OS X and U of U Specific Info

By: Mike Yocom - Revised: 2006-05-23 devin

Introduction

Specific information about SSL, OS X, and the University of Utah.

Section Links

  1. Mac OS X
  2. Campus Resources

Mac OS X

Since part of the SSL handshake involves verifying the CA that issued the server's or client's certificate, it is possible to encounter a situation where a server really is trustworthy, but your computer thinks it's not because the CA doesn't happen to be in the list of trusted CAs. A good example of this is when a university sets up a root CA — a CA that isn't subordinate to any other CA. When a client connects to a server that has a certificate issued by the university's CA, or by a departmental CA that is subordinate to the university's CA, the client will be unable to authenticate the server.

Whenever an issuing CA cannot be authenticated, you'll get an error message like the following:


The error message may be slightly different, depending on the application trying to authenticate a server, but the gist is the same. The server could not be authenticated, so you may or may not be connecting to the real server — nid.utah.edu in this case. There will also be no encryption of the data being exchanged, so anybody else listening has full access to your data. The application should give the user the option to continue or not, or automatically terminate the session.

In order to allow a full-fledged SSL session to be established with a server whose CA is not in the trusted list, the certificate of the CA should be downloaded and added to the X509Anchors keychain. The downside to this is that the CA certificate needs to be available, either publicly or by request.

If the certificate is publicly available on a web page, download it. As an example, we'll walk through the process of downloading the University of Utah Internal Server CA certificate to get rid of that error when visiting nid.utah.edu. The following is a screen shot of a section of the ITAC web page, showing the link to download the certificate. In most browsers either clicking on the "install public cert" link, or control-clicking on the same link and selecting something along the lines of "Download" or "Save As…" from the contextual menu, will work.


Your web browser will then download the certificate. Since they are generally small — the U of U's public certificate is only a couple of kilobytes, as you can see in the next picture — they should download quickly.

Once the download finishes, either go to your default download location (or to wherever you told the browser to save the cert, if you used a "Save As…" command), or click on the show widget — the magnifying glass to the right of the downloaded file — in the download window to reveal the certificate.


If the file's extension isn't ".cer", change it to ".cer". Then double-click on it. Keychain Access will launch.


Keychain Access will present you with a dialog box to confirm that you really want to add the certificate. Select "X509 Anchors" from the "Keychain:" pull-down menu and click "OK". (You must have administrator access to do this.)


Keychain Access will ask you to authenticate as an administrator. Enter an administrator's user name and password and click "OK". The certificate will now be added to the client's list of trusted CAs.


To view the list, go to Keychain Access, select Add Keychain… from the File menu, navigate to /System/Library/Keychains/ and select X509Anchors. The X509Anchors keychain will now show up in your list of keychains. (Click Show Keychains if the list is not visible.) When you select one of the certificates you can view the information contained within it (validity period, hexadecimal representations of the SHA1 and MD5 fingerprints and of the public key and signature, contact information for the CA, and so forth).
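The same procedure done from the Terminal, as an added example that is not from the original page. It assumes OS X 10.5 or later, where the System keychain and the security command replace the X509Anchors keychain, and it adds the check a careful administrator does first: comparing the downloaded certificate's SHA-1 fingerprint (the value Keychain Access shows) with one obtained out of band, before trusting the CA. The file name ca.cer and the fingerprint are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page: the Keychain Access steps done from
# the Terminal, plus a fingerprint check before the CA is trusted. Assumes OS X
# 10.5+, where the System keychain and security(1) replace X509Anchors.
set -eu

# Strip colons and spaces from a fingerprint and upper-case it, so the value
# shown by Keychain Access or openssl can be compared with one obtained out of
# band (for example, directly from the CA operator, not from the same web page).
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}
# Succeeds (exit 0) only when both fingerprints denote the same certificate.
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Print the SHA-1 fingerprint (AB:CD:...) of a downloaded .cer file, DER or PEM.
cert_sha1() {
    { openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null \
      || openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha1; } \
      | sed 's/^.*=//'
}

# Add the CA as a trusted root in the System keychain; needs an administrator
# (sudo), just as choosing "X509 Anchors" in the dialog did.
install_ca() {
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}

# Confirm that the server's chain validates against the CA file alone
# ($1 = host name, $2 = CA certificate in PEM form).
check_server() {
    echo | openssl s_client -connect "$1:443" -CAfile "$2" 2>/dev/null \
      | grep -q 'Verify return code: 0 (ok)'
}

# Install only after the fingerprint matches the expected one; the file name
# and fingerprint are placeholders supplied by the caller.
install_verified() {
    actual="$(cert_sha1 "$1")"
    if ! fingerprint_matches "$actual" "$2"; then
        echo "refusing to trust $1: fingerprint $actual does not match $2" >&2
        return 1
    fi
    install_ca "$1"
}
# Usage: sh add_ca.sh install ca.cer AB:CD:...
case "${1:-}" in install) install_verified "$2" "$3" ;; esac
```

After installing, check_server nid.utah.edu ca.pem (with the .cer converted to PEM via openssl x509) should succeed, which is the command-line equivalent of the browser error going away.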


Campus Resources

The University of Utah maintains its own certificate authority, managed by ISO (Institutional Security Office). Certificates generated by the University Internal CA are available for servers and specific applications — including Radius, Time, VPN, and SSL web servers. No certificates for individuals are available at this time, so client authentication with a U of U certificate is not yet possible, but this service is planned.

To get a certificate from the University Internal CA, send an email to ca@utah.edu with appropriate contact information, what application will use the certificate, and either a fully qualified domain name (FQDN) or a certificate request file.

A public certificate is also available, to manually add the University Internal CA to clients' lists of trusted CAs. It is available from the ITAC website. To install this or any other certificate, download it, make sure the extension is .cer — change it to .cer if it's not — and double-click on it. Keychain Access launches and asks if you want to add the certificate; select the appropriate keychain, click OK, and enter your login and password.