[SmartcardServices-Users] Searching Directory Services for certificates in Lion

Miller, Timothy J. tmiller at mitre.org
Mon Mar 5 05:26:02 PST 2012


I appreciate that, Shawn, but I can't help but feel if the system is bound to AD the setup script should make it Just Work for cached network accounts.   :)  Suffice to say it doesn't.  While I'm all for dropping Radar tickets, my experience with that has been, shall we say, not the best (it's a one-way information flow among other issues).

Basically, there seems to be a disconnect re: what Address Book does and Mail does.  Address Book seems fine, but when Mail goes to dereference addresses it won't pull the cert.  I need to be off VPN long enough to run some tests, but my current working theory is that Mail is expecting userSMIMECertificate to be populated, whereas Address Book looks for both userSMIMECertificate and userCertificate.

Lastly, does anyone know any plist majick to set a stronger default cipher suite for Mail to use?

-- T


On Mar 3, 2012, at 1:15 AM, Shawn Geddis wrote:

> Keep in mind that you need to have enabled this in Keychain Access by selecting the “Search directory services for certificates” and having the appropriate Directory Server configured via Directory Utility.  
> 
> If you have both KA & DU configured properly, you should file a bug and provide extensive profile/logging information.
> 
> Running the command line simply verifies that the system CAN locate a certificate, but be careful of the case sensitivity on the local part of the RFC822Name, as we have noted so many times on this list.  If you are trying to encrypt a message to someone and you are entering their address using an alternate version of the address (i.e. case variance), then Mail will not be able to locate and use the certificate.  
> 
>> Even searching the contact in the GAL displays the correct cert for the contact.
> 
> 
> What are you performing to do a search in the GAL: Address Book? dscl? Outlook?
> 
> - Shawn
> ________________________________________
> Shawn Geddis   
> Security Consulting Engineer 
> Apple Enterprise Division
> 
> On Feb 29, 2012, at 12:11 PM, Hoit, Daniel S. wrote:
>> Seeing the same issue here. Address Book works fine, but Mail won't pull from DS. If the cert's in the login keychain it works, but it's not working from DS.
>> 
>> 	--DH
>> 
>> On Feb 16, 2012, at 10:30 AM, JEFFREY COMPTON wrote:
>>> Is anyone else having trouble with Mail.app in Lion searching directory services for certificates?
>>> 
>>> From command line - it works like a charm - for example --
>>> 
>>> security find-certificate -e mycoworker@ourdomain.org -p > downloadedcert.pem; security import downloadedcert.pem -k login.keychain
>>> 
>>> But from Mail.app - no go.
>>> 
>>> Even searching the contact in the GAL displays the correct cert for the contact.
>>> 
>>> Thanks.
> _______________________________________________
> SmartcardServices-Users mailing list
> SmartcardServices-Users at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo.cgi/smartcardservices-users
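As an added example (not code from any poster on this thread), a small Python checker that encodes Tim's working theory and Shawn's case-sensitivity point against an LDIF export of a directory entry: the sample entry is constructed, and the rule that Mail only honours userSMIMECertificate while Address Book accepts userCertificate too is the thread's unconfirmed theory, treated here as an assumption.

```python
import base64

# Constructed LDIF entry (not real data); the certificate value is placeholder
# bytes, since only attribute presence and the mail value matter for this check.
_FAKE_DER = base64.b64encode(b"placeholder, not a real certificate").decode()
SAMPLE_LDIF = (
    "dn: uid=mycoworker,ou=people,dc=ourdomain,dc=org\n"
    "mail: MyCoworker@ourdomain.org\n"
    "userCertificate;binary:: " + _FAKE_DER + "\n"
)

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}: handles '::' base64
    values, folded continuation lines, and drops options such as ';binary'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.split(";")[0].lower()      # 'userCertificate;binary' -> 'usercertificate'
        if value.startswith(":"):              # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry

def address_matches(typed, stored):
    """RFC822 comparison as described on the list: local part must match
    exactly, only the domain is compared case-insensitively."""
    t_local, _, t_domain = typed.partition("@")
    s_local, _, s_domain = stored.partition("@")
    return t_local == s_local and t_domain.lower() == s_domain.lower()

def diagnose(ldif_text, typed_address):
    """Assumption (the thread's working theory): Address Book finds a cert in
    userCertificate or userSMIMECertificate, Mail only in userSMIMECertificate,
    and neither finds it if the typed address differs from the mail value."""
    entry = parse_ldif_entry(ldif_text)
    has_smime = bool(entry.get("usersmimecertificate"))
    has_user = bool(entry.get("usercertificate"))
    addr_ok = any(address_matches(typed_address, m) for m in entry.get("mail", []))
    return {
        "address_ok": addr_ok,
        "address_book_finds_cert": addr_ok and (has_smime or has_user),
        "mail_finds_cert": addr_ok and has_smime,
    }
```

Run `diagnose(SAMPLE_LDIF, "mycoworker@ourdomain.org")` to see the case-variance failure Shawn describes, and add a `userSMIMECertificate::` line to the sample to see the Mail result flip under the theory.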


