Posts: 10, From: Toronto, Registered: Nov 9, 2007
Re: Safari SSL Certificates selection dialog box
Posted: Nov 12, 2007 6:41 PM, in response to: katokop1
I haven't had success yet. My browser insists on using the '.mac sharing certificate' when I try to connect to my site, no matter what I put in the identity preference. I thought it might be because the keychain also has a default identity preference which points to the .mac certificate, but deleting the default preference didn't do anything for me. I'll keep trying.
Mac Pro
Mac OS X (10.5)

Posts: 4, Registered: Nov 5, 2007
Re: Safari SSL Certificates selection dialog box
Posted: Nov 13, 2007 2:30 PM, in response to: OLAUser
Thanks.
I don't think it's available in Tiger. I am checking now to see if it's
10.5 only....
Mac OS X (10.4.10)

Posts: 4, Registered: Nov 5, 2007
Re: Safari SSL Certificates selection dialog box
Posted: Nov 13, 2007 7:08 PM, in response to: OLAUser
So I've checked, and this ctl-click feature has only just become available
in Leopard (OS X 10.5). It's not in the earlier versions.
Even so, I still cannot get Safari to work properly w/ multiple certs.
I tried flushing all of the certs on my system, starting from scratch,
and assigning URLs to the 'secondary' master and intermediate certs
as described above, and Safari still cannot connect to the URLs 'securely'.
That's why I'd really like to have a detailed report from the people who have succeeded:
- what, exactly, were the permission settings on the primary certs? (System,
always trust, etc.)
- what, exactly, were the permission settings on the secondary certs?
- what certs, exactly, were selected in order to gain access to the previously
unaccessible URL? Was it an https: site? or just http: ? How many certs did
you have to change the 'identity' of? Just one secondary, or the main secondary
and its intermediates? And so forth.
It's frustrating to come so close to a solution and yet still have it out of reach.
thanks

Posts: 33, Registered: Aug 17, 2004
Re: Safari SSL Certificates selection dialog box
Posted: Nov 19, 2007 9:15 AM, in response to: rcberwick
Ok, I have now had success with this. I upgraded to 10.5.1 over the weekend, not sure if that helped or not. I'm no expert on this, but here's the steps I went through.
I'm trying to access a corporate email system (MS Exchange - Outlook Web Access), for which I have a Web Access type certificate. The certificate also needs an intermediate certificate authority.
The URL to access this is "https://mail.mycompany.com/Exchange"
I loaded the intermediate authority first, into the system keychain, and then loaded my personal certificate into my login keychain.
I then tested these were loaded and valid. To do this, right-click on the personal certificate and choose the "Evaluate" option. Click the SSL radio button, check the "Ask Host for Certificates" checkbox, and enter the host name in the "Host Name" text box, so for me this was "mail.mycompany.com" and click the continue button. If all is well you should see some info and in particular look for the "Certificate Status" which should be good and "Evaluation Status" which should be success.
Now that I knew my certificate was loaded and working, I then added the "Identity Preference". I first added one for "https://mail.mycompany.com/Exchange". Note I added this exactly as I've typed it; by trial and error I found if I missed out the "https://" it didn't work or if I put an extra "/" on the end it didn't work. I also found that during the login, the URL changes to begin with "https://mail.mycompany.com/Exchweb" and I also had to add an identity preference for this, again note the "https://" on the front and no "/" at the end. Without adding this second identity preference, halfway through the login process, I would again be prompted to allow use of my ".mac sharing certificate" to validate against this site.
So not sure exactly what is going on here, but clearly the logic by which Safari selects the appropriate certificate is not working correctly, but you can force it to go to the correct certificates by being very specific with your identity preferences. If only Safari would prompt, when it's not sure, and allow you to automatically create/save these identity preferences as you go, life would be MUCH easier.
Dave
G4 1.25 DP 2GB Ram
Mac OS X (10.4.3)
G4 800DP, G4 350, Centris 660AV, Macintosh Plus

Posts: 10, From: Toronto, Registered: Nov 9, 2007
Re: Safari SSL Certificates selection dialog box
Posted: Nov 19, 2007 7:02 PM, in response to: David B Brown 2
Thanks for this. Your reply put me in the right direction. I ended up having to add three identity certificates for my site.
I'm glad I can further reduce my reliance on Firefox, but this whole certificate issue with Safari belies the Apple mantra "It Just Works". The handling of certificates is one of two major deficiencies I find with Safari in comparison with the other modern browsers. Certificates with Firefox and IE "just work", without much additional configuration (IE will at least ask you what cert you want to use if it can't figure it out). It wouldn't be so bad if the Identity Preference was documented anywhere in the help files or Apple's site.
BTW the other thing I hate about Safari is the inability to change the default "Safe" files without using AppleScripts, Folder Actions or .plist files. Most other browsers let you do this from the GUI.
Mac Pro
Mac OS X (10.5)

Posts: 8, Registered: May 4, 2005
Re: Safari SSL Certificates selection dialog box
Posted: Nov 26, 2007 11:13 PM, in response to: OLAUser
Smart card support in Safari was implemented to automatically select a certificate. This was a design choice to increase usability. Unfortunately, DOD PKI and others use multiple certificates on the card, making Safari unable to work with sites that request other than the first certificate on the card. More information at this thread:
http://lists.apple.com/archives/fed-talk/2007/Jan/msg00032.html
MacBook 2.2 GHz
Mac OS X (10.5.1)

Posts: 10, From: Toronto, Registered: Nov 9, 2007
Re: Safari SSL Certificates selection dialog box
Posted: Nov 30, 2007 4:52 PM, in response to: Brian McCaffrey
What about situations where you don't use a smart card, just certificates?
Further to my last post, I thought I had solved the problem with four identity preferences. Unfortunately, clicking on any link in the page would result in the "can't establish a secure connection" error. After I added my 6th or 7th identity preference for the same site, I gave up and went back to Firefox.
Does anybody know any way to wildcard anything past the domain name? I tried the usual * and ?, but these don't work.
Mac Pro
Mac OS X (10.5)

Posts: 2, Registered: Jan 12, 2008
Re: Safari SSL Certificates selection dialog box
Posted: Jan 12, 2008 3:33 PM, in response to: OLAUser
Hi, OLAUser,
could you please teach me how to change the default "Safe" files using AppleScripts, Folder Actions or .plist files? I really would like to have some files to open automatically after download, especially .pps files, and Safari doesn't recognize such files as "safe". I tried to find out reading the help files but got lost.
I really appreciate your help. Thanks.
Mac OS X (10.4.11)

Posts: 1, From: West Hollywood, CA, Registered: Mar 8, 2008
Re: Safari SSL Certificates selection dialog box
Posted: Mar 8, 2008 10:23 AM, in response to: adesai
I've found a decent workaround to this issue. It's not a real solution, but it works.
I work for a company which has a certificate for each region - US, EU, and CN.
In Keychain Access, I had already imported the certificates I needed. What I did was I right-clicked on the Keychains box in the top left hand corner and created three new keychains: us, eu and cn. Then I dragged each certificate and private key from login into its own keychain.
Now, when I need to access any particular site, I drag the keychain with the certificate I need to the top of the Keychains list. Since Safari will take the first certificate it sees, it will take the first certificate in the first keychain in the list. Since I've only got one in each, as long as the correct keychain is at the top of the list, everything authenticates correctly.
The only thing that isn't possible with this system is to use more than one site at the same time.
It's a bit ugly, but it works. Apple should really fix this bug if they hope to make a strong impression in the enterprise market.
I've only tested this on Leopard, but I think it might work for Tiger too. I'll test it out on my Tiger machine tomorrow and let y'all know.
Mac OS X (10.5.2)