this server, which has a certificate issued to "xxx". The error was: The certificate for the server is invalid. You might be connecting to a computer that is pretending to be "xxx", and putting your confidential information at risk."
Do you think it is the server's fault?
And another question: if I try to add a certificate to Keychain, there is no X509 Anchor keychain; shall I just create a new keychain naming it like that or is there a better way?
Thank you
