[kman42]

Can someone provide a decent explanation of how the Tiger Keychain handles certificates? Although they provide a nice assistant, much of the jargon is confusing. I would like to have certificates for each of my email accounts so that I can send signed and encrypted emails. How do I go about this?

Also, I noticed that the assistant can generate a certificate authority. Does this mean that anyone can become an authority? What are the practical implications of this?

kman

[Stradlater]

Yeah, I'd like some help here, as well. Though I've added the Mail security certificates to my keychain, I can't seem to find the option to add these signatures to outgoing mails. In 10.3, once I added the certificates, outgoing mail was secured by default.

[kman42]

Did you just create your own using Keychain or did you use Thawte (or some other service) and import them? Can you use thawte through the keychain assistant?

kman

[kman42]

The certificate assistant Learn More button says, "you can obtain a personal certificate from .Mac". Anyone know how to do that?

[Stradlater]

Originally Posted by kman42

Did you just create your own using Keychain or did you use Thawte (or some other service) and import them? Can you use thawte through the keychain assistant?

kman

I used Thawte; I downloaded them again and they imported into Keychain Assistant automatically. I, however, cannot find the option to use them in Mail. I've sent myself test messages and the certificates are not embedded.

[kman42]

Did you use Firefox or does Safari now work? My thawte certs expired about a week ago and I was holding off renewing them since I had heard Tiger would contain cert generation support.

[Stradlater]

Originally Posted by kman42

Did you use Firefox or does Safari now work? My thawte certs expired about a week ago and I was holding off renewing them since I had heard Tiger would contain cert generation support.

Safari. I used Safari in 10.3 and it worked also.

Here are some examples:
http://www.entourage.mvps.org/smime/req_safari.html

[kman42]

I just created a new cert through thawte and downloaded it using safari. It opened in keychain and then I was able to send an email to myself using the cert to sign it. I didn't have to do anything to add it to the account; mail just picked it up automatically.

kman

[Stradlater]

Originally Posted by kman42

I just created a new cert through thawte and downloaded it using safari. It opened in keychain and then I was able to send an email to myself using the cert to sign it. I didn't have to do anything to add it to the account; mail just picked it up automatically.

kman

Hmmm...I wonder why it didn't work for me. Can you show me a screenshot of the signed part of the email and the compose window?

[kman42]

I can't seem to get the encryption to work though. I'm sending the email to myself at another account and it says I don't have the public key even though I just got the cert for that acct and can send signed emails from that account. And the cert is present in Keychain.

[legacyb4]

My existing certs were moved over when I copied over my keychain and I was also able to renew one of my mail certs through Thawte no problem.

Didn't catch the bit about .mac at first but I imagine that Apple will soon be adding that (hopefully for free) infrastructure into the .mac system so that all subscribers can easily sign mail.

The Create a CA part is probably just a GUI for the tools that were already included in 10.3 (I did a writeup for macosxhints a while back on setting up a private CA for enabling SSL for your webserver).

Good to see Apple getting around to these bits.