How do I convert an Army certificate into a format OS X understands?
May 27, 2005 9:27 AM

Army Knowledge Online is a webmail/pop email service that any current or former US Army member can use in order to have a .mil address. I've been using it for a while, but for going on three years now I can't get Mail.app (and the keychain) to accept its security certificate. The normal way of importing a self-signed certificate doesn't work under Jaguar, Panther, or Tiger: I can import the cert, but nothing happens. I've tried setting up a new "root" certificate. Nothing works. Apple discussion boards have been useless. Can someone look at this certificate (try going here and it will send you the cert) and maybe tell me what's going on? I think it's in some odd format that prevents it from being imported.
posted by yesno to Computers & Internet (10 answers total)
 
The FAQ about installing the cert. on OSX doesn't help?
posted by piro at 9:50 AM on May 27, 2005


Response by poster: No, I'm afraid those instructions don't work. The X509 anchors and certificates are already installed in Tiger, anyway, and the DOD Class 3 root certificate is also already installed. None of that has any effect on the AKO certificate.
posted by yesno at 10:05 AM on May 27, 2005


Response by poster: I can import the certificates but the problem is that "they were signed by an unknown authority."
posted by yesno at 10:11 AM on May 27, 2005


yesno - I work for a large commercial CA, and the 'Unknown Authority' message simply means the chain back to the root certificate (or the root cert itself) is not there.

I'll try and offer more help shortly, but I'm in the UK, and most of the pages don't load properly here...
posted by nafrance at 11:49 AM on May 27, 2005


Response by poster: It seems what I need is the "DOD Class 3 CA-4" certificate, which is what it is signed by. All of the online help documents assume that the root cert "DOD Class 3" does the trick, but it does not.
posted by yesno at 2:24 PM on May 27, 2005


Best answer: When I connect it gives me a certificate issued by "DOD CLASS 3 CA-7", not CA-4. My bet is that they have several servers behind that one domain name, with distinct certs, and signed by different intermediate authorities. If that's the case, then the problem is that the server is not sending the whole cert chain --- it's supposed to send its own cert and any certs in between that and the root (so that you can follow the chain).

OTOH this collection of certificates found by google contains a self-signed (root CA) cert claiming to be CA-7, but an intermediate cert claiming to be CA-3 and signed by the Class 3 Root CA. Weird. I'd expect them all to trace back to the Class 3 Root.
posted by hattifattener at 3:17 PM on May 27, 2005


I had the certificate problem, but I just set the Firefox to "always accept" and no more messages.
I'm using the AKO webmail though; are you saying you should be able to POP the account to your desktop mail?
posted by atchafalaya at 3:29 PM on May 27, 2005


Best answer: One error I see is that the cert proffered is for the domain 'webmail.us.army.mil' even when you're visiting the domain 'pop.us.army.mil'. Safari correctly interprets that as an invalid cert. However, since both names resolve to the same IP address and there are no MX records involved, there's no reason you can't just use 'webmail.us.army.mil' wherever you're currently using 'pop.us.army.mil', including in Mail.app.

Also, you need to install both the Class 3 root CA and the DOD CLASS 3 CA-7 certs. Since you already have the first, you can install the second by copy-pasting the 'DOD CLASS 3 CA-7' section (the two id lines containing that phrase and the certificate block immediately following) into a text file, saving it with a .cer extension and then importing in Keychain Access.

By doing those 2 things, I was able to visit the AKO site without generating a certificate error.
posted by boaz at 7:43 PM on May 27, 2005


I forgot to mention that the CA-7 cert was copy-pasted from the list of certs in hattifattener's link.
posted by boaz at 7:46 PM on May 27, 2005
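The three situations hattifattener and boaz describe (a leaf signed by an intermediate the client has never seen, the same leaf once the intermediate has been pasted into a file and imported, and a cert for webmail.us.army.mil presented to a client that connected to pop.us.army.mil) can be reproduced with Go's standard-library X.509 verifier. This is an added example, not code from this thread, from Apple, or from the DoD PKI: it mints its own throwaway root, intermediate and server certificate, so the names "DOD CLASS 3 Root CA", "DOD CLASS 3 CA-7" and the two hostnames are constructed stand-ins and nothing here is real DoD certificate material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn, signed by parent/parentKey, or self-signed when
// parent is nil. All names passed in are constructed stand-ins for the thread's DoD
// certificates; nothing here is real DoD PKI material.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random 64-bit serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns, // the SAN list a hostname check is matched against
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// toPEM renders certificates as the "-----BEGIN CERTIFICATE-----" blocks one would copy
// out of a bundle; feeding that text to a CertPool is what saving it as .cer and importing does.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verify builds a chain from leaf through intermediates to a trusted root and checks that
// host matches the leaf's SANs. A nil result means a TLS client would accept the connection.
func verify(leaf *x509.Certificate, roots, intermediates *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	return err
}

// runScenarios reproduces the thread's three situations against a constructed
// root -> CA-7 -> webmail chain and returns each outcome keyed by a short label.
func runScenarios() map[string]error {
	root, rootKey := issue("DOD CLASS 3 Root CA", true, nil, nil, nil)
	ca7, ca7Key := issue("DOD CLASS 3 CA-7", true, nil, root, rootKey)
	leaf, _ := issue("webmail.us.army.mil", false, []string{"webmail.us.army.mil"}, ca7, ca7Key)

	roots := x509.NewCertPool()
	roots.AddCert(root) // the Class 3 root the poster already had installed

	// The CA-7 block pasted from a bundle into a text file and imported.
	imported := x509.NewCertPool()
	imported.AppendCertsFromPEM(toPEM(ca7))

	return map[string]error{
		// server sends only its own cert, client knows only the root -> unknown authority
		"root-only": verify(leaf, roots, x509.NewCertPool(), "webmail.us.army.mil"),
		// intermediate imported -> chain completes
		"root+ca7": verify(leaf, roots, imported, "webmail.us.army.mil"),
		// same trust store, but the client connected to pop.us.army.mil -> name mismatch
		"root+ca7-pop": verify(leaf, roots, imported, "pop.us.army.mil"),
	}
}

func main() {
	for name, err := range runScenarios() {
		if err != nil {
			fmt.Printf("%-14s FAIL: %v\n", name, err)
			continue
		}
		fmt.Printf("%-14s OK\n", name)
	}
}
```

The first case is the "signed by an unknown authority" message from the thread: the root is trusted, but nothing links the server's certificate to it, so the verifier cannot build a chain. Adding the intermediate on the client side works around a server that does not send it, which is exactly what copying the CA-7 block into a .cer file did; the third case shows why switching Mail.app to the hostname the certificate actually names, rather than suppressing the warning, is the correct fix for the name mismatch.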


Response by poster: I got it to work! Thanks everyone. (By the way, atchafalaya, it's Mail.app that was the big concern for me, not the browser.)
posted by yesno at 5:00 AM on May 28, 2005

