Re: ?10.4.5 email problem: Where are my X509 CA certs stored?
- From: Fred Moore <fmoore@xxxxxxxx>
- Date: Fri, 03 Mar 2006 20:16:05 GMT
In article <tY%Nf.13556$43.5023@xxxxxxxxxxxxxxx!nnrp1.uunet.ca>,
"void * clvrmnky()" <clvrmnky.invalid@xxxxxxxxxxxxxxxxxxx> wrote:
> Fred Moore wrote:
>> I'm having problems sending email using my email account's SSL server.
>> When I attempt to send a message I get a warning like this concerning
>> the Certificate Authority (CA) certificate for the server (paraphrase):
>>
>> Unable to verify SSL server wdyllc.com. No root certificate for this
>> server.
>>
>> This started a couple of days after re-applying the 10.4.5 update from
>> my hard drive. (I had to do the reapply because using Software Update
>> caused other email problems which were fixed w/ the reapply.)
>>
>> In the dialog box mentioned above, there is a button to 'View
>> Certificate'. Presumably, this is the CA cert the server is sending me
>> to validate itself by comparing to an X509Anchors CA cert stored
>> somewhere on my hard drive. When I click it, it shows the certificate
>> with a line added in red type,
>>
>> 'This certificate was signed by an unknown authority'
>>
>> The email sysop sent me the Subject and Authority Key Identifiers for
>> the 'invalid' cert to make sure the cert being displayed was what the
>> server is sending. It was. When I checked Mail Help under certificate
>> error, it says to import a valid certificate into the X509Anchors
>> section of the Keychain Access utility. The sysop told me how to get a
>> new valid 'Class 2' cert from a company called Valicert. When I tried to
>> import it, Keychain Access tells me it already exists so I couldn't
>> import it. Looking down the list of X509Anchor certs, I finally found
>> three certs for Valicert (helpfully filed under H for
>> http://www.valicert.com), one each Class 1, Class 2, & Class 3 (whatever
>> that means). The details of each of these certs are different from the
>> cert the SSL email server is sending for validation.
>>
>> Q1: Any idea why the email CA cert has been labeled as invalid? It was
>> working just a couple of days ago. All I've done in that time is run the
>> cron scripts and repair perms (didn't find much).
>>
>> Q2: To fix this, I thought about deleting the Valicert Class 2 cert and
>> importing the new Class 2 one. However, before I delete anything I want
>> to make a backup. Where are these certs stored? Is it in
>> ~/Library/Keychain/<my user name>? This is a single file, most of which
>> seems to be encoded so I can't tell if anything from Valicert is in
>> there.
>
> X509 certs and CAs are stored in your keychains. I'd use the fancy
> Keychain Access program to manipulate them. You can remove the invalid
> CAs from there.

Thanks for the reply. Can I back up just one cert or do I have to back up
the entire file, ~/Library/Keychain/<my user name>? Doesn't seem to be
any way to break out the individual certs.
--Fred