How to Set Up Encrypted Mail on Mac OS X
Preparing the Keychain
This step is optional, but I recommend that you follow it. Indeed, although most users use the Keychain without even thinking about it, this application has some features that can greatly enhance the security of your data.
A Keychain is, in fact, an encrypted file that contains sensitive information like passwords, secure notes, and yes, private keys.
When you log in, Mac OS X's default behavior is to "unlock" the keychain. In other words, it decrypts the file.
When a Mac OS X application needs a password, it automatically asks the Keychain for it. If the keychain is unlocked, Mac OS X will look at the access authorizations for the password.
If it is set to "Allow all applications to access this item," it will give the password to the application silently. Or, if you have it set to "Confirm before allowing access," it will ask for your permission first.
This is a very secure system, since you can set the access authorizations yourself -- Mac OS X pre-sets them for you if you don't want to deal with this.
However, since private keys are so important, we want to keep them in a "locked keychain" (encrypted file) that we will only unlock on demand.
Sure, we could change the Mac OS X default behavior and not unlock Keychain automatically at login, but this is not convenient for our less secure passwords such as Safari auto-fills and mail accounts. For them, having the Keychain unlock itself automatically and setting access authorizations on a password-by-password basis should be enough. However, you be the judge.
Therefore, we are going to create an additional keychain where we are only going to store our certificates. In order to do so, open the "Keychain access" utility, located in the "Utilities" folder.
Then use the "File" menu to create a new Keychain. Give it a good name and click on create. The next step is to create a good keychain password. Again, this password is as important as your Thawte account password but should not be the same. You should also be able to learn it by heart since you will have to type it to use your certificates.
Here's a tip: use the Keychain Access "View" menu to select "Show status in Menu Bar." This will be handy later on.
Now that the Keychain is created, minimize the "Keychain Access" window and go back to Mozilla.
The Transfer Process
To transfer the certificate, you will first need to access the certificates manager.
In order to do so, use the "Mozilla Firebird" menu to open the "Preferences" sheet. Then click on "Advanced" and use the disclosure box located next to the "Certificates" item if needed. Finally, click on "Manage Certificates."
The window that appears will show you all your key pairs. Select the one you want to export and click on "Backup." This will tell Mozilla to package the pair into an (encrypted) file and to save a copy of it somewhere where you can access it directly.
Give the backup file a name and save it onto the Desktop. Then pick a password for it. The password can be weaker than the others -- but not too weak, of course. You do not need to write it down, but simply to remember it for 2 minutes.
Once the file is on your desktop, you can quit Mozilla. Now double-click on the file as if you wanted to open it. This will launch (or unminimize) Keychain Access and it will ask where you want to import it.
Select the Keychain that you just created and click on "OK." The Keychain will now contain your private key and the associated certificates.
Certificates contain no secrets and are made public when you send a signed mail. There is therefore no need to protect them better than what we have done.
Your private key, however, is very important. To protect it even better, we are going to restrict access to it. To do so, click on it once and select "Access control" in the bottom half of the window.
In the panel that appears, deselect "Allow all applications" and pick "Confirm before allowing access." Now, Mac OS X will prompt you for confirmation before allowing an application to access the private key, even when the Keychain is unlocked.
The most paranoid of us (in the positive sense of the term) will want to check the "Ask for keychain password" box. When this option is selected, Mac OS X will ask you for the keychain password before allowing access to the private key even when the keychain is unlocked.
There is one minor drawback that you should be aware of. With this method, when you want to send a signed mail, Mail will begin the signing process, ask for your permission before fetching the certificate, and then send the mail. If you, for any reason, deny access to the certificate, the recipient will receive a mail with a message stating that the signature wasn't verified successfully, leading him to think that the mail has been tampered with.
Finally, drag the backup file created by Mozilla to the Trash and use the "Finder" menu to "secure empty" it. If you want, you can remove the certificate from Mozilla's certificate manager -- since you do not want to keep unneeded copies of such sensitive files on your hard drive.
You can now safely quit the Keychain Access application.
Before sending signed mails, use the "Keychain" menu to unlock the keychain that contains your private key and certificates, although you can also do that on-the-fly while sending the mails. When you are done, use the menu again to lock the Keychain, greatly enhancing the security of your keys.
Using Mail
Now that we have gone through this lengthy process, we can go back to the typical Apple way of doing things.
It's now time to fire up Mail and to click on the "New" button to create a blank mail. Mail will automatically detect that you are the proud owner of a certificate and display a button on the top right of the mail-composing window.
If you have multiple accounts in Mail, you will need to use the "Account" pop-up menu to select the account that the certificate is associated with before being able to see the button.
Signing Messages
The mail-composing process does not change at all. Just make sure that the button is selected (it is filled with a dark gray color and contains a checkmark in a black badge). This means that the message will be signed when you send it.
If you do not want to sign a message, click on the button. The color lightens and the badge contains a small cross.
You can send signed messages to everyone. Mail will send the message along with the necessary elements for the other computer to check your signature -- your public key.
Receiving Signed Messages
You receive signed messages like any other ones. The only difference lies in the last header of the message, displayed at the top of the window. You will see a header containing the small "Signed" badge, indicating that this is indeed a signed message.
If the message does not contain the public key or has been modified by a malicious user, a big yellow band will appear at the top of the message window, stating that Mail was unable to verify the message signature. This is usually a bad sign and should ring warning bells immediately.
As soon as you receive a signed message, Mail will import the sender's certificate into your login keychain.
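As an added example (not code from the article or from Apple), the following standard-library Python script shows the structural step a mail client takes before it can verify an S/MIME signature: it classifies a raw message as plain, clear-signed, opaque-signed or encrypted and, for a multipart/signed message, recovers the exact bytes the detached signature covers (the inner MIME entity in CRLF canonical form) and their micalg digest. It does not verify the CMS signature itself, and the sample messages and base64 blobs are constructed placeholders; it also shows that changing a byte inside the signed part changes the digest, whereas text added around the signed part by a forwarder leaves the digest untouched and is simply not covered by the signature.

```python
"""Structural S/MIME inspector for raw RFC 5322 messages (standard library only).

For multipart/signed mail it recovers the exact bytes the detached signature covers
and their micalg digest; verifying the CMS signature over that digest is NOT done
here (that is the step Mail performs before showing "Signed" or the yellow band).
"""
import email
import hashlib
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class SmimeStatus:
    kind: str                            # plain / clear-signed / opaque-signed / encrypted / malformed-signed
    micalg: Optional[str] = None         # digest algorithm named in the Content-Type header
    digest: Optional[str] = None         # hex digest of the canonical signed entity
    signed_bytes: Optional[bytes] = None
    covers_whole_message: bool = True    # False when the signed entity is nested inside other content


def _parts(raw: bytes, boundary: str) -> list:
    """Split a multipart entity into raw parts (headers + body), per RFC 2046: a part
    ends before the CRLF preceding the next delimiter; that CRLF is not signed."""
    delim = b"--" + boundary.encode()
    parts, pos = [], raw.find(delim)
    while pos >= 0:
        start = raw.find(b"\n", pos) + 1
        nxt = raw.find(b"\n" + delim, start)
        if nxt < 0:
            break                                  # truncated: no closing delimiter
        end = nxt - 1 if raw[nxt - 1:nxt] == b"\r" else nxt
        parts.append(raw[start:end])
        pos = nxt + 1
        if raw.startswith(delim + b"--", pos):     # closing delimiter reached
            break
    return parts


def _canonical(entity: bytes) -> bytes:
    # Signatures are computed over the MIME-canonical form: CRLF line endings.
    return entity.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def inspect(raw: bytes) -> SmimeStatus:
    msg = email.message_from_bytes(raw)
    ctype = msg.get_content_type()
    boundary = msg.get_boundary()

    if ctype == "multipart/signed":
        if msg.get_param("protocol") != "application/pkcs7-signature":
            return SmimeStatus("plain")            # e.g. PGP/MIME, not S/MIME
        parts = _parts(raw, boundary) if boundary else []
        if len(parts) != 2:                        # must be signed entity + detached signature
            return SmimeStatus("malformed-signed")
        micalg = str(msg.get_param("micalg", "sha1"))
        signed = _canonical(parts[0])
        algo = micalg.lower().replace("-", "")     # "sha-256" -> hashlib's "sha256"
        return SmimeStatus("clear-signed", micalg, hashlib.new(algo, signed).hexdigest(), signed)

    if ctype == "application/pkcs7-mime":
        smime_type = str(msg.get_param("smime-type", "")).lower()
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return SmimeStatus("encrypted")        # an inner signature is only visible after decryption
        return SmimeStatus("opaque-signed" if smime_type == "signed-data" else "plain")

    if msg.is_multipart() and boundary:
        # A forwarder or list may wrap the signed entity in new content: anything
        # outside it (a note put in front, a footer) is not covered by the signature.
        for part in _parts(raw, boundary):
            inner = inspect(part)
            if inner.kind != "plain":
                return replace(inner, covers_whole_message=False)
    return SmimeStatus("plain")


# Constructed samples (not real mail; the base64 blobs are placeholders, not CMS data).
_HDR = b"From: alice@example.com\r\nTo: bob@example.com\r\nMIME-Version: 1.0\r\n"
_SIG = (b"Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\nQ09OU1RSVUNURUQ=\r\n")
SIGNED_ENTITY = (
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b'\tmicalg=sha1; boundary="Apple-Mail-1"\r\n\r\n'
    b"--Apple-Mail-1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nasdf\r\n"
    b"--Apple-Mail-1\r\n" + _SIG + b"--Apple-Mail-1--\r\n"
)
SAMPLE_SIGNED = _HDR + SIGNED_ENTITY
# The same signed entity re-sent inside multipart/mixed with a line of text added in front.
SAMPLE_FORWARDED = (
    _HDR + b'Content-Type: multipart/mixed; boundary="Outer-1"\r\n\r\n'
    b"--Outer-1\r\nContent-Type: text/plain\r\n\r\njkl;\r\n"
    b"--Outer-1\r\n" + SIGNED_ENTITY + b"--Outer-1--\r\n"
)
SAMPLE_ENCRYPTED = (
    _HDR + b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
    b' name="smime.p7m"\r\nContent-Transfer-Encoding: base64\r\n\r\nQ09OU1RSVUNURUQ=\r\n'
)
```

Call `inspect()` on the raw bytes of a message; a `clear-signed` result with `covers_whole_message` False means the signature vouches only for `signed_bytes`, not for the rest of what was delivered.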
Sending Encrypted Messages
Remember: to send an encrypted message, Mail needs the recipient's public key, so that the recipient can then decrypt the message with his private key. Therefore, you can only send encrypted messages to people whose public keys you already have in your Keychain.
The easiest way to obtain someone's public key and immediately send this person encrypted messages is to ask her to send you a signed message. Upon arrival, Mail will store the certificate in the keychain and allow you to encrypt messages that you send to this person.
The process is exactly the same as when signing messages. However, this time you need to pay attention to a second button: the one with a padlock icon on it.
The padlock can be unlocked (the message won't be encrypted) or locked (the message will be encrypted).
You can send an encrypted message without signing it. However, this is not really a good thing to do since the message you are sending is probably important, and adding an authenticity check to it greatly improves the security of the transfer.
Receiving an Encrypted Message
In typical Apple fashion, receiving an encrypted message is completely transparent. When you open the message, you will immediately be able to see its contents, and this leads some users to think that the process failed.
However, the security header will state that it has been encrypted during the transfer.
Final Thoughts
Although obtaining a certificate is not the most straightforward thing in the world, it's easy enough to do, as is installing the certificates you obtain.
Apple's implementation of S/MIME support in Mail allows every user, whether they are experienced or are using a Mac for the first time, to protect the mail they send by encrypting it. And that's a very good thing. Indeed, using certificates will greatly increase the security of mail communications by reducing (not eliminating) the risk of impersonation, and preventing mails from being tampered with.
Talk to people about mail certificates and signing and try to use this method as often as possible. The security and comfort it provides are great and, since it can be integrated into your everyday workflow without any difficulty, it can only be an improvement. Encourage them to get certificates and to use them too.
However, you should not forget that signing a mail is like signing a piece of paper. Sure, someone can falsify your signature like someone can steal your private key, but in most countries, you are held responsible for what you sign. A signed mail comes with legal consequences and you should take every single step you can to protect your private key. For example, do not use it on shared computers. Keys are not something to play with, but they definitely are something to use when you are serious about the integrity of your written communications.
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
-
Firefox Certificate Manager
2007-04-12 06:47:07 jasonedwards
I am new to this, please forgive me if this is a bad question.
What is the purpose of leaving the certificate in the Firefox Manager? I exported the certificate, saved it in a secure external drive and imported it to my keychain. Do I need to keep the certificate in Firefox for any reason or can I delete it?
Jay
-
Duplicate Certificates in Keychain
2007-04-12 06:41:27 jasonedwards
I requested, received and installed the Thawte Certificate as per the instructions of the article. After I exported the certificate from Firefox I imported it to a separate keychain (B). My default login keychain is called (A). Everything seems to work except...
I have 2 certificate in keychain A... although I imported the certificate to keychain B.
Keychain A (default) contains:
1) jasonedwards@myemail.com certificate
2) Thawte Personal Freemail Issuing CA expires 2013
Keychain B (the one I imported cert to) contains:
1) jasonedwards@myemail.com certificate (duplicate from A)
2) Thawte Personal Freemail Issuing CA expires 2013 (duplicate from A)
3) Thawte Personal Freemail CA expires 2020
My questions are...
Why do I have anything in A if I imported the cert to B?
Can I delete the certificates from A?
What are the differences/uses for the 3 different Certificates?
Thanks for the time,
Jay
-
Duplicate Certificates in Keychain
2007-04-12 07:53:47 jasonedwards
Ok so I am replying to my own question...
I think this happened because I sent myself a test message which then imported my public certificate info into my default keychain.
This brings me to one more question...
Is it ok to have all your public certificates stored in one keychain and have your private certificate and key stored in another?
-
Mail security icons inoperable
2006-03-10 10:38:34 Daniel_Possin
Hi -
I recently used your instructions to obtain a personal certificate from Thawte. I believe I've installed it correctly - it appears in my keychain etc. and, when I attempt to create a new signed message the appropriate icons appear but are inactive for some reason. I've tried obtaining new certificates using Firebird and Safari 2.0.3; I've checked my keychain with First Aid, and I've specified that the Mail program has permission to use the keychain certificates. Nothing has worked. I'm probably just doing something stupid, but can't figure out what.
Thanks for listening to my lament. I look forward to your reply.
Dan
-
Mail security icons inoperable
2006-08-26 11:41:29 PCheese
Do you have multiple accounts in Mail? Remember, the certificate is only valid for a specific email address. If the Accounts popup shows an email address other than the one that corresponds to the certificate, you will not be able to sign the email. Of course, you can log in to the Thawte website, add a new email address, and get a new certificate for it so you can sign email from each of your accounts.
-
Mail security icons inoperable
2006-03-10 11:54:25 FJ de Kermadec
Daniel,
First of all, thanks for taking the time to post. I am sorry to hear you are having issues with your certificate setup.
That is indeed a most interesting symptom and one I confess I have never been confronted to. The first thing I would recommend doing is to ensure that the address for which the certificates have been issued exactly matches your email address. Indeed, a discrepancy would prevent the process from taking place normally.
Also, just "for kicks", so to speak, you may want to momentarily move your login keychain out of your Keychain folder, then use Keychain First Aid to recreate a fresh one and try again. Should it solve your issue, chances are it was corrupted in a way that wasn't detectable at first sight (it happens). Should it not, just quit Keychain Access, delete the fresh Login keychain, replace it by your old one again and run Keychain First Aid one last time to smooth things back.
FJ
-
2006 - new issues
2006-02-16 00:27:28 Vicjoe
Now that it has been revealed that the US Gov't broadly surveils communications, particularly if they cross a border in or out of the USA, I have one question:
Does the US Government have the "master keys" or equivalent means of reading and or altering an encrypted e-mail message using the Thawte or other certification 3rd parties?
Thanks, I keenly await your reply.
-
2006 - New issues
2006-02-16 01:39:38 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to write, I really do appreciate it!
Whether or not some entity you deem dangerous holds the keys to decrypt your message will largely depend on the certificate authority you rely on to generate them. Indeed, as this entity provides you with both your private and public key, there is always a chance they may choose or be required by law to keep a copy of your keys.
I invite you to look up the license agreement of the authority you rely on and/or to contact them directly and ask this question. Indeed, as the pattern of laws varies greatly from state to state, country to country and depending on the chosen level of encryption, it is difficult for me to provide you with a general answer.
As a ground rule however, email encryption will not stop any government or determined individual from knowing what you are talking about. The questions are more along the lines of how fast they can retrieve the information and how determined they would be to do so.
FJ
-
Updates
2005-10-09 18:02:34 friendship1
Excellent Article. I am wondering if there have been any changes/updates to OS X, Mail, Safari, etc that need to be addressed. Additionally, there was an assumption that Mac users would use Thawte. Why and what other CA are there?
-
Updates
2005-10-10 02:51:28 FJ de Kermadec
Hi!
First of all, thank you very much for your kind words and for taking the time to post, I really do appreciate it!
Yes, there are a few updates but minor: now that Keychain Access allows users to export keychains and certificates, it may be less important to use Firefox in order to retrieve the certificates and keep a copy of the files in Netscape format. I would however still recommend that route, as it is time-tested and the only reliable way to keep a backup that would allow you to start from scratch.
Thawte was at the time very popular for issuing free valid certificates for personal e-mail use, making them an approachable solution. Relying on their services is of course not an obligation and other CAs do exist that will provide you with the files and warranties you need, although you may need to pay for an equivalent service.
As there are as many legal systems and restrictions concerning the use of certificates in various countries around the world as there are baguettes in a French bakery on a Sunday morning, I cannot really recommend someone in particular. I would suggest that you ask a local computer group, your system administrator at work or visit the Apple Discussions. In some countries, advice from a solicitor is also required.
FJ
-
Potential unsecure issue
2005-09-12 11:15:14 scott.gardner
I did a quick test to ensure the security of my email communication, as follows:
1. I sent an email from my digital-certificate signed email account (...@mac.com) to an alternate non-signed email account (...@yahoo.com), with the message body "asdf."
2. In my yahoo account, I redirected this email to a 3rd alternate non-signed email account (...@gmail.com), adding this text to the message body: jkl;
3. In my gmail account I received the redirected email with the altered message body, yet still showing signed by ...@mac.com
It appears to me that this digital signature is not accurate, because the message was altered by the recipient and then re-directed to another email.
I've emailed Thawte a couple times and they haven't responded.
-
Little confused about multiple computers and same email
2005-09-02 18:12:15 jehrler
Well, I followed the tutorial and got some certs and that is working fine.
But, my wife and I share access to some emails (like sales! ones) and I want both of us to be able to sign and encrypt off the same email address off each of our computers
I created the cert using my main email address for sales and thought I could just copy the cert over to my wife's keychain for her to use it when she sends email from that same email account.
Doesn't work.
-
Little confused about multiple computers and same email
2005-09-03 03:02:03 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to post here! :^)
Certificates are linked to your e-mail address and, therefore, should work on multiple machines — although doing so increases the risk that your private key will be compromised.
However, in order to install the certificate on a second computer, you will need to copy the file you downloaded by using Firefox (the one you import in your Keychain) and not something that already is in your Keychain as doing so is likely to leave elements behind. Maybe one of the keys or certificates got lost in the transfer?
FJ
-
works with safari 1.2
2005-02-14 10:42:39 sammyjjr
Thanks for the informative and detailed article. It seems that now one can use safari. I used thawte and safari to get the certificates. Certificates were automatically put into my keychain. I created a separate keychain for my private certificate and dragged it there. I had some problem getting mail to recognize that I had a certificate so I temporarily allowed all applications to access the certificates which seemed to do the trick. The process of acquiring a certificate is also documented in Mail Help to some extent.
Best regards.
sammyjjr
-
works with safari 1.2
2005-02-14 10:46:39 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to write and for your kind words, I really do appreciate them! :^)
Yes, one can use Safari to download the certificates and install them in one step. Unfortunately, with the current Keychain/Safari combination, there is no way (that I am aware of at least) to backup your certificates and to extract them to transfer them onto another system if you decide to use this method. This is why, despite the recent Safari update, I would still advise to use Firefox to perform the certificate generation and downloading steps.
Truly yours,
FJ
-
works with safari 1.2
2005-02-14 11:37:33 sammyjjr
Thanks for the reply. Keychains are transferable to other systems. Should I not be able to transfer the keychain with the certificates to another computer running OS X at least?
best regards
sammyjjr
-
works with safari 1.2
2005-02-14 12:13:21 FJ de Kermadec
Hi again!
You're most welcome! :^)
Yes, you should be able to transfer the keychain to another Mac OS X machine.
The main problem with not having a re-importable copy of the certificate is that, should your keychain be corrupted or damaged (it unfortunately happens), you would have no way to get the keys back out into a workable setup. Should you only use your keys to sign your mail, this is of no real importance but should you use them to also encrypt mail, this means that you may never be able to decrypt these messages again. Of course, it is an unlikely situation but I have seen it happening (for reasons way beyond the control of the Keychain development team) and it could be an issue depending on the type of mails you exchange.
Truly yours,
FJ
-
LIFESAVER!!
2005-01-31 13:52:51 chels120
HI, I'm a student at the University of Florida and I am currently enrolled in a computers for business majors course. I am apparently the minority in that class due to my powerbook. Seems I am one of the only students with a Mac and therefore I am faced with many hurdles to overcome to successfully complete the course. I have to say, that if it wasn't for your step-by-step article, I would have been a fish out of water in my class. You have saved my project and my grade! Just wanted to say thank you!
Sincerely,
A Struggling Mac-lover
-
LIFESAVER!!
2005-01-31 14:05:15 FJ de Kermadec
Hi!
I am glad to hear that you found the article of help!
Thank you very much for taking the time to write and for your kind words, I really do appreciate them!
Congratulations on your project and grade! :^)
FJ
-
Can't get Mail to sign...
2004-10-18 10:23:22 RogerAlexander
I've managed to successfully obtain a Thawte certificate and keys for my email address. However, when I send a new message, I do not get the button for signing. Yes, I am sure that the email address for my account (only have one) and for the certificate are the same text and in the same case. I'm at a loss as what to do here? Any help would be greatly appreciated.
Suggestions?
-
Thank you very much
2004-10-15 00:14:05 Clytie
Thank you very much for your article, which I found very informative, and easy to follow. I had just set up GnuPG, to work with Mail among other things (via GPGMail), and the first person with whom I wanted to test this, turned out to be using the S/MIME protocol instead.
I now have both working, although I think S/MIME integrates better with Mail, since it is using its existing capability. You only have a couple of unobtrusive, small boxes at the upper-right of the window, rather than a whole bar across it. However, since both protocols will be in comparatively common use, I'm probably better off with both, than with only one.
Your article helped me to avoid the difficulties I would have had by using my current browsers (OmniWeb 5 and Safari) since they do not appear to have the certificate management capability temporarily required (although otherwise excellent). You made a rather complex and confusing process much easier to understand, and highlighted capabilities within Mail and OSX which I had evidently underused.
The postcard image is powerful: email seems so private, straight from me to you, almost instant. But in fact it is extremely public, and the sooner we become more aware of that, the more chance we have of protecting our own privacy.
Is there any likelihood that Apple will make the certificate-gaining process more transparent, more part of the OS? As a preference in Mail, for example, once you had enabled it in the Security prefs, it would be much more widely used.
Thank you again
from Clytie
-
You're very welcome
2004-10-15 00:36:00 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to post and for your kind words, I really do appreciate them! :-)
Being able to understand and use both systems (GNU and S/MIME) will indeed be of help and help you greatly for your future exchanges.
While I of course have no insider knowledge about what happens at Apple, I would think that issuing certificates is so heavily linked to country-specific legal issues that implementing such a feature would be relatively difficult. This is of course just a thought and (who knows), a system similar to the one you describe might be in the works...
Truly yours,
F.J.
-
multiple macs?
2004-09-15 18:13:45 jay o'frasca
hi -
thanks for the great article.
I have an imac and a powerbook... can i simply copy the certificates from my imac and put them into a keychain on my powerbook?
or is there a smarter more secure way for having multiple macs using the same certificates?
-
Multiple macs?
2004-09-15 21:21:45 FJ de Kermadec
Hi!
First of all, thank you very much for taking the time to post! :-)
The easiest and most secure way would be to copy the Firefox export file you created between your Macs and then to re-import it into your various keychains.
Let me know if this helps!
F.J.
-
how can i get my key pair from thawte again?
2004-09-05 18:39:18 jonmcauliffe
in the process of moving thawte-related keychain items to a new keychain, my private and public keys got deleted. how can i retrieve them from thawte?
-
how can i get my key pair from thawte again?
2004-09-05 21:36:58 FJ de Kermadec
Hi!
Would you have accidentally deleted your key pairs, I am afraid that there is no way to get it back from Thawte. Indeed, for security reasons, they only allow keys to be downloaded once.
You can however use your backup file from Firefox to re-import them into the Keychain.
Would you no longer have this file, you may have to revoke your existing certificates and get new ones. Just keep in mind that this may prevent you from opening any encrypted mails you may have in your mailboxes.
Let me know if this helps!
F.J.
-
Can't get it to work
2004-07-18 05:26:38 ShaunO
I think I have the certificate from thawte, but mail refuses to sign. I've checked the mail address in the certificate matches the account but no joy. Any suggestions?
-
Can't get it to work
2004-07-19 11:51:42 FJ de Kermadec
Hi !
First of all, thank you very much for taking the time to post, I really do appreciate it ! :-)
Would you be entirely sure that the e-mail address used on the certificate is the address of the account you are trying to use to send a signed mail, you may want to make sure that you have both keys and the CA certificate in your keychain. Indeed, would you only have one of the pieces, Mail won't be able to use them.
Also, you may want to use the "Keychain First Aid" utility, built into the "Keychain Access" utility to make sure that your keychain is not damaged.
Let me know if this helps !
F.J.
-
Entourage
2004-03-17 12:04:03 paolob
Does anybody know if i can use S/MIME and certificate also with Entourage or just with Mail? Thank you
-
Safari 1.2 works just fine
2004-03-04 18:19:30 slightly99
There's no need to go through the Mozilla Fire(fox) procedure - you can request your certificate through Safari 1.2 in Panther, and once you receive the email indicating that it's ready, click on the link in the mail, and the browser will export the certificate automatically to Keychain. You can then set up your separate "Certificates" keychain as the rest of the article instructs.
-
Safari 1.2 works just fine
2004-03-05 00:52:28 FJ de Kermadec
Hi !
First of all, thank you very much for taking the time to send me your feedback, I really do appreciate it !
I am aware of the changes to the process and of the new Safari update. Unfortunately, I cannot update the article myself and only my editor can access the published pages.
Thanks again !
F.J.
-
attachments don't work
2004-02-20 17:24:31 jesushouston
I had no trouble setting up the certificates and sending encrypted emails, but whenever I attach jpgs or other files my friends tell me they can't read them. I then have to resend the attachments, turning off the encryption. I am using OS 10.3.2
-
Attachments don't work
2004-02-21 09:12:01 FJ de Kermadec
Hi !
Ooops !
You should not experience issues while sending attachments with encrypted mails. However, some e-mail applications sometimes handle encryption in a slightly non-standard way and may experience issues when receiving files from other clients.
Of course, it is difficult to give you a very precise answer without having a look at the installations on both ends... May I suggest that you make sure that both you and your friends use the latest versions of your e-mail clients ? Also, they may want to try alternative e-mail applications like Mozilla Thunderbird -- even temporarily, as a test, to isolate the issue.
Would you still be unable to send encrypted attachments, may I suggest that you post on the Apple Discussions ? That way, many experienced Mail users will be able to help you...
Let me know if this helps !
F.J.
-
Moving Certs From Windows To Mac
2004-02-08 21:14:37 macthemes
I have a cert on my Windows machine, that I want to move over to my Mac. When I exported the cert, and then imported it in Keychain Access, I got my cert and my private key, but no public key. Apparently Mail won't let me sign things without a public key to go with the private key and the cert.
a) is there some way to extract the public key from the cert and add it to my keychain?
b) is there some way I can export my public key directly on the windows side and import it?
c) am I completely off base here?
Also, how does one use the "export" command in the file menu of keychain access to move keys/certs from one Mac to another?
-
Moving Certs From Windows To Mac
2004-02-09 09:39:43 macthemes
It actually appears that it may be due to a difference between my Verisign Cert and my Thawte cert. My Thawte cert works fine, my Verisign Cert doesn't. I've checked the case sensitivity issue. Is there a certain extension to the cert that Mail requires for it to function?
-
Can't get Keychain Access to accept Backup
2004-01-30 12:25:17 khirt
Everything worked perfectly until I tried to get the Backup to load. Info shows the file is Adobe Reader Digital ID File. If I force Keychain Access to open the file, Keychain Access launches but nothing happens. I am running OS 10.2.8 on a PowerBook G4. Any help would be appreciated.
Can't get Keychain Access to accept Backup
2004-01-31 02:40:51 FJ de Kermadec |
[Reply | View]
Hi !
That's interesting indeed !
Unfortunately, I do not use the Adobe application you name and, therefore, cannot give you detailed information about the interaction that may exist between it and the Keychain...
The first thing to do would be to create a new backup file from Mozilla Firebird in order to make sure that the one you are using is not corrupted in any way. Then, try to open it in the keychain by using different methods : double-click, drag-and-drop, changing the default application in the "Get Info" window... Indeed, these methods usually lead to slightly different results.
Also, S/MIME functionality has been added to Mail in Mac OS X v. 10.3 Panther. It is possible that Mac OS X v. 10.2 Jaguar handles such files differently.
Let me know if this helps,
F.J. -
Can't get Keychain Access to accept Backup
2004-01-31 04:17:36 khirt [Reply | View]
Double-clicking the new backup file now launches Keychain Access, but that is all. I never get asked where to import it or any other indication that the keychain contains my private key. Drag-and-drop to an open KA window gets rejected, and I am never asked for the password created for the backup file using any method. I am running Keychain Access 3.0, and the backup file was created by Firebird 0.8.0+. -
Can't get Keychain Access to accept Backup
2004-01-31 06:51:14 FJ de Kermadec |
[Reply | View]
Hi !
The "Keychain Access" application included with Panther is version 3.1... There may be a difference between the Jaguar and Panther versions ?
May I suggest that you post in the "Jaguar" forums of the Apple Discussions ? That way, more Jaguar users will be able to help you troubleshoot this issue...
F.J.
-
Difficulty Installing Thawte Certificate in Netscape
2004-01-30 09:43:43 inetwsnet [Reply | View]
I attempted to install a certificate in both the most current Netscape and Firebird on two Macintoshes, one running 10.2.8 and the other 10.3.2. Both times clicking on the install link at Thawte does nothing. Trying it in Safari for the heck of it downloads an exe file to the desktop. I checked in the certificate manager in Netscape/Firebird and no certs are installed. Any help would be greatly appreciated since I am writing an article about this. -
Difficulty Installing Thawte Certificate in Netscape
2004-01-31 02:43:41 FJ de Kermadec |
[Reply | View]
Hi !
Would you not be able to use the certificate manager in Firebird, you may want to look for preferences settings that may prevent the certificate from being uploaded — no Java, no JavaScript, no cookies...
Also, you may want to clean-install one of these browsers on one of your computers in order to make sure that no corrupted component could prevent them from working normally.
Let me know if this helps,
F.J.
-
Allow Mail to use certificate
2004-01-28 23:07:20 maximus [Reply | View]
In Keychain you may still have the settings set so as to ask for a password in order to use the certificate AND not have to confirm the use of the certificate for Mail.
Having to confirm Mail to use the certificate each time (without password) is just a nuisance that does not add to security. The way to avoid that is to add Mail to the Access Control of the certificate so that Mail can use it if you have unlocked it and provided the password.
All other applications will instead have to have the password reissued if they want to use the certificate.
PS
Again, unless you have set the keychain so that you have to issue the password for every signed email, there is no added security in confirming Mail to send signed mail. It would be meaningful if denying access would send a regular email, but it is not the case: it sends what your recipient would take as a *tampered* email. -
Allow Mail to use certificate
2004-01-29 00:39:33 FJ de Kermadec |
[Reply | View]
Hi !
Having Mail ask for a password every time that you send a signed mail will prevent people who could gain local access to an open session from sending a signed mail — a coworker, for example.
Having Mail ask for a confirmation (without password) every time that you send a signed mail will at least prevent automated scripts (AppleScripts for example) from sending a signed mail without your consent.
That's why I suggested these settings in the article.
F.J.
-
Master Password for Software Security device?
2004-01-23 15:17:34 ftwilson [Reply | View]
Hello-
Running Firebird, I can't get past the step below:
" The window that appears will show you all your key pairs. Select the one you want to export and click on "Backup." This will tell Mozilla to package the pair into an (encrypted) file and to save a copy of it somewhere where you can access it directly.
Give the backup file a name and save it onto the Desktop. Then pick a password for it. The password can be weaker than the others -- but not too weak, of course. You do not need to write it down, but simply to remember it for 2 minutes. "
When I try to save the backup file, I get a dialog box asking for the "Master Password for the Software Security device." What to do?
Thanks! -
Master Password for Software Security device?
2004-01-23 15:22:27 FJ de Kermadec |
[Reply | View]
Hi !
Don't worry ! This should be easy to bypass !
When you first launched the certificate creation process, Mozilla must have asked you for a password for the certificates manager.
This is the exact same password : it tells Mozilla that you are allowed to extract the certificate.
F.J.
-
A flaw in the keychain process?
2004-01-23 12:35:23 mhelbing [Reply | View]
Following the instructions in the article for setting up a new keychain for managing S/MIME private keys, everything worked great for sending mail: every time I tried to send an encrypted message I was prompted for my keychain password. However, once Mail.app prompted me for my keychain password to *decrypt* an encrypted message, the message remained unencrypted on subsequent viewings, even after quitting Mail.app and restarting it. -
A flaw in the keychain process?
2004-01-23 13:15:54 FJ de Kermadec |
[Reply | View]
Hi !
In order to decrypt someone's message, you need his public key. This element is automatically stored by Mail in your login keychain.
The fact that Mail is unable to decrypt the message may indicate that this public key is missing or has become corrupted. You may want to ask the sender to send you a signed message and to read it (even if it is blank).
That way, Mail will re-import the certificate and should be able to display the encrypted message correctly. For additional security, remove the old public key from the Keychain first.
F.J. -
A flaw in the keychain process?
2004-01-23 15:00:24 mhelbing [Reply | View]
Perhaps I am not making myself clear.
1) I send myself an encrypted message. I must enter the keychain password to unlock my private key to encrypt the message. Perfect.
2) I check my mail and view the encrypted message. Before decrypting, I must again enter my keychain password. Perfect.
3) I select a non-encrypted message. I can read it as expected, with no keychain prompt.
4) I re-select the encrypted message. I am not prompted for my keychain password; the message is still decrypted. Not perfect. For this method to be secure, I would expect to enter my keychain password every time I view a message.
5) I quit Mail.app. I re-start Mail.app. I select the encrypted message. I am not prompted for my keychain password; the message is still decrypted. Not perfect. I would expect that quitting Mail.app.
6) I quit Mail.app and lock the keychain. Now when I re-open Mail.app and select the encrypted message I am prompted for my password.
Perhaps Mail.app caches decrypted messages until the keychain is locked. -
A flaw in the keychain process?
2004-01-28 23:16:49 maximus [Reply | View]
Did you try to set : "Ask for Keychain password" in addition to "Confirm before allowing access"?
What happens in what you describe is that Mail *knows* it is still you at the computer so it has no reason to ask again to decrypt unless - I suspect - you set the keychain to ask for the password each time. (that should cover your point 4)
As a measure of security you should lock the keychain again if you leave the computer unattended (if that was ultimately your concern) -
A flaw in the keychain process?
2004-02-25 14:28:42 nxnw [Reply | View]
"As a measure of security you should lock the keychain again if you leave the computer unattended (if that was ultimately your concern)"
That does not work.
The original poster is correct. Even if you lock your keychain, a message remains unencrypted (even if you close the message, even if you close the message browser) until you quit mail.
I think this is a design flaw.
-
Certificate Not Showing Up
2004-01-23 05:57:36 popezaphod [Reply | View]
I created a certificate at work without any problems. However, on my home machine when I go to fetch the certificate and then go to the Certificate Manager, no personal certificate appears. I have tried both Firebird and Mozilla and neither one shows a personal certificate for me to export.
(Granted, I can export it again at the office - I hope - and sneakernet it home, but I should be able to download it)
-
Certificate Not Showing Up
2004-01-23 06:09:26 FJ de Kermadec |
[Reply | View]
Hi !
You should indeed be able to export your certificate on your home Mac !
The first thing to do would be to perform a few maintenance and optimization tasks in order to make sure that no minor disk error or permissions issue could prevent Mac OS X from running normally. In order to do so, follow these steps :
• Boot from the Panther Install CD 1
• Use the Installer menu in order to open the "Disk Utility"
• Click on the "First Aid" tab and repair the hard drive
• Restart your computer
• Use the "Disk Utility" located in your "Utilities" folder to repair the permissions on the Mac OS X partition
Then, you may want to clean-install Mozilla or reset the contents of your certificates manager. Indeed, it is possible that this component is corrupted and therefore unable to store certificates normally.
Finally, make sure that nothing could prevent the browsers from processing the information normally — turning some features off, for example.
Let me know if this helps !
F.J. -
Certificate Not Showing Up
2004-01-23 07:40:14 popezaphod [Reply | View]
It's not showing up on my work machine anymore, either. It's like I can't fetch it a second time from anywhere. -
Certificate Not Showing Up
2004-01-23 07:45:54 FJ de Kermadec |
[Reply | View]
Hi !
Would you not be able to download the certificate a second time, you may want to simply copy your Keychain — or the key pair — from your work machine. You will be able to import the file on your home machine.
Your keychains are stored in :
[Home] -> Library -> Keychains
F.J.
-
Certificate digital in Portugal
2004-01-22 20:10:55 manuelsilva [Reply | View]
Dear Sirs.
I'm writing from Portugal.
The administration of justice and the lawyers communicate using mail with a digital certificate.
This certificate is from a Portuguese company (www.multicert.pt).
I use a Mac for work and after many, many, many ... hours on the computer, on the internet, at Apple Portugal, in ... my Mail (10.3.2) does not work with the certificate -
I do not see the certificate in Mail.
For me it is very complicated to do the process in Keychain Access.
In Mozilla it works fine.
PLEASE, is it possible to send me a Grab capture, step by step, of this part of the article
-Related Reading Therefore, we are going to create an additional keychain where we are only going to store our certificates. In order to do so, open the "Keychain access" utility, located in the "Utilities" folder. Then use the "File" menu to create a new Keychain. Give it a good name and click on create. The next step is to create a good keychain password. Again, this password is as
only Here's a tip: use the Keychain Access "View" menu to select "Show status in Menu Bar." This will be handy later on. Now that the Keychain is created, minimize the "Keychain Access"
Select the Keychain that you just created and click on "OK." The Keychain will now contain your private key and the associated certificates. Certificates contain no secrets and are made public when you send a signed mail. There is therefore no need to protect them better than what we have done. Your private key, however, is very important. To protect it even better, we are going to restrict access to it. To do so, click on it once and select "Access control" in the bottom half of the window. In the panel that appear, deselect "Allow all applications" and pick "Confirm before allowing access." Now, Mac OS X will prompt you for confirmation before allowing an application to access the private key, even when the Keychain is unlocked.
unlock the keychain that contains your private key and certificates, although you can also do that on-the-fly while sending the mails. When you are done, use the menu again to lock the Keychain, greatly enhancing the security of your keys. Using Mail Now that we have gone through this lengthy process, we can go back to the typical Apple way of doing things. It's now time to fire up Mail and to click on the "New" button to create a blank mail. Mail will automatically detect that you are the proud owner of a certificate and display a button on the top right of the mail-composing window.
Thanks
Manuel Silva
PS- Sorry, my English is horrible. -
Certificate digital in Portugal
2004-01-23 01:00:43 FJ de Kermadec |
[Reply | View]
Hi !
Creating an additional keychain is optional... By following the instructions step-by-step, you should be able to create it and set it up...
As mentioned in the article, you just have to double-click on the certificates backup file generated by Mozilla ( it should be stored on your desktop ) to import its contents. The dialog that will appear will allow you to pick in which Keychain you want to transfer its contents.
F.J. -
Certificate digital in Portugal not work
2004-01-25 08:34:28 manuelsilva [Reply | View]
Sorry, it does not work in Mail. I see the certificate in Keychain - public certificate, GTE CyberTrust Root, certificate of the Portuguese company and private key - but in Mail the additional button does not appear.
Thanks
Manuel Silva
PS - how do I put in the smart card in 10.3? In Mozilla the process is simple.
Manuel Silva
-
Certificate digital in Portugal not work
2004-01-25 09:23:05 FJ de Kermadec |
[Reply | View]
Hi !
Would you use a certificate from your own company or from a national company, you may need to add it to the list of certificates that Mac OS X trusts — it ships with a list of known certificates that can be expanded.
You should find a link about how to do that in the talkbacks on this page. Note however that I have not tried it myself.
About your smart card issues, may I suggest that you post on the Apple Discussions ? You will find lots of experienced users who will be able to help you in greater detail that we could here.
F.J.
-
Case sensitivity?
2004-01-22 09:01:57 mhelbing [Reply | View]
A friend just received his Thawte personal certificate yesterday (he is using Thunderbird on some flavor of Windows). When he sends me an email, Panther's Mail.app recognizes that his message is signed, but I see a yellow bar that says something like "Cannot verify message." I verified my Keychain, and it did successfully import my friend's certificate. The only inconsistency I notice is that his certificate uses some capital letters, but the "from:" header of his email uses all lowercase letters. Could this be the problem? -
Case sensitivity?
2004-11-23 13:34:16 legacyb4 [Reply | View]
Yes, case sensitivity seems to be an issue with verifying the signature in Mail. My outgoing work address on my Exchange server was set as UserName@domain.com and the certificate was registered to username@domain.com.
While Outlook didn't seem to mind, Mail balked at wanting to verify the signature; after correcting the outgoing address to all small caps, Mail now shows no warnings. -
Case sensitivity?
2004-01-22 09:34:11 FJ de Kermadec |
[Reply | View]
Hi !
This could indeed very well be the problem !
You may want to suggest to your friend to either get a new certificate for an all lowercase version of the address or to change the settings of his Mail.app so that the address is entered in the exact same way as on the certificate, caps included.
Let me know if this helps !
F.J.
-
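The comparison the posts in this thread describe, as an added example that is not part of the article or of Apple's Mail: a small Python checker that classifies how a From: address relates to the e-mail addresses a signer certificate was issued for. It works on plain address strings (no certificate parsing), and the addresses below are constructed to mirror the report above.

```python
"""Classify how a message's From: address relates to the e-mail addresses
in the signer's S/MIME certificate, the check the talkback above describes
failing in Mail.app when capitalization differs. Added example, not from
the article; certificate addresses are passed in as plain strings."""
from __future__ import annotations

from email.utils import parseaddr


def from_address(header_value: str) -> str:
    """Bare address from a From: header value, e.g. 'Jane <Jane@Example.com>'.
    parseaddr keeps the capitalization exactly as written in the header."""
    _display_name, addr = parseaddr(header_value)
    return addr


def split_address(addr: str) -> tuple[str, str]:
    """Split a mailbox address into (local-part, domain) at the last '@'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local, domain


def classify(cert_emails: list[str], header_value: str) -> str:
    """Return one of:
      'exact'              - byte-for-byte match, which is what Mail.app accepts
      'domain-case-only'   - only the domain differs in case; RFC 5321 makes
                             domains case-insensitive, so only a strict
                             string comparison fails here
      'local-part-case'    - the local-part differs in case; RFC 5321 lets the
                             receiving host treat that as a different mailbox,
                             so a strict verifier is defensible
      'not-in-certificate' - a different address altogether
    Raises ValueError if the header carries no parseable address."""
    addr = from_address(header_value)
    if addr in cert_emails:
        return "exact"
    h_local, h_domain = split_address(addr)
    verdict = "not-in-certificate"
    for cert_email in cert_emails:
        c_local, c_domain = split_address(cert_email)
        if c_domain.lower() != h_domain.lower():
            continue
        if c_local == h_local:
            return "domain-case-only"
        if c_local.lower() == h_local.lower():
            verdict = "local-part-case"
    return verdict


if __name__ == "__main__":
    # Constructed to mirror the report above: certificate issued to the
    # all-lowercase address, account configured with mixed case.
    cert = ["username@domain.com"]
    for hdr in ("User <username@domain.com>", "User <UserName@domain.com>",
                "User <username@DOMAIN.com>", "User <other@domain.com>"):
        print(f"{hdr:32} -> {classify(cert, hdr)}")
```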
Does Mail.app import a PGP public key?
2004-01-22 06:46:16 felipemacpress [Reply | View]
Hi, I managed to get a certificate and use it with Mail, but a friend of mine uses GnuPG to sign his messages.
Is it possible to import a public PGP key to my keychain so I can send him encrypted messages? Or does it only work with certificates like Thawte's? -
Does Mail.app import a PGP public key?
2004-01-22 07:00:14 popezaphod [Reply | View]
You can download and install GPGMail which incorporated GPG into Apple's Mail.app quite nicely:
http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html -
Does Mail.app import a PGP public key?
2004-01-22 06:56:18 FJ de Kermadec |
[Reply | View]
Hi !
Although PGP and S/MIME are both very effective systems, I am afraid that you would need to rely on a common technology to exchange certificates.
Since S/MIME certificates can be imported in the Keychain so easily, your friend may want to get one too from the CA of his choice.
Let me know if this helps !
F.J.
-
Run your own CA?
2004-01-22 06:46:01 greenergrad [Reply | View]
Is it possible to run your own CA if, say, you are in a university or corporate environment and want a good way to provide certificates to students or employees? Doesn't OS X include the open source tools necessary to do this? If so, how would they be used? -
Run your own CA?
2004-01-22 06:53:35 FJ de Kermadec |
[Reply | View]
Hi !
It is indeed possible to run your very own CA by using some Mac OS X built-in tools. However, in that case, you really would need to set up high standards and a very reliable trust system — something that sometimes cannot be done easily.
All the documentation that you need — much more than I could write in a Talkback — can be found on the ADC ( Apple Developer Connection ) web site for free.
Let me know if this helps !
F.J.
-
Doesn't Work :-/
2004-01-22 01:44:01 timb [Reply | View]
I purchased a S/MIME certificate from GeoTrust, and followed your instructions for installing it from Firebird. Mail.app doesn't seem to see it, but the cert and key show up in the Keychain (Timothy Brown, GeoTrust as a CA, 2048-bit...)
Any ideas?
-Tim -
Doesn't Work :-/
2004-01-22 01:48:51 FJ de Kermadec |
[Reply | View]
Hi !
Would you be sure that the certificate issued by GeoTrust uses the right format, you may want to check the following points :
• Is the Keychain in which your certificate is stored really imported in the Keychain Access application ?
• Is the certificate issued for the e-mail address that you are trying to use ?
• Do the address printed on the certificate and the one used by Mail.app use the same capitalization structure ?
Let me know if this helps !
F.J. -
Doesn't Work :-/
2004-01-22 02:23:09 timb [Reply | View]
I just have the private key and cert in my login Keychain.
So I have one item in the keychain called "Timothy Brown's GeoTrust Inc. ID" and for kind it says "private key, RSA, 2048-bit"
Then I have another item called "Timothy Brown", its common name is "Timothy Brown" and email is "sysop@timb.us". I checked these against what's in mail.app and it is correct...
Everything appears to be correct... it just doesn't work... I've tried it on my iBook as well, no go... :-/
The sad thing is I paid $20 for this cert... (The GeoTrust cert uses a voice verify system so it's a tad more "secure")
-Tim
-
At multiple accounts I...?
2004-01-21 17:04:12 drogue [Reply | View]
Followed your article all the way through, but I have multiple email accounts. Panther 10.3.2. Don't see anything about associating the certificate with a particular email account. What am I looking for? -
At multiple accounts I...?
2004-01-21 17:11:23 FJ de Kermadec |
[Reply | View]
Hi !
This is in fact very easy and you do not need to associate certificates with accounts manually.
Indeed, you just need to have a look at the e-mail address you give to Thawte ( or any other certification authority of your choice ) when you request the certificate.
This is the address that will be associated with the certificate.
Then, once you have your first certificate, provide an additional address to your CA and request another one... All the information that you need to do that may be found in the article or on Thawte's FAQ pages — see the links above.
Mail will automatically locate the various certificates in your Keychain and use the appropriate one with each e-mail address.
Let me know if this helps !
F.J.
-
Mail can sometimes use the keys, and sometimes not
2004-01-21 12:45:42 eepalmer [Reply | View]
I was able to import a few different private/public keys to my iBook (running 10.3.2) and it works like a champ. However, when I imported them to my desktop (also running 10.3.2), it would not recognise them. Mail would not give me the icons for sign or encrypt. Bummer.
What is interesting is how I can get the desktop to recognize the keys. I can mail myself a signed email from my iBook. I receive it on my desktop. Mail tells me, "Unable to verify message signature." If I click details, I get an error, "Unable to verify message signature." Strange.
What comes next is stranger. I click "Show Details," and it tells me about the certificate. Now, using the desktop I can write emails that allow me to sign and encrypt. It works great. However, when I quit the program, it forgets. -
Mail can sometimes use the keys, and sometimes not
2004-01-21 13:12:53 FJ de Kermadec |
[Reply | View]
Hi !
The fact that Mail doesn't recognize that certificates are ready to be used and is unable to store them in an efficient way may indicate that your Keychain is damaged...
The first thing to do would be to perform a few maintenance and optimization tasks in order to make sure that no minor disk error or permissions issue could prevent Mac OS X from running normally. In order to do so, follow these steps :
- Boot from the Panther Install CD 1
- Use the Installer menu in order to open the "Disk Utility"
- Click on the "First Aid" tab and repair the hard drive
- Restart your computer
- Use the "Disk Utility" located in your "Utilities" folder to repair the permissions on the Mac OS X partition
Then, try to create a new login Keychain, import your passwords and certificates in it and try again.
Let me know if this helps !
F.J.
I use an email alias, and my mail is configured to let me choose whether to send email from the alias or the account it directs mail to (let's call it main account). When I select the main account I am able to sign and encrypt messages, but when I select the alias, I can't. I have certificates for both in my keychain, but only one shows up in the "My certificates" category, the one that works fine. Is there a way to make the "alias" email send encrypted messages?
Thanks again for the wonderful article. I'd tried to sign/encrypt messages many times and never understood how to do it until I ran into your article.