TidBITS Talk

Certificates in my Keychain

jacks_email - 02:16pm Feb 5, 2007 PST

Hi. I was cleaning out my keychain passwords, and I noticed I had several 'certificates' from places I've never heard of. Like originating in Cape Town, ZA (wherever that is). I don't usually buy anything except from Amazon.

Two or so months ago I stopped using Safari and went full time to Firefox. I never noticed certificates during the years before when I only used Safari.

Bottom line--what's a certificate, and what's it doing in my Keychain bank? Is it permission for some company in Cape Town, ZA to put a cookie of sorts on my computer? If I have a certificate in my keychain, does that mean that my computer's at risk? Or is it simply a suitcase sticker of sorts, and isn't risky at all. I'm only alarmed in that I thought I was the ONLY person who could add to my keychains, but Cape Town did a few and I didn't realize it.

Thanks for all the future comments.

Jack

R.A. Hettinga (apparently) - Feb 6, 2007 12:34 am (#1 Total: 8)
Re: Certificates in my Keychain
At 11:16 PM +0200 2/5/07, jacks_email wrote:
>Like originating in Cape Town, ZA (wherever that is).
Like, maybe, from Thawte?
At one time the world's second largest certification authority, next to
Verisign. That's why Verisign bought them in 1999, making the owner, Mark
Shuttleworth, South Africa's (ZA) first actual dollar billionaire after a
little more dot-bubble stock-appreciation madness. Not bad from a startup
out of college in the proverbial parent's garage.
He then turned around and bought himself the second commercial trip to the
space station, and is currently fronting the Ubuntu project, speaking of
Firefox, etc.
Cheers,
RAH
--
-----------------
R. A. Hettinga <mailto: rah  ibuc.com>

baltwo (apparently) - Feb 6, 2007 12:34 am (#2 Total: 8)
Re: Certificates in my Keychain
On 02/06/07, jacks_email wrote:
>Bottom line--what's a certificate, and what's it doing in my Keychain bank?
Keychain Access->Help->Certificates has a lot of information on them. You can
unlock the lock and delete any one of them.

Chris Pepper (apparently) - Feb 6, 2007 12:34 am (#3 Total: 8)
Re: Certificates in my Keychain
At 11:16 PM +0200 2007/02/05, jacks_email wrote:
>Hi. I was cleaning out my keychain passwords, and I noticed I had
>several 'certificates' from places I've never heard of. Like
>originating in Cape Town, ZA (wherever that is). I don't usually buy
>anything except from Amazon.
>
>Two or so months ago I stopped using Safari and went full time to
>Firefox. I never noticed certificates during the years before when I
>only used Safari.
>
>Bottom line--what's a certificate, and what's it doing in my
>Keychain bank? Is it permission for some company in Cape Town, ZA to
>put a cookie of sorts on my computer? If I have a certificate in my
>keychain, does that mean that my computer's at risk? Or is it simply
>a suitcase sticker of sorts, and isn't risky at all. I'm only
>alarmed in that I thought I was the ONLY person who could add to my
>keychains, but Cape Town did a few and I didn't realize it.
>
>Thanks for all the future comments.

Was it Thawte?

Every SSL site you go to (that isn't using a self-signed
certificate) is signed by a certificate from a Certification
Authority. VeriSign is the most famous, and they have since bought
Thawte and GeoTrust and probably others.

All SSL-enabled browsers ship with a 'bundle' of default SSL
certificates, and sites signed by those certificates get the "secure"
lock icon in your web browser. This is how Safari/Firefox/IE knows to
trust Amazon, your bank, etc.

Since Safari and Mail.app are integrated into the system (Web
Kit, Keychain, etc.), they use certificates from the Apple Keychain.
Firefox is not integrated, and has its own cert store.

The standard bundled certs normally live in a system
keychain, not your personal keychain, and should generally not be
deleted, although if you don't use Safari or Mail.app for SSL it
might not matter. If you browse through the Firefox preferences, you
should be able to find a similar bundle of certs.

Chris
--
Chris Pepper: < http://www.reppep.com/~pepper/>
< http://www.extrapepperoni.com/>
Rockefeller University: < http://www.rockefeller.edu/>

rowil (apparently) - Feb 6, 2007 10:06 pm (#4 Total: 8)
Re: Certificates in my Keychain
At 2007-02-05 23:34 -0800 John Baltutis wrote:
>On 02/06/07, jacks_email wrote:
>
>>Bottom line--what's a certificate, and what's it doing in my Keychain bank?
>
>Keychain Access->Help->Certificates has a lot of information on them
John - or anyone else who knows - is there some sort of problem in
Safari with installing certificates? I received a certificate from
the guru of a site where I've been setting up a MySQL database. He
gave me the certificate he issued so I could have secure access
using phpMyAdmin. I followed all the instructions I could find
relating to certificates, keychain, Safari, etc and put it where
suggested - but I still get a warning message every time I go to his
server. Maybe it's something that has been addressed in newer
versions; I'm on OS X 10.3.9, Safari 1.3.2, Keychain Access 3.1.4. I
can't remember if I tried another browser - I think Opera or Firefox
might have been happy with it, but I do prefer to stick with Safari
if I can.
regards
Rowland
--
| Wilma & Rowland Carson http://home.clara.net/rowil/
| <rowil  clara.net> ... that's Rowland with a 'w' ...

Chris Page (apparently) - Feb 7, 2007 11:56 am (#5 Total: 8)
Re: Certificates in my Keychain
On Feb 6, 2007, at 21:06 PM, Rowland & Wilma Carson wrote:
> John - or anyone else who knows - is there some sort of problem in
> Safari with installing certificates? ... I still get a warning
> message every time I go to his server.

What warning message?

Without knowing what the message is, my guess would be that he
provided you with either a self-signed certificate or a certificate
issued by a certificate authority (CA) whose certificate you do not
have.

Digital certificates establish trust in a hierarchy. To verify a
given certificate you must be able to verify a certificate for the
issuer of that certificate, and for the issuer of the issuer, etc.,
until you reach a “root” certificate that you implicitly trust.

Mac OS X comes with a set of root certificates for popular
certificate issuers, e.g. VeriSign, enabling you to verify any
certificate that refers to them. If a website has a certificate that
was issued by a CA not in that list, you'll need to get a copy of the
certificate for the CA and put it in the list of root certificates in
your keychain. They're normally located in the “X509Anchors” keychain.

It's also possible the website uses a “self-signed” certificate. This
is a certificate that is its own root certificate and is not issued
by any CA. If someone gives you their self-signed certificate, you
implicitly trust it as much as you trust that person is who they say
they are and that the certificate they gave you is the correct one.

Whether or not a self-signed certificate is trusted by a given piece
of software depends on that software and whether it gives you some
means for telling it whether to trust the certificate. There is some
built-in support in Mac OS X for indicating whether you trust a given
certificate (self-signed or not) and recent versions of Safari in
particular have an “always trust this certificate” checkbox that it
displays if you encounter an SSL certificate it cannot verify on its
own.

--
Chris Page - Moderate Moderate
Moderation in all things. This includes moderation.

jwblist (apparently) - Feb 8, 2007 12:46 am (#6 Total: 8)
Re: Certificates in my Keychain
On Feb 7, 2007, at 10:56 AM, Chris Page wrote:
> Whether or not a self-signed certificate is trusted by a given piece
> of software depends on that software and whether it gives you some
> means for telling it whether to trust the certificate. There is some
> built-in support in Mac OS X for indicating whether you trust a given
> certificate (self-signed or not) and recent versions of Safari in
> particular have an “always trust this certificate” checkbox that it
> displays if you encounter an SSL certificate it cannot verify on its
> own.
However, Safari has ignored my best attempts to tell it to allow our
self-signed certificates (used only in-house). I've given up and
just click through each time I go to our pages the first time after
starting Safari.
--John

PMHK (apparently) - Feb 8, 2007 10:29 am (#7 Total: 8)
Re: Certificates in my Keychain
On Thu, February 8, 2007 07:46, johnbaxterlists  mac.com wrote:
> However, Safari has ignored my best attempts to tell it to allow our
> self-signed certificates (used only in-house). I've given up and
> just click through each time I go to our pages the first time after
> starting Safari.

I managed to get this to work after a bit of fiddling, a couple of
pointers that might help (apologies if you've been round these loops
already).

1) The certificate that you have to add is not the web site's certificate
but the certificate that you use to sign it (Safari is trying to match
this to its list of Certifying Authorities). To create and sign my
certificates I followed the instructions here:
http://developer.apple.com/server/security_ssl.html
As it is mainly command line, I should imagine it works under 10.4 as well
as 10.3?

2) I used the .pem file, which was generated when creating a certificate
for a signing authority, this must be added to the 'x509 Anchors' keychain
on the computers that you wish to recognise it. I seem to remember (it
was a little while ago) I did this simply by double clicking on the file
in the finder, this then gives an option as to which keychain to add it
to, I think 'x509 Anchors' was the default.

3) Should you want to install it as a recognised certifying authority
under Windows you simply have to change the file extension from .pem to
.cer which Windows then recognises as a certificate, double clicking on
this file, should bring up a wizard to import it into Internet Explorer.

It can also be worth extending the length of validity so that you don't
have to try and remember how to do it all again in 12 months' time!

Regards,
Patrick,
--
Patrick Keene,
pmhk  pmhk.co.uk
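
Added example, not part of the thread: the chain check Chris Page describes and the point in Patrick Keene's item 1, reproduced with Go's standard `crypto/x509` verifier standing in for the keychain (it is not Safari's logic). The `issue` and `verify` helpers and the `*.example.test` names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for a constructed test name; nil parent = self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // key-usage extensions omitted for brevity
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, signer = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced
	return cert, key
}

// verify checks that cert chains to one of the anchors (the "X509Anchors" role).
func verify(cert *x509.Certificate, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool() // explicit pool, so system roots are not consulted
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: cert.Subject.CommonName})
	return err
}

func main() {
	ca, caKey := issue("ca.example.test", true, nil, nil)
	site, _ := issue("db.example.test", false, ca, caKey)
	self, _ := issue("wiki.example.test", false, nil, nil)
	// Order: site alone, site with CA as anchor, self-signed alone, self-signed pinned.
	fmt.Println(verify(site), verify(site, ca), verify(self), verify(self, self))
}
```

The first and third results are "certificate signed by unknown authority" errors; the second and fourth are `<nil>`, because the in-house CA certificate (or the explicitly trusted self-signed certificate) is present among the anchors.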

jwblist (apparently) - Feb 8, 2007 2:45 pm (#8 Total: 8)
Re: Certificates in my Keychain
On Feb 8, 2007, at 9:29 AM, Patrick Keene wrote:
> I managed to get this to work after a bit of fiddling, a couple of
> pointers that might help (apologies if you've been round these loops
> already).
>
> 1) The certificate that you have to add is not the web site's
> certificate
> but the certificate that you use to sign it (Safari is trying to match
> this to its list of Certifying Authorities). To create and sign my
> certificates I followed the instructions here:
I haven't tried to add our authority to Safari's list. By best
efforts I meant clicking the "always trust this certificate" option,
which Safari studiously ignores (why is it there?).
Actually adding the needed certificate is more trouble than it's
worth, to me, even though I have access to it.
--John