Re: 10.4.5 email problem: Where are my X509 CA certs stored?



Fred Moore wrote:
I'm having problems sending email using my email account's SSL server. When I attempt to send a message I get a warning like this concerning the Certificate Authority (CA) certificate for the server (paraphrase):

Unable to verify SSL server wdyllc.com. No root certificate for this server.

This started a couple of days after re-applying the 10.4.5 update from my hard drive. (I had to do the reapply because using Software Update caused other email problems which were fixed w/ the reapply.)

In the dialog box mentioned above, there is a button to 'View Certificate'. Presumably, this is the CA cert the server is sending me to validate itself by comparing to an X509Anchors CA cert stored somewhere on my hard drive. When I click it, it shows the certificate with a line added in red type,

'This certificate was signed by an unknown authority'

The email sysop sent me the Subject and Authority Key Identifiers for the 'invalid' cert to make sure the cert being displayed was what the server is sending. It was. When I checked Mail Help under certificate error, it says to import a valid certificate into the X509Anchors section of the Keychain Access utility. The sysop told me how to get a new valid 'Class 2' cert from a company called Valicert. When I tried to import it, Keychain Access tells me it already exists so I couldn't import it. Looking down the list of X509Anchor certs, I finally found three certs for Valicert (helpfully filed under H for http://www.valicert.com), one each Class 1, Class 2, & Class 3 (whatever that means). The details of each of these certs are different from the cert the SSL email server is sending for validation.

Q1: Any idea why the email CA cert has been labeled as invalid? It was working just a couple of days ago. All I've done in that time is run the cron scripts and repair perms (didn't find much).

Q2: To fix this, I thought about deleting the Valicert Class 2 cert and importing the new Class 2 one. However, before I delete anything I want to make a backup. Where are these certs stored? Is it in ~/Library/Keychain/<my user name>? This is a single file, most of which seems to be encoded so I can't tell if anything from Valicert is in there.

X509 certs and CAs are stored in your keychains. I'd use the fancy Keychain Access program to manipulate them. You can remove the invalid CAs from there.
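As an added example that is not part of the thread, the same Subject/Authority Key Identifier comparison Fred describes, done with openssl on constructed certificates: two anchors carry the identical name "Example Class 2 CA" (like the Valicert entries in X509Anchors) but only one of them issued the server cert, and only the key-identifier match plus a signature check tells them apart. The host name, CA name and all keys are made up here.

```shell
# Added example (not from the thread): compare the server cert's Authority
# Key Identifier with each anchor's Subject Key Identifier, then verify.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal req config so the example does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
EOF
# Two anchors with the SAME subject name but different key pairs, like the
# two "Class 2" certs in the thread; only ca_good issues the server cert.
for ca in ca_good ca_stale; do
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Class 2 CA" -keyout "$ca.key" -out "$ca.pem" 2>/dev/null
done
# Server cert (hypothetical host name), signed by ca_good, carrying an AKI.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=mail.example.test" -keyout srv.key -out srv.csr 2>/dev/null
printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext
openssl x509 -req -in srv.csr -CA ca_good.pem -CAkey ca_good.key \
  -CAcreateserial -days 1 -extfile leaf.ext -out srv.pem 2>/dev/null
# SKI / AKI of a cert as bare hex (output format of OpenSSL 1.1.1 and 3.x).
ski() { openssl x509 -in "$1" -noout -text | awk \
  '/Subject Key Identifier/{getline; gsub(/[ \t]/,""); print; exit}'; }
aki() { openssl x509 -in "$1" -noout -text | awk \
  '/Authority Key Identifier/{getline; gsub(/[ \t]/,""); sub(/^keyid:/,""); print; exit}'; }
# Pick the anchor whose SKI equals the leaf's AKI AND whose key verifies the
# leaf's signature; a matching name alone (what the Keychain list shows) is
# not enough, which is why the stale cert looks right but still fails.
find_issuer() {  # $1 = leaf cert, remaining args = candidate anchor files
  leaf=$1; shift; want=$(aki "$leaf")
  for ca in "$@"; do
    [ "$(ski "$ca")" = "$want" ] || continue
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 && { echo "$ca"; return 0; }
  done
  return 1
}
find_issuer srv.pem ca_stale.pem ca_good.pem   # prints: ca_good.pem
```

The same comparison against a real mail server's chain would use the certificate exported from the 'View Certificate' dialog in place of srv.pem and the anchors exported from Keychain Access in place of the ca_*.pem files.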