Certificates, Keychain and Directory Services

Starting with 10.4.3 iChat now generates X.509 certificates for all .Mac chat addresses to allow encrypted chats.

Those certificates can also be used to sign and encrypt all e-mails for your .Mac address in Mail.app. By default both sides need to send each other a signed e-mail so they get the other's certificate onto their keychains before they can exchange encrypted e-mails.

But Keychain.app allows you to query .Mac for any subscriber's certificate so you get a copy of the public key without the need to exchange messages first. Just turn on

[x] Search .Mac for Certificates

in Keychain Access' Preferences. This works just fine, you can even look at all your friends with .Mac addresses in your Address Book to see which ones already have a working certificate.

Now the second option in Keychain Access

[x] Search Directory Services for Certificates

makes me curious: How do I generate and store my own certificates for all my users in Directory Services? I haven't found any documentation on that so far and would really like to use this ASAP.

When I can generate all X.509 certificates for my domain and store them in Directory Services this would make life a lot easier.
So far we have used some free CA authority, but users tend to forget to renew their certs when the expiration warnings come in, and sooner or later half of them can no longer sign or encrypt their e-mail. When I can do the renewal myself and distribute them this way, this'll be a big improvement.

Norbert

PowerBook G4 17, Mac OS X (10.4.3)

Posted on Dec 13, 2005 6:25 AM


Feb 14, 2006 11:43 AM in response to Matthew Davidson

Matthew -

thanks for your reply. Unfortunately this AFP548 article explains a lot about rolling your own CA, but it does not give any hints on how to store the certificate data in the directory.

Marcel Bresink, author of several excellent books about Mac OS X (Server), gave me the hint that the following keys can be stored in an LDAP domain (information from "man DirectoryServiceAttributes"):

UserCertificate

Attribute containing the binary of the user's certificate.
Usually found in user records. The certificate is data which identifies a user.
This data is attested to by a known party, and can be independently verified
by a third party.

UserSMIMECertificate

Attribute containing the binary of the user's SMIME certificate.
Usually found in user records. The certificate is data which identifies a user.
This data is attested to by a known party, and can be independently verified
by a third party. SMIME certificates are often used for signed or encrypted emails.

UserPKCS12Data

Attribute containing binary data in PKCS #12 format.
Usually found in user records. The value can contain keys, certificates, and
other related information and is encrypted with a passphrase.


Perhaps someone else has already managed to fill those keys so Keychain Access on connected clients can retrieve the Certificates.

- Norbert
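An added example, not code from this thread or from Apple, of preparing the data for the attributes listed above. It converts a PEM certificate to DER, wraps the DER in an RFC 2849 LDIF modify record for `userCertificate;binary` (the same record shape serves `userSMIMECertificate;binary`), and reads the validity window straight out of the DER so an administrator can flag certificates that are about to expire before pushing them into the directory, which is the renewal problem from the first post. It uses only the Python standard library. The certificate it builds is a constructed placeholder: it has the X.509 DER layout but no real key or signature, and the DN `uid=norbert,cn=users,dc=example,dc=com` is an assumption; a real deployment would read a CA-issued `.pem` file instead.

```python
"""PEM -> DER -> RFC 2849 LDIF for userCertificate;binary, plus a validity
check.  Added example, standard library only.  sample_certificate() is a
CONSTRUCTED placeholder with the X.509 layout but no real key or signature;
it is not a .Mac or CA-issued certificate."""
import base64
import datetime
import re

UTC = datetime.timezone.utc

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, start, start + length

def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def sample_certificate(not_before=datetime.datetime(2005, 12, 13),
                       not_after=datetime.datetime(2006, 12, 13)):
    """Constructed placeholder (assumption): sha256WithRSAEncryption OID,
    CN=Example User, placeholder key bits and signature bits."""
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                      + tlv(0x0C, b"Example User"))))
    validity = tlv(0x30, utctime(not_before) + utctime(not_after))
    spki = tlv(0x30, sig_alg + tlv(0x03, b"\x00placeholder-key"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + sig_alg + name + validity + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00placeholder-sig"))

def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter) in UTC."""
    _, tbs_pos, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, tbs_pos)            # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                            # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)                # validity SEQUENCE
    times = []
    for _ in range(2):
        tag, start, pos = read_tlv(der, pos)
        text = der[start:pos].decode("ascii")
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
        times.append(datetime.datetime.strptime(text, fmt).replace(tzinfo=UTC))
    return times[0], times[1]

def expires_within(der, days, now):
    """True when notAfter is within `days` of `now` (a tz-aware datetime)."""
    return certificate_validity(der)[1] - now <= datetime.timedelta(days=days)

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def ldif_add_certificate(dn, der, attribute="userCertificate;binary"):
    """RFC 2849 modify record: '::' marks a base64 value, continuation lines
    begin with one space.  Works unchanged for userSMIMECertificate;binary."""
    b64 = base64.b64encode(der).decode()
    folded = "\n ".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return f"dn: {dn}\nchangetype: modify\nadd: {attribute}\n{attribute}:: {folded}\n-\n"

def ldif_attribute_value(ldif, attribute):
    """Unfold and decode one base64 attribute value back to bytes (verification)."""
    unfolded = ldif.replace("\n ", "")
    match = re.search(rf"^{re.escape(attribute)}:: (\S+)$", unfolded, re.M)
    return base64.b64decode(match.group(1)) if match else None

if __name__ == "__main__":
    der = pem_to_der(der_to_pem(sample_certificate()))   # as if read from a .pem file
    not_before, not_after = certificate_validity(der)
    print(f"valid {not_before:%Y-%m-%d} .. {not_after:%Y-%m-%d}")
    if expires_within(der, 30, datetime.datetime.now(UTC)):
        print("WARNING: certificate expires within 30 days; renew before publishing")
    print(ldif_add_certificate("uid=norbert,cn=users,dc=example,dc=com", der))  # assumed DN
```

The printed record can be fed to ldapmodify against the directory server. Only the public certificate belongs in `userCertificate` and `userSMIMECertificate`; `userPKCS12Data` is described in the man page as a passphrase-encrypted bundle that can also hold keys, and this script deliberately does not produce it, since placing private key material in a directory that every client can read is exactly what the passphrase requirement is meant to guard against.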


