Easily import self-signed SSL certificates
Authored by: yesno on May 12, '05 06:57:07PM

I'm afraid this doesn't work for whatever certificate type the US Army uses, and neither do the instructions on Chris Adam's site for converting between formats. If anyone wants to look at the cert that https://pop.us.army.mil issues and can tell me what is going on, please do. I have been trying to do this for at least 2 years now and no one has been able to help me.

I might do an Ask Metafilter on this, come to think of it.



Easily import self-signed SSL certificates
Authored by: ascorbic on May 13, '05 04:03:29AM

Shouldn't you be connecting to imap.us.army.mil? imap.us.army.mil, pop.us.army.mil and webmail.us.army.mil are all the same IP, but return different certificates depending on the port connected to.
What is the error that you get in mail?

---
--ascorbic - certified scurvy-free



Easily import self-signed SSL certificates
Authored by: thecloud on May 13, '05 03:48:38PM

Here's what's going on, and how to make it work:

1. The certificate being used for pop.us.army.mil is not actually issued to that host; it's issued to "webmail.us.army.mil". You get an error because this is a violation of the PKI standards: the host name you're connecting to does not match the one that has been certified. However, since "pop.us.army.mil" and "webmail.us.army.mil" and "imap.us.army.mil" all resolve to the same IP address, you can just connect to "webmail.us.army.mil" to avoid this error.

2. The certificate is issued by an intermediate CA certificate that isn't being found: "DOD CLASS 3 CA-4". In order for a certificate chain to be considered valid, all of the certificates in the chain need to be available, with the root certificate in the X509Anchors keychain. Fortunately, Apple ships the DOD certificates in Tiger, although they aren't active by default. To enable them, launch Keychain Access, choose Keychain List from the Edit menu, click the '+' button, then navigate to /System/Library/Keychains/X509Certificates and add that keychain to your list.

Once you've done this, you can use Safari to connect to "https://webmail.us.army.mil/". (Click the lock icon at the top right corner, and it will show you the complete certificate chain.)


