Keychain and certificate questions

Similar Messages

• Keychain and 1password questions

  Can someone give me a basic rundown of what the Keychain is and how I am supposed to use it?
  Also, I use 1password and it requires me to put in my password every time. It gives me the option to remember the PW in the keychain, but when I select that it gives me a serious sounding warning that basically says it is not safe to do it the keychain is not properly secured which by default it is not. How do I secure it so I can safely save my 1password PW?

  Keychain and 1Password are similar beasts. In fact 1Password uses a separate keychain file to store its passwords. The difference is that 1Password integrates very will with most web browsers available on the Mac.
  The reason 1Password gives you that warning is because by default your default keychain is unlocked when you login to your Mac. And since a lot of people do not even password protect their Macs when the screen saver runs or when waking from sleep, and allow their Macs to automatically log them in when they boot up, that means anyone that can get their hands on your Mac will have access to ALL your passwords in both your keychain AND 1Password.
  It is possible to use Applications -> Utilities -> Keychain Access -> Edit -> Change Settings for Keychain "Login".
  Of course changing those settings will most likely result in Keychain asking for your password when 1Password wants access to it, instead of 1Password
  So if you trust that no one will ever get their hands on your Mac, then allowing 1Password put its password into Keychain will stop the constant password requests. It is your Mac and your information you are trying to protect.
  The main advantage of 1Password is that you only need to remember 1 password instead of several dozen passwords for each web site, or worse using the same single password for every site, so that if some figures out the password to one site would give them access to all your sites. At least with 1Password you can use strong passwords for your web sites and only memorize the password for 1Password.

• Keychain and certificates

  I cant access Hotmail from Safari neither Google Chrome, just from Opera. I think it has something with the certificates, because many pop up windows appear when i use Opera to access Hotmail. Also the certificates are a mess! Can I find a way to restore to original setting that without having to restore my computer?

  Matthew -
  thanks for your reply. Unfortunately this AFP548 article explains a lot about rolling your own CA, but it does not give any hints how to store the certificate data on the directory.
  Marcel Bresink, author of several excellent books about Mac OS X (Server), gave me the hint that the following keys can be stored in an LDAP domain (information from "man DirectoryServiceAttributes"):
  UserCertificate
  Attribute containing the binary of the user's certificate.
  Usually found in user records. The certificate is data which identifies a user.
  This data is attested to by a known party, and can be independently verified
  by a third party.
  UserSMIMECertificate
  Attribute containing the binary of the user's SMIME certificate.
  Usually found in user records. The certificate is data which identifies a user.
  This data is attested to by a known party, and can be independently verified
  by a third party. SMIME certificates are often used for signed or encrypted emails.
  UserPKCS12Data
  Attribute containing binary data in PKCS #12 format.
  Usually found in user records. The value can contain keys, certificates, and
  other related information and is encrypted with a passphrase.
  Perhaps someone else has already managed to fill those keys so Keychain Access on connected clients can retrieve the Certificates.
  - Norbert

• (SSL?) Certificates, Safari, and blue question marks

  Recently I ran into some trouble with Mail and messed around with my certificates and Keychain a fair bit. Nonetheless, everything seems to be fine, except Safari. A problem I would run into intermittently before now dominates my online experience.
  I encounter images being replaced with blue question marks very frequently. Additionally, on webpages with logins and forms (e.g. eBay, Paypal), the formatting of the page is nearly nonexistent. Fonts, pictures, all missing--everything is just mashed together. I can still login, though. Before loading any webpage on which this happens, Safari notifies me that the page might not be secure. I click continue, and voila, blue question marks.
  If I then Ctrl-click on one of the question marks and choose "Open image in new tab", I get a certificate error, usually with what appears to be an image server. The message usually goes something along the lines of, "Safari can't identify the identity of the website "images-na.ssl-images-amazon.com". The certificate for this website is invalid. You might be connecting to a website that is pretending to be "images-na.ssl-images-amazon.com" which could put your confidential information at risk. Would you like to connect to the website anyway?"
  If I then click "Show Certificate", I see that "This certificate has an invalid issuer" If I check the box "Always trust these certificates" and reload the page, the image shows up. If I then go back to the original page and reload it, all images appear. This also solves my problem with forms and page formatting.
  However, this is obviously a pain. And a bit disconcerting, to boot. I've tried clearing the cache, resetting Safari, reinstalling Keychain and Safari via Pacifist, to no avail.
  Any thoughts on navigating this issue? It seems to occur primarily (if not entirely) with SSL certificates. . .
  Hopeful,
  a.

  Hi, aresnick, is that as in old lace? on the very long state named road?
  I looked in Safari help for "SSL certificates" in 10.3.9 and in 10.4.7 this term "Certificate". Irregardless both give the same message:
  Accessing websites that require a personal certificate
  If you need to access a website that requires a personal certificate, you will be provided with a certificate and instructions for installing it in your keychain.
  Once your certificate is installed in your keychain, you should be able to gain authenticated access to the website automatically.
  If you are unable to access the website, contact the website administrator.
  continue Safari Help: Deleting data saved from web forms
  If you select the option to automatically complete web forms using information from other webpages, Safari saves information you enter. You can delete this information, if you choose.
  Choose Preferences from the Safari menu and click AutoFill. Click Edit next to the "Other forms" checkbox. Select the item you want to delete and click Remove. If you want to delete all the items, click Remove All.
  If you don't want to use data from other web forms, deselect the "Other forms" checkbox in the AutoFill pane of Safari preferences.
  The Blue question mark and images do not appear appear, safari help:
  Images don't appear
  If webpage images don't appear, the option to display images may be turned off or there may be a problem with your network.
  Choose Preferences from the Safari menu and click Appearance. Click to select "Display images when the page opens."
  If the option is already selected, trying reloading the page. Choose Reload Page from the View menu.
  Therefore if i were you I would follow the instructions listed from Safari Help. I would also Reset Safari, which clears the history, empties the cache, clears the Downloads window, and removes all cookies. It also removes any saved user names and passwords or other AutoFill data and clears Google search entries. (see reset Safari in Help for more info)
  Then run perm. repair & a restart of the computer.
  You might want to look into updating to 10.4.7 following same steps as underlined in a. brodies in link posted to you earlier, in this thread.
  Good Luck.
  Hth. Please post back to let us know, how you did .
  Eme
  edited by: Eme x2

• Certificate Widget and Random Question Slides

  I am in the process of evaluating Captivate 4. Twice now I have had an issue with using the random question slides with the certificate widget. In both cases I converted a Captivate 3 course in which the random question slides and corollary question pools had worked as they should. In both, I successfully added the certificate widget to the new course (Captivate 4) following the instructions in help.
  In the first course, only one question pool would work. The others simply showed up as a blank slide. I was able to fix that by merging all the questions into the one working question pool. Wasn't the way I had wanted to randomize the questions, but it allowed me to publish the course. The certificate widget did work.
  In the second course, none of the questions pools are working and the published version of the course skips right past the random questions that had been interspersed after each topic area. One again, this course had worked just fine in Captivate 3 and with Captivate 4, without the certificate widget. I do not wish to combine all the questions into one question pool. As I noted, I published the course without the widget and the questions worked just fine.
  This leads me to believe that I am doing (or not doing) something when I include the widget that is causing the problem. I can't imagine what that would be, but the fact that no one else seems to have posted this issue makes me think it is something I'm doing.
  I am not using an LMS. I'm publishing to .html file that resides on our LAN.
  I hope someone can help!
  Thanks!
  Susan

  Hi Peter,
  A number of users (myself included) have encountered issues with the random question slide feature - some of which is due to browser cacheing. If you can spare the time please use the web address I have included below to report this issue to the Adobe Captivate team.
  Adobe Captivate Feature Request/Bug Report Form 
  Best - Mark
  Visit the macrofireball blog

• Keychain Access and Certificates?

  I was looking for information on a password manager and remembered that Apple has Keychain Access as part of the OS.
  I am trying to understand how it works and only find the Help files available for reading. I am missing a somewhat deeper overview and understanding, not just a list of 'how to ...' instructions.
  Can anyone point me to articles or documentartion to help understand this application?
  While poking around in Keychain Access, I noticed 175 unique certificates on my Mac under the Keychain called 'System Roots'. I looked at the information on several and am unable to interpret the information, nor the Trust settings available. Also, the Certificate Assistant options available for Viewing and Evaluating Certificates.
  My biggest concern is that I do not recognize most of these certificates, and do not understand how they got on my computer, and what happens if I remove them?

  Thanks - I looked at several of the links, but I'm not a software engineer.
  I'm looking for documents that are geared to a user of the product (OSX), to help me understand all the things I see when opening up Keychain Access, and understand what they do, and a layman's description of the certificates and what happens if I delete them.
  Also, a brief overview of the keychain and how it is used, how it is useful, etc.
  Just can't seem to find the user oriented documentation...

• Question concerning WebService and certificates

  Hi, well i'd like to get data from a WebService. Scenario is RFC to WebService in SAP XI.
  Therefore i also have to use user&pw and a certificate key i got previously!
  So i created the receiver channel and now i am stuck. There is the option User Authentification and Configure Certificate Authentication. What do i have to use and how to configure. I know i have to use the keystore-service in VisualAdmin, but how?!
  I already read this: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter but it does not fir my needs actually.
  Again, i have user&pw AND certificate-key (only key in plain characters!). how to use these 3?!
  thx in advance, br

  Hi Jens,
  Go through following pdf. It will clear some of you doubts.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
  -Pinkle

• Server 2012 R2 - Essentials Experience - - I jacked my CA and certificates all to @#&$%!!

  Windows Server 2012 R2 - Essentials Experience
  In trying to put pieces together, I jacked my CA and certificates all to @#&$%!!
  Some of the factors involved are:
   Server0 - Hyper-V Host
    Server1 - DC, 2012 R2 Essentials Experience role
    Server2 - Exchange 2013
   Client Machines -
    Windows 7 Pro
    XP (Yes, these are my cross to bear... - worth noting their presence, but I'm working them out) 
   The functional requirements:
    Anywhere Access for Remote users
     - Remote Desktop for Windows 7 machines
    Outlook Web Access
  The mistake... 'Web Application Proxy'
   -which uninstalled the CA
  There is a CA back now, but after days of spinning in cirles in a rare area where I feel nearly completely lost (Certificate services) I am asking for help getting these pieces put back together.
  The current situation:
   The network is up with all of the network and business services required to work 'Inside the Office' - so the client is "functional".
   The "Essentials Experience" is broken and won't install to the clients, though it does provide the Essentials website, access to server shared files (fairly gracefully, I might add) and, as an administrator user, I can get to the servers via
  RWA through the site and there are no certificate problems with that since I have a secured certificate for the domain. 
   OWA has been moved to a further back burner while I try to get the Essentials Experience functioning t the point where the remote users can get to their workstations through RWA... This is the biggest current hurdle... RWA for the clients.
  Trying to install the client to the workstations nets me the "The Server is not available.  Try connecting this computer again,..." message at the point of username and password authentication.
  The clientdeploy.log finishes like this:
   [4976] 141016.153746.2670: ClientSetup: Standard Error:
   [4784] 141016.153746.2670: ClientSetup: The exit code of the process (C:\Windows\system32\nslookup.exe) is: 0
   [4784] 141016.153746.2670: ClientSetup: Set CD Fail reason 10 for SQM in ClientDeployment.exe
   [4784] 141016.153746.2670: ClientSetup: RecordClientDeploymentFailReason: Save registry failed in ClientDeployment.exe : System.UnauthorizedAccessException: Cannot write to the registry key.
    at Microsoft.Win32.RegistryKey.EnsureWriteable()
    at Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions)
    at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck)
    at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.Helper.RecordClientDeploymentFailReason(UInt32 failReason)
   [4784] 141016.153746.2670: ClientSetup: Exiting ValidateUserTask.Run
   [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed
   [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot
   [4784] 141016.153746.2670: ClientSetup: Exting ConnectorWizardForm.RunTasks
   [1272] 141016.153755.0976: ClientSetup: Back from the Client Deployment Wizard
   [1272] 141016.153755.0976: ServerDiscovery:HostsFileUpdater: Removing hosts file entry: 1-WGB-01
   [1272] 141016.153755.0976: ClientSetup: Saving Wizard Data
   [1272] 141016.153755.0976: ClientSetup: End of ClientDeploy: ErrorCode=1603
  The computerconnector.log shows nothing of value.
  What I want to accomplish as a 'first step' toward recovery is to get the workstations properly connected so they show up in the Dashboard 'Devices' pane and can be managed and access by the Essentials tools.
  Secondarily, I would like to get the client side tools in place and functioning (I expect the latter will be a side effect of the former).
  So,... for anyone patient enough to have read this far... uh,... help?

  Actually,... I can now confirm the delicacy of which you speak...
  After a support incident with Microsoft which spanned a marathon 18+ hours on the phone and remote access by no fewer than 7 Microsoft Engineers, we got to a successful result. 
  It is a point of utter frustration for me when people put in threads like this then don't bother to come back and report 'how the issue was solved', and sadly, I am about to have done that merely because my span of functional attention and valuable reporting
  capability was basically gone before I submitted the ticket and following all that was done in my state was not conceivably possible. 
  So - all I can do is apologize for not being able to report a valuable resolution and give a few little tidbits.
  The net result is this - DO WHAT YOU CAN TO AVOID THE SITUATION IN THE FIRST PLACE.  Once your CA is in place, LEAVE IT THE $%@& ALONE!!!!  I mean... my best current advice.
  In all, the CA was uninstalled and reinstalled 4 times after my blunder and significant work was done in ADSIEdit as well as substantial manual manipulation of certificates and CAs that was well outside of my (quite considerable) scope of expertise.
  I wish I had more to offer in the world of resolution.
  With this said, I will make one more request of viewers and moderators alike:
  THIS QUESTION IS OFFICIALLY NOT ANSWERED.  IT WILL NEVER BE ANSWERED.  THE RESOLUTION IS NOT AVAILABLE TO THE MORTAL MAN.
  DO NOT MARK IT AS ANSWERED
  IF YOU MUST DO SOMETHING, DELETE THE WHOLE THREAD, BUT DO NOT BURDON PEOPLE WHO ARE LOOKING FOR REAL ANSWERS WITH THE NECESSITY OF READING THROUGH THIS.
  DO NOT MARK THIS QUESTION AS ANSWERED
  I hope this makes sense for people, and I hope people will appreciate NOT having to read this as though there is some 'resolution' contained within.

• Using iCloud as iDisk, and other questions . . .

  Friends,
  I am used to keeping my iDisk on the desktop of all my computers, so with one quick click I can get to all my stored documents. I travel a lot and keep all my work documents on the iDisk.
  The iDisk icon still shows on my 27" iMac, but no longer shows on my macbook (both running Lion).
  I know that Apple wants everyone to move to iCloud (and I still don't know what the difference is--what features iCloud has over Mobile Me), but here's what I want to do . . . can anyone help?
  1. Keep my iCloud drive on my desktop just like I do with iDisk.
  2. Still have access to "gallery" so I can host photos. As I understand it, this feature is going away with iCloud. True?
  3. I am using iCloud on all my devices (at least it's on all my devices, turned on), but the MacBook isn't syncing. So, if I remove bookmarks on my iMac, the MacBook isn't getting them.
  4. *** does iCloud offer me (of value) over MM?
  Thanks.

  Here to answer questions.....I thought WC was longer with us....good answer.
  I agree MM had the features I really liked (am was a very long time .mac member).  iCloud will only get better at least that's my dream.  I don't miss iDisk but certainly miss keychain and mail preferences sync.  I hate the thought of making a new encrypted spare image then saving the keychain on my other computers. 
  Just wait...............................I think iCloud will evolve into super sync for all Apple devices.   Thats what all Mac users yearn for (wait for OS 11.0 code name Cirrus).
  Cheers

• Fixing Fan Noise Created Keychain and Connectivity Problem

  This will kind of be long so bare with me...
  I occasionally will get the dreaded "fan running out of control/noise" scenario with my Power Mac G5 Dual 2Ghz (Mac OS 10.5.6). I usually run through the usual steps, re-set PMU switch, re-set nvram, run repairs with Disk Utility, boot up under a different startup disk, etc. Eventually something works and the fan returns to normal. This time around none of those steps worked but after 20 minutes the fan went back to normal by itself. Go figure...
  At the same time this was happening, my computer would not connect to the Internet. The router's (which is connect to a cable modem) status lights said I was connected but my computer could not automatically get the DHCP information nor could it reach the router's control panel via Safari. I have a PC also hooked up and it was connecting to Internet fine and it was able to access the router's control panel via Firefox. At this point, I was hoping the ethernet hardware was not going bad.
  Not only that, I could not access my keychain formation. When I selected any items and tried to show password, it gave me the error message about unable to access keychain item. I ran First Aid on the Keychain and it reported no problems.
  My main startup disk is running Mac OS 10.5.6. This version of the OS has been running fine for the past couple of days before all this happened. I have a second startup disk which has Mac OS 10.4.x installed. I tried to boot up with that startup disk (OS 10.4.x) and the computer was able to connect to the Internet fine. That ruled out the hardware. I booted up with the main disk (OS 10.5.6) again. Surprisingly enough I had Internet connectivity again. My keychain was almost back to normal. The only problem is that for any item I select to show password for, a pop up window appears saying "Keychain Access wants to user your confidential information stored in "xxxxx" in your keychain. Once I select the Always Allow button the information is displayed.
  So my questions are:
  1. Why did my computer "refuse" to connect to the internet in this odd manner?
  (BTW -- I am using OpenDNS with the router, could this have contributed to the connectivity issue?)
  2. Why did booting up with a different startup disk seemingly corrected the problem?
  3. In the Keychain, is there a way to apply "Always Allow" as a group instead of one by one?
  4. Is this an unforeseen side effect of updating to OS 10.5.6?
  5. Could any of this have been avoided?
  Thanks.
  Message was edited by: Carlton Chin
  Message was edited by: Carlton Chin

  FYI to all the helpful folks here (and any looking to shut their jet engine off as well): Flashing the BIOS did the trick.
  First I had to find a website with DOS OS files and put those on the USB instead of Vista.  Oldie but a goodie, but at least it booted! No other versions would.
  I had been intending to use the WinPhlash utility that Lenovo supplied with the BIOS update but since I was booting from DOS that was useless. However, I found a DOS version of it and used that instead. Boom baby!  Flashed and rebooted. 
  It did take two boots to get it back to normal (first one gave very alarming messages about no operating system being found but I think it was just a remnant of the reboot that was triggered from the DOS session).  A second boot returned life to normal and blissful silence from the server.  And I was finally able to get the model and serial number back in there to get rid of the bootup message it throws for that too.
  Ahhhhhhh. 
  Thanks to all for the hints - I believe I had gotten the idea of flashing the BIOS to solve this from some other thread I found here.  This is a very nice forum to have bookmarked.  

• Digital signature and certificates on Mail

  Hello All,
  I'm new using mac and i have a token with my digital certificate. So i wanna know:
  How can i use subscribe or use a digital signature on Mail. How can i use my certificate to sign the message.
  Thanks,
  Altemir Pacheco

  Altemir ... It's important that the certificate has been created for the e-mail address you want to use as sender e-mail. Your certificate needs to be imported into keychain. Keychain only accepts certificates in a number of formats, among them .p12. You can import in a number of ways, you can for example drop your .p12 file (the certificate) on the keychain icon. Then open keychain and check whether the certificate is visible under "my certificates". It has to appear there and it has to show as "valid" and not as "expired". Control-click on the certificate and set-up a new preferred identity for your e-mail address (I am not sure whether this step actually does any difference but give it a try). Close mail.app and restart mail.app. When you now create a new e-mail and you choose as sender e-mail the e-mail address for which you have the certificate then you should see on the right side, just below the subject line a little symbol which you can click on for activating the signature for the e-mail your writing. Hope all this works.

• KeyChain and Password Security

  Could someone please explain to me the answer to this conundrum? If I secure a file with a password, I am asked whether I want to add it to my KeyChain. If I do so, the file can be opened in the ordinary way by double-clicking on it. So what is the point of the password?
  A related question is that I am also asked (and even recommended) to provide a password hint. What is the purpose of that?
  Thank you, Mac experts, in anticipation of an elucidation of these mysteries.

  You are right. I should be the only who has access to the passwords. But I am not. I am the only person in my house who uses my computer, so I do not log out when I shut it down. The consequence is that if a burglar were to break in, or a dinner-guest were to bring along a friend with criminal tendencies, that person would only have to start my computer up and s/he would have access to my keychain.
  Even if I were always to log out when shutting down, logging back in only requires a single password, which may or may not be easily guessed.
  It is quite clear that, as dwbrecovery said earlier in this string, I should not add the passwords of password-protected confidential documents to my keychain, and I have removed the one for the document I was concerned about from my keychain.

• Does Anybody know how to keep the license files and Certificates in ISE-3315 During the upgrade.

  Hi,
  I have two ISE-3315 Appliances in production network.
  I need someone's help to explain, how to make the Secondary node as the primary admin note to reset-config.
  And then I would like to know how to keep the license files and Certificate during the Upgrade.
  Please help me to answer my questions.
  Thanks
  CSCO11872447

  The Cisco Identity Services Engine (ISE) provides distributed  deployment of runtime services with centralized configuration and  management. Multiple nodes can be deployed together in a distributed  fashion to support failover.
  If you register a  secondary Monitoring ISE node, it is recommended that you first back up  the primary Monitoring ISE node and then restore the data to the new  secondary Monitoring ISE node. This ensures that the history of the  primary Monitoring ISE node is in sync with the new secondary node as  new changes are replicated.
  Please  Check the below configuration guide for Secondary ISE- Nodes.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.pdf

• How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

  Hi Team,
  We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
  Thanks

  I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
  Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
  Hope this helps!
  Thank you for rating helpful posts! 

• Transfer posting and Certificate of Analysis (BWUL)

  Moderator note:  I broke this off from discussion Transfer posting and Certificate of Analysis (BWUL)
  Please refer to the discussion for any background.
  This has been an interesting thread, and it's circling around the issue I am having, but I can't tell if this thread answers my question or not.  I'll ask here so as not to proliferate duplicate threads:
  I am in an environment where the business produces and tests finished goods in satellite plants and then moves them to a central DC via STO.  When I try to create COAs from the central DC, the COA program cannot find the results or specifications.
  I had the idea to change the profile to look at the production chain (thinking the batch in the production plant was part of the production chain of the identical batch in the DC).  When I did this, the program could not find the correct specifications.  I have been messing with the configuration around the results and specification origins with no success.
  I feel like this should be possible, but I can't figure out what I am missing.  Is SAP able to create a COA from a central DC for a material/batch that was produced in a satellite plant and sent via STO?
  Message was edited by: Craig S

  1) in the BWUL make sure in configuration setup it is set to include stock transports.
  2) You don't indicate where you maintain your specs.  In operations like this you should try to be reporting specs and results from the batch.  But I'm guessing you might be keeping the spec in the inspection plans only.
  3) in the COA profile, you can create your own custom FM for "results origin" and for "results specs".  You may need to create them if you keep your specs in the plans and not in the batch records.
  Craig