Again, in the vein of posting information that took me forever to find elsewhere:
I decided this morning to switch from simply downloading my email through POP3 to using SSL, which is more secure. I use Apple’s “Mail” program to check my email, under OS X 10.3. When you switch to SSL in Mail’s preferences, every time you start your mail program, it will warn you that it doesn’t trust the certificate on the server. You can click continue to keep using it. But this gets old very quickly… clicking ‘continue’ every time you start up Mail. So you find out what the server’s certificate is (from your provider/ISP) and add it to your Mac’s keychain.
Everything that I’ve said so far is easy to find online. And I did all that. I went to the Keychain application, chose “import”, and imported the text file I had saved the certificate to. It imported just fine, and showed up in the keychain just fine. But every time I started mail, it was still telling me it didn’t trust the server. It was ignoring the copy of the certificate that’s in my keychain.
And that drove me fucking nuts. ‘Cause every website I found, including Apple’s own support site, says simply to “Import the certificate into the keychain”.
After much surfing, cursing, and kicking of the cat to relieve stress, I came across this page on Employees.org. Seems there is a very particular set of steps you need to take in order to PROPERLY install the certificate:
- Download/copy your certificate and save it in a file. The file name needs to end in an extension that the computer will identify as a certificate. I used “.pem”.
- Double-click on the file. This will launch “Keychain Access” and open the “Add Certificates” dialog box.
- (For security reasons, you should click on “View Certificate” and compare the fingerprint and then click OK on the certificate viewer.)
- Change the “Keychain:” drop-down menu in the “Add Certificates” dialog to “X509 Anchors” and click OK.
- The system will prompt you for an Administrator username and password as this will modify a system file.
- Restart any applications that use the system certificate store, like Apple Mail.
Now your Mail should stop complaining about certificates.
Seems the missing step was the “X509” bit. And the only way to make that setting was to follow this particular method of adding the certificate. It doesn’t show up if you simply use the “import…” option.
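For the fingerprint comparison in the “View Certificate” step, here is an added example (not from the Employees.org page or from Apple) that computes a certificate’s fingerprint straight from the saved .pem file, so it can be checked against the value your provider publishes before the certificate becomes a trusted anchor. The function names are hypothetical, and the sample certificate is a constructed placeholder, not a real one.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file's text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # Line breaks (LF or CRLF) are not part of the certificate; strip them.
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)

def fingerprint(pem_text, algo="sha256"):
    """Hash the DER encoding (not the text file) and format it as AA:BB:..."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Make 'aa bb', 'AA:BB' and 'aabb' compare equal."""
    return re.sub(r"[\s:]", "", fp).lower()

def matches(published, pem_text, algo="sha256"):
    """True only if the provider's published fingerprint equals the file's."""
    want = normalize(published)
    return bool(want) and want == normalize(fingerprint(pem_text, algo))

# Constructed placeholder bytes standing in for a certificate's DER encoding.
SAMPLE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA-1  :", fingerprint(SAMPLE_PEM, "sha1"))
    print("SHA-256:", fingerprint(SAMPLE_PEM, "sha256"))
```

Use whichever hash your provider published. Because the hash is taken over the decoded certificate bytes, a copy saved with different line endings still yields the same fingerprint.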
Anyway… my mom is out there right now wondering what the fuck this all means. Really… it’s a plot to make you feel old, Mom. Have you figured out how they get the movies on those little spinning disks yet? 🙂
If I’m feeling ambitious or bored tomorrow, maybe I’ll describe how to release the built-in integration Mail seems to have with PGP.