Custom Certificates with OS X - Nick

Custom Certificates with OS X [Nov. 10th, 2003|05:41 pm]
It seems that persuading OS X to accept new CA certificates isn't quite as straightforward as on Windows. I discovered this today, whilst trying to get the Macs in the office to recognize our local CA.

Firstly, there's the fact that all the Microsoft programs have their own CA store, and don't bother with the system one. Installing CA certificates in this is much like with Windows - browse to a copy of your certificate in IE, serve it up with a MIME type of application/x-x509-ca-cert and up pops the install window. One pesky bit is that it prompts you for a password, which it asks for again every time you visit a site with a custom CA certificate. Giving it a blank password seems to make it go away.
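An added example, not code from the original post: a minimal Python server that hands out one CA certificate file with the application/x-x509-ca-cert MIME type mentioned above, and prints its SHA-256 fingerprint so the copy a client receives can be compared out of band before it is trusted. The /ca.crt path, port 8000 and all function names are assumptions made for illustration.

```python
import base64, hashlib, re
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_MIME = "application/x-x509-ca-cert"  # MIME type named in the post

def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armor and return the DER bytes; raise if none is found."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def make_handler(body: bytes, path: str = "/ca.crt"):
    """Build a handler that serves exactly one resource: the certificate file."""
    class CAHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:          # nothing else is exposed
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):      # keep the console quiet
            pass
    return CAHandler

def serve(pem_path: str, host: str = "127.0.0.1", port: int = 8000):
    """Serve the file unchanged; the fingerprint is computed over its DER form."""
    with open(pem_path, "rb") as f:
        body = f.read()
    print("CA certificate SHA-256:", fingerprint(pem_to_der(body)))
    HTTPServer((host, port), make_handler(body)).serve_forever()

if __name__ == "__main__":
    import sys
    serve(sys.argv[1])   # usage: python serve_ca.py /path/to/ca.pem
```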

The OS X bit is more tricky, since there isn't a GUI to do it (that I could find, anyway). Full details of how to do it are on my certificates page, specifically here. Basically, it involves taking a copy of the system trusted certificates store, manipulating it with certtool, then copying it back.

Finally, you can compile / install OpenSSL on OS X. You'd want to do this if you plan on using ported Unix tools, which depend on OpenSSL for their crypto stuff. For this, you need to also install the certificate under the OpenSSL framework - detailed here.

Ah, such fun, hey?