Safari SSL Certificates selection dialog box

Yes, I have had success. I was totally unaware of this "New Identity Preference..." command until I saw your post, but using it very explicitly seems to work perfectly.

My setup:

* Imported main certificate --> works everywhere it should, secondary sites fail
* Imported secondary certificate --> main still works, secondary still fails (this is the same as past versions)

In keychain:

* ctrl-click on a certificate, set "New Identity Preference..."
* Type the full DNS name and URL prefix of a secondary site ( https://my.site, no need for a more explicit trailing path, though that may also work)
* Select secondary certificate (it's not the default selected, even if you ctrl-clicked on it to bring up the dialog) and confirm

--> secondary site now works with secondary certificate, everything else remains with primary certificate.

Less user friendly than I would like (it requires opening Keychain access and manually pasting URLs, and the errors when using the wrong certificates in Safari are still as cryptic as ever to the average user), but fully functional so far.

Yep. got the same problem.

This seems to be a bug in the certificate selection dialog in Safari. In my case it always uses the first certificate in the list.

As a workaround I exported the certificates that I didn't want to a file by selecting them and choosing "Export" from the file menu. Then I deleted the certificates from Keychain, so only the one I wanted remained. I then imported the other ones by dragging them into Safari.
Now the one I'd like to use is the topmost one in Keychain and will also be used in Safari.

Macbook Pro 15" Mac OS X (10.4.8)

Ok, I have now had success with this. I upgraded to 10.5.1 over the weekend, not sure if that helped or not. I'm no expert on this, but here's the steps I went through.

I'm trying to access a corporate email system (MS Exchange - Outlook Web Access), for which I have a Web Access type certificate. The certificate also needs an intermediate certificate authority.

The URL to access this is "https://mail.mycompany.com/Exchange"

I loaded the intermediate authority first, into the system keychain, and then loaded my personal certificate into my login keychain.

I then tested these were loaded and valid. To do this right click on the personal certificate and chose the "Evaluate" option. Click the SSL radio button, check the "Ask Host for Certificates" checkbox, and enter the host name in the "Host Name" text box, so for me this was "mail.mycompany.com" and click the continue button. if all is well you should see some info and in particular look for the "Certificate Status" which should be good and "Evaluation Status" which should be success.

Now that I knew my certificate was loaded and working, I then added the "Identity Preference". I first added one for "https://mail.mycompany.com/Exchange". Note I added this exactly as I've typed it, by trial and error I found if I missed out the "https://" it didn't work or if I put an extra "/" on the end it didn't work. I also found that during the login, the URL changes to begin with "https://mail.mycompany.com/Exchweb" and I also had to add an identity preference for this, again note the "https://" on the front and no "/" at the end. Without adding this second identity preferences, half way though the login process, I would again be prompted to allow use of my ".mac sharing certificate" to validate against this site.

So not sure exactly what is going on here. but clearly the logic by which safari selects the appropriate certificate is not working correctly, but you can force it to go to the correct certificates by being very specific with your identity preferences. If only Safari would prompt, when it's not sure, and allow you to automatically create/save these identity preferences as you go, life would be MUCH easier.

Dave

I've found a decent workaround to this issue. It's not a real solution, but it works.

I work for a company which has a certificate for each region - US, EU, and CN.

In Keychain Access, I had already imported the certificates I needed. What I did was I right-clicked on the Keychains box in the top left hand corner and created three new keychains: us, eu and cn. Then I dragged each certificate and private key from login into its own keychain.

Now, when I need to access any particular site, I drag the keychain with the certificate I need to the top of the Keychains list. Since Safari will take the first certificate it sees, it will take the first certificate in the first keychain in the list. Since I've only got one in each, as long as the correct keychain is at the top of the list, everything authenticates correctly.

The only thing that isn't possible with this system is to use more than one site at the same time.

It's a bit ugly, but it works. Apple should really fix this bug if they hope to make a strong impression in the enterprise market.

I've only tested this on Leopard, but I think it might work for Tiger too. I'll test it out on my Tiger machine tomorrow and let y'all know.

Smart card support in Safari was implemented to automatically select a certificate. This was a design choice to increase usability. Unfortunately, DOD PKI and others use multiple certificates on the card, making Safari unable to work with sites that request other than the first certificate on the card. More information at this thread:

http://lists.apple.com/archives/fed-talk/2007/Jan/msg00032.html

-- Brian

I've had the same issue where Safari tells me it can't establish a secure connection. Upon further analysis with a Sniffer I find it's sending the wrong certificate. My workaround has been to use Firefox, which maintains it's own certificate store, at least for this one site.

I've notices in Keychain that there is the ability to create 'identity preferences' and 'certificate preferences' (right click on a cert and you'll see the option). This would imply that you could force safari to use a particular certificate for the site you're connecting to. Unfortunately, I've tried setting these up and it still doesn't work.

I'd be interested to know if anyone else has had any success.

I have the same issue too. That workaround won't work in our case though because we need different certificates for different sites.

I hate Firefox because it is very un-integrated with the rest of Mac OS using it's own cert store, spelling, etc, however, it does handle this situation. This issue keeps our organization from being able to use Safari internally.

I really hope this gets fixed, but I'm not holding my breath because it's been a known bug for a few years now.

Well: guess what, it's not fixed in Leopard either.
And: by talking to some 'higher up' system programmer types
at Apple - while they might have this logged as a bug to track,
they don't intend on fixing it any time soon - or ever.
I've personally tracked it down to an implementation error
in the Keychain search routine - a minor code fix relative
to Safari - but since this means opening up Keychain, and
thus impacts all the other apps, they won't fix it.
Unless somebody even higher up steps in, Safari will remain
broken, for the forseeable future, with respect to certificates.
Anybody at Apple listening? Do you know that Safari doesn't meet
the W3C specs?

I have a similar issue, trying to access a corporate website. For me it doesn't allow me to select which certificate to use ( I currently have 4 different possibilities, although only one for the correct .com). it always assumes my .mac sharing certificate.

Was hopeful it would be fixed in Leopard, but alas still the same issue.

Workaround for web access is is to use firefox, which of course work flawlessly.

Also suspect this is the same reason that I cannot access our corporate exchange server from Apple Mail. So not sure it's just Safari that's broken, more likely some lower level SSL/Key chain selection/searching logic that's broken.

Well, I am disappointed but not surprised this continues to be a problem in the 3.0.2 release candidate.

This is the single issue which makes Safari unusable for me. Very disappointing that this issue is not a priority for Apple.

I'm having a similar issue. When the dialog comes up to choose a certificate for the website, it shows multiple instances of the same certificate. I select a seemingly random order, and each one gets denied. Then, suddenly one works, where I had chosen that cert before it didn't work.

Do you think this is associated with the same bug? The cert only exists once in Keychain and I have reset the Keychain multiple times to see if it was an issue there. Still, the same behavior.

Thanks for any input.

Hello,

I'm having a similar problem too. I have a couple of keys/certificates in my keychain. However, I'm not able to get Safari to ask me for which one to choose.
How do you get a selection dialog? Is there a box to tick somewhere? (Both certificates come from the same CA in my case).

Thanks.

I really have little understanding about this thread because all I get is a notice from the website saying that my browser does not have 128 bit SSL security so I cannot use this or that aspect. It only happens occasionally. However, I cannot figure this out as teh security selection in preferences for Safari don't give a lot of options. I have the "Ask before sending a secure form" checked.

I'm not sure whether I am having the same problem or if it is a different one. I don't know if I've ever seen a window with certificates in it. Nor can I seem to find one.

Hi,
well, this sounds promising! How, though, do you get that dialog to pop up?
Do the SSL certs in keychain have to be set to 'ask permission?' anything else?
Because I can't get any dialog of this sort to pop up in Safari. And I can't
get the ctl-click on crts to pop up any sort of dialog box in Keychain either.
So I must be doing something stupid.
It would be a *big help* if you could please tell us the exact sequence
of steps required and the exact cert permissions settings to get this
behavior, because it certainly sounds like the answer to the problems that
have been plaguing folks like me wrt using safari and multiple ssl certs...
(unless this works only under leopard... i am running safari 3.0.3, but on 10.4.10)

thank you!

I ctrl-clicked on the certificate I wanted to use and the "identity preference" is one of the options, 'certificate preference' is shown if it's a root cert. The certs are set to confirm before allowing access, but I don't think it matters. I'm using Leopard. I never noticed if this option was available in Tiger.