[SmartcardServices-Users] two observed Snow Leopard anomalies relating to PKI/smartcard/certs

Reese, Brian, CTR, Fort Meade-IRM Brian.Reese.ctr at dma.mil
Tue Oct 4 13:02:31 PDT 2011


If you're just interested in the intermediate DoD certs, there's an easier
way than manually adding and trusting all of them. Go into Keychain Access
and add /System/Library/Keychains/SystemCACertificates.keychain to your
list of keychains. This keychain contains all the DoD intermediate certs
and some other intermediate certs that don't show up in Keychain Access by
default.

-Brian

On 10/4/11 3:54 PM, "Suzanne Stevens, Contractor, Code 5595"
<suzanne.stevens.ctr at nrl.navy.mil> wrote:

>A coworker and I also experienced trouble with trusting certificates
>in Snow Leopard.  The trust action would not succeed in Keychain Access
>and SSL stopped working elsewhere until I rebooted.  It seemed to happen
>only when my smart card (CAC) was in its reader.  Without the card in the
>reader, trusting certificates worked fine.  My coworker was also able to
>trust a certificate successfully after removing his CAC.
>
>I'm running Lion now and don't see the same behavior.  I trusted and
>untrusted a few times without any hanging or general messing up of my
>machine.
>
>-Suzanne
>
>
>On Oct 4, 2011, at 3:22 PM, David Emery wrote:
>
>> This should not be construed as a complaint (or a bug report), I'm
>>still trying to understand these (operating system is Snow Leopard fully
>>patched):
>> 
>> 1.  With PKard 1.1 installed, it seems that I cannot log onto my
>>account if it's FileVault protected.  I get something like 'account not
>>available'.  Removing the card and rebooting fixes that problem.
>> 
>> 2.  In Mail.app, if I get an email from someone whose Cert depends on a
>>DoD Intermediate Cert that is not loaded in Keychain.app (e.g. CA-25),
>>the message is marked as 'not trusted'.  If I click on that box and tell
>>Mail "always trust this cert", both Mail.app and Keychain.app hang.
>>This generally messes up the machine sufficiently that a reboot is
>>necessary.
>> 
>> Has anyone else observed these?
>> 
>> 		dave  
>> 
>> _______________________________________________
>> SmartcardServices-Users mailing list
>> SmartcardServices-Users at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
>


