How do I convert an Army certificate into a format OS X understands?
May 27, 2005 9:27 AM Subscribe
Army Knowledge Online is a webmail/pop email service that any current or former US Army member can use in order to have a .mil address. I've been using it for a while, but for going on three years now I can't get Mail.app (and the keychain) to accept its security certificate. The normal way of importing a self-signed certificate doesn't work under Jaguar, Panther, or Tiger: I can import the cert, but nothing happens. I've tried setting up a new "root" certificate. Nothing works. Apple discussion boards have been useless. Can someone look at this certificate (try going here and it will send you the cert) and maybe tell me what's going on? I think it's in some odd format that prevents it from being imported.
Response by poster: No, I'm afraid those instructions don't work. The X509 anchors and certificates are already installed in Tiger, anyway, and the DOD Class 3 root certificate is also already installed. None of that has any effect on the AKO certificate.
posted by yesno at 10:05 AM on May 27, 2005
Response by poster: I can import the certificates but the problem is that "they were signed by an unknown authority."
posted by yesno at 10:11 AM on May 27, 2005
yesno - I work for a large commercial CA, and the 'Unknown Authority' message simply means the chain back to the root certificate (or the root cert itself) is not there.
I'll try and offer more help shortly, but I'm in the UK, and most of the pages don't load properly here...
posted by nafrance at 11:49 AM on May 27, 2005
Response by poster: It seems what I need is the "DOD Class 3 CA-4" certificate, which is what it is signed by. All of the online help documents assume that the root cert "DOD Class 3" does the trick, but it does not.
posted by yesno at 2:24 PM on May 27, 2005
Best answer: When I connect it gives me a certificate issued by "DOD CLASS 3 CA-7", not CA-4. My bet is that they have several servers behind that one domain name, with distinct certs, and signed by different intermediate authorities. If that's the case, then the problem is that the server is not sending the whole cert chain --- it's supposed to send its own cert and any certs in between that and the root (so that you can follow the chain).
OTOH this collection of certificates found by Google contains a self-signed (root CA) cert claiming to be CA-7, but an intermediate cert claiming to be CA-3 and signed by the Class 3 Root CA. Weird. I'd expect them all to trace back to the Class 3 Root.
posted by hattifattener at 3:17 PM on May 27, 2005
I had the certificate problem, but I just set Firefox to "always accept" and no more messages.
I'm using the AKO webmail though; are you saying you should be able to POP the account to your desktop mail?
posted by atchafalaya at 3:29 PM on May 27, 2005
Best answer: One error I see is that the cert proffered is for the domain 'webmail.us.army.mil' even when you're visiting the domain 'pop.us.army.mil'. Safari correctly interprets that as an invalid cert. However, since both names resolve to the same IP address and there are no MX records involved, there's no reason you can't just use 'webmail.us.army.mil' wherever you're currently using 'pop.us.army.mil', including in Mail.app.
Also, you need to install both the Class 3 root CA and the DOD CLASS 3 CA-7 certs. Since you already have the first, you can install the second by copy-pasting the 'DOD CLASS 3 CA-7' section (the two id lines containing that phrase and the certificate block immediately following) into a text file, saving it with a .cer extension and then importing in Keychain Access.
By doing those 2 things, I was able to visit the AKO site without generating a certificate error.
posted by boaz at 7:43 PM on May 27, 2005
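The two failures diagnosed above (hattifattener's incomplete chain from a server that only sends its own cert, and boaz's name mismatch between webmail.us.army.mil and pop.us.army.mil) can be modelled as the chain-building and hostname checks a mail client performs. This is an added example, not code from the thread or from Apple; it handles only the name/issuer bookkeeping, not signature verification, and the Cert records (ROOT, CA7, LEAF) are constructed stand-ins for the certificates discussed, not the real DoD ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                       # constructed model: name fields only, no signature
    subject: str
    issuer: str
    names: tuple = ()             # DNS names (CN / subjectAltName) the cert covers

def hostname_matches(host, cert):
    """Case-insensitive DNS match; one leftmost wildcard label is allowed."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert.names):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def build_chain(sent, trusted):
    """Walk issuer -> subject from the leaf the server sent. Returns (chain, error)."""
    by_subject = {c.subject: c for c in sent + trusted}
    issuers = {c.issuer for c in sent if c.issuer != c.subject}
    leaves = [c for c in sent if c.subject not in issuers]
    if len(leaves) != 1:
        return [], "could not identify a single end-entity certificate"
    chain, cur = [], leaves[0]
    while cur not in chain:
        chain.append(cur)
        if cur in trusted:                 # anchored: root or a directly trusted intermediate
            return chain, None
        if cur.issuer == cur.subject:      # self-signed but never imported as trusted
            return chain, f"self-signed '{cur.subject}' is not in the trust store"
        cur = by_subject.get(cur.issuer)
        if cur is None:                    # the 'unknown authority' case from the thread
            return chain, f"unknown authority: '{chain[-1].issuer}' was neither sent nor trusted"
    return chain, "issuer loop in the certificates"

def diagnose(host, sent, trusted):
    """Both checks together; an empty list means the certificate would be accepted."""
    chain, err = build_chain(sent, trusted)
    problems = [err] if err else []
    if chain and not hostname_matches(host, chain[0]):
        problems.append(f"certificate names {chain[0].names} do not include '{host}'")
    return problems

# Constructed records standing in for the thread's certificates (not the real DoD ones).
ROOT = Cert("DoD Class 3 Root CA", "DoD Class 3 Root CA")
CA7 = Cert("DOD CLASS 3 CA-7", "DoD Class 3 Root CA")
LEAF = Cert("webmail.us.army.mil", "DOD CLASS 3 CA-7", ("webmail.us.army.mil",))

if __name__ == "__main__":
    print(diagnose("pop.us.army.mil", [LEAF], [ROOT]))           # both problems reported
    print(diagnose("webmail.us.army.mil", [LEAF], [ROOT, CA7]))  # [] once CA-7 is trusted
```

The second call mirrors boaz's fix: importing the CA-7 intermediate into the keychain lets the chain anchor there even though the server never sends it, and using the webmail hostname removes the name mismatch.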
I forgot to mention that the CA-7 cert was copy-pasted from the list of certs in hattifattener's link.
posted by boaz at 7:46 PM on May 27, 2005
Response by poster: I got it to work! Thanks everyone. (By the way, atchafalaya, it's Mail.app that was the big concern for me, not the browser.)
posted by yesno at 5:00 AM on May 28, 2005
posted by piro at 9:50 AM on May 27, 2005