Safari and self generated ssl certificates https connections

Similar Messages

• IPhone LDAP contacts and Self signed SSL certificates

  Hi,
  I am using OpenLDAP with self signed SSL certificate, and i am unable to get SSL work with LDAP contacts on the IPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the IPhone by web, it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
  Does LDAP contacts should work by adding new CA ? if yes, what is the exact procedure to do it ? (maybe I used a wrong CA export format, or wrong SSL certificate encryption format ...)
  can someone tell me how to do it ?
  This is really anoying, since we have multiple iphones on the company.
  Thanks for the help.

  Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
  I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
  You'll want to set the following option in OpenLDAP:
  dn: cn=config
  olcAllows: bind_v2
  Walla! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.

• Use Webaccess own self generated ssl certificate

  Hi, our Webaccess external CA (Verisign) ssl certificate has expired.
  This was being used for accessing our Webaccess.
  Users get the following message pop up in their browser:
  ourwebaddress.co.uk:443 uses an invalid security certificate.
  The certificate expired on 8/30/2009 00:59
  (Error code: sec_error_expired_certificate)
  We have been asked by management that we need to use our own generated certificate as we do not have enough budget to buy an external CA.
  Would you be able to outline the steps to get the webaccess working with our own generated certificate.
  Remember we have the cluster groupwise postoffices,gwia and webaccess agents in one tree.
  In the other tree we have the webaccess application that apache handles.
  Have not done this before any step by step guidance would be helpful on this.
  Do we need to do anything also with the commgr file etc things like that.
  Regards
  Dennis

  dchitolie,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Safari and Sites with Untrusted certificates

  On my old iPhone 3GS i was able to connect to my work's wireless network by going into Safari and accepting the untrusted certificate that my company has on it's wireless log on page. But now with the iPhone 4, when it comes up with the request to confirm the certificate, Safari crashes and returns to the home screen, is this a know problem with sites like this?

  Similar for me. I try to access my work (Fed Govt) email via the web at an https address and mobile safari asks me to accept the certificate. I do, and it crashes. Worse yet, I called Apple to bring the issue to their attention, they went to 2nd or 3rd tier support and came back to me and said its "3rd party" contact them... VERY dissapointed! This same site loaded fine under iPhone OS 3x
  I even tried to export the cert from mac's keychain and installing it via the iPhone config utility. Even with the profile there, the phone does not recognize the website certificate and asks me to accept it... and it crashes yet again.

• Abandoning Self-Signed SSL Certificates?

  Hello,
  I'm working on remediation of some security flaws and have encountered a finding that calls out each of my domain-added workstations as having self signed SSL certificates.  I'm not an expert on the subject, but I do know the following things:
  1)  An earlier finding lead to me disabling all forms of SSL on my servers and workstations
  2)  Workstations use certificates to identify themselves to other domain assets.
  Now my servers all have their own certs signed by an outside authority.  However, it would be a huge amount of work to go through the process for each and every workstation.  So my questions are these:
  1)  Can I create a NON-SSL self signed cert for these machines to use?
  2)  How do I remove these current SSL certs without having to hover over each workstation?
  Basically, what's the least effort to remove self-signed SSL certs and replace them with something more secure?
  Thanks,
  M.

  What do you mean when you say that you've disabled all forms of SSL on your servers and workstations? SSL serves to provide secure communications for all of your domain operations, so disabling SSL, in general, would likely break your entire domain. If you're
  using certificates on your workstations, then you're using certificate-based security (IPSec) in some manner.
  Do you have AD CS or some other certificate signing authority/PKI in your environment? If not, you would have to pay a public provider (i.e. VeriSign) to provide certificates, and I can assure you that gets very expensive.
  If you have Microsoft servers in your environment, you can install and use Certificate Services to provide an internal signing mechanism which can be managed through group policy. You can replace all of the workstation certificates with ones signed by your
  internal certificate authority (CA,) and those will pass muster with any auditor provided the appropriate safeguards are put into place elsewhere in your environment.
  Least effort for you would be to implement an internal CA, which admittedly isn't a low-effort endeavor, and have the CA assign individual certificates to all of your machines, users, and any other assets you need to protect. If your auditors are requiring
  the removal of the self-signed certificates, you might find a way to script the removal of the certificates. In my experience, however, most auditors just want IPSec to be done with certificates that terminate somewhere other than the local workstation (i.e.
  an internal CA).

• E-Mail Setup fails with self-signed SSL certificat...

  Hi, one of my e-mails is with a small provider who just moved the mail server to Imap and SSL. In Thunderbird, everything works fine, setup on my Nokia C-6-fails with an unspecific error message (and trows away the settings). I asked the provider, and it seems that the problem comes up because the Nokia e-mail application doesn't asked me if I want to accept the certificate but instead rejects it. Is there a workaround to this problem? Is there a way to setup the mail account without using the wizard? Or to take over the settings from Thunderbird? Or a way to put the certificate in the right place manually? In Opera mobile I have no trouble with self-signed SSL certificates. Thanks Cave

  Any one around who can help? Self-Signed certificates are rather common, after all. I would be grateful cave

• I'm connected to the Wi-Fi network OK but safari and email say I'm not connected to internet

  I'm connected to the Wi-Fi network OK but safari and email say I'm not connected to internet so nothing happens.

  You may not really be connected to your WiFi network.
  Your router may not have given your iPad a valid IP address. Go to Settings > Wifi > your network name and touch the ">" to the right to see the network details. If the IP address starts with 169 or is blank then your router didn't provide an IP address and you won't be able to access the Internet.
  Sometimes the fix can be as simple as restarting your router (remove power for 30 seconds and restart). Next, reset network settings on your iPad (Settings > General > Reset > Reset network settings) and then attempt to connect. In other cases it might be necessary to update the router's firmware with the latest from the manufacturer's support web pages.
  If you need more help please give more details on your network, i.e., your router make, model and version, the wifi security being used (WEP, WPA, WPA2), etc.

• Since Updating to 10.9.5 Safari and the App Store drop internet connection periodically while other apps Mailplane and Epic Browser continue to work ?

  Hello.
  Since Updating to 10.9.5 Safari and the App Store drop internet connection periodically while other apps Mailplane and Epic Browser continue to work ?
  Never had this problem previously running a Macmini Server 2010 with the latest Mavericks Updates
  Tried reinstalling over my existing OS and seemed ok until I once again updated to the latest security and Safari updates
  Any ideas ?
  Using ethernet but wireless acts same,
  Cliff

  I also forgot to note that this problem also persists with the new iBooks application. I cannot get past the 'Get Started' screen or access the iBooks Store. Again, all top bar menus are unresponsive.
  DT

• Problem with importing and creating self signed SSL certificate

  Mac Pro, 10.7.2 Server.  Attempting to import or create a self signed certificate for use as ichat.domain.com to encrypt iChat service.  Server is acutally called server.domain.com but has an alias of ichat.domain.com.  I understand that this is probably not best practice but I would like to keep things this way since we have one server, run multiple services on it, but want to continue to connect to each service at SERVICE.domain.com.  We have been using this type of mismatched certificate with success since 10.4 or so.
  I am working through setup of 10.7 Server to replace our 10.6 server. 
  Tried upgrade of 10.6 to 10.7 installation.  The installation made a mess of some services and our Open Directory, but did move the certificate over and allowed iChat service to function properly.
  Clean install and setup of 10.7 Server.  Exported self signed certificate, private key, and encryption password from 10.6 Server and functioning 10.7 upgraded Server.
  On import or manual creation of certificate get the following error:
  Error
  Check your server's logs for more information.  The error (code 5001) was: Expected SecKeychainItemImport to return a SecIdentityRef, but it did not
  Log shows:
  Dec 29 17:56:55 server servermgrd[498]: -[CertsRequestHandler(HelperAdditions) importP12Data:passphrase:error:]: importedItems = (
                "<SecCertificate 0x7fcf6ed43c00 [0x7fff78d96f40]>"
  I have tried importing and manually creating other certificates with a variety of names with success.  I assume that there is something buried somewhere that is causing this particular one to be a problem.  Other than manually removing any remnants of the certificate from /etc/certficates I do not have any ideas what to try.  I am essentially ready to move this server to 10.7 except for this problem and would like to avoid a reinstall.
  Suggestions?
  -Erich

  Take a look here.
  https://bbs.archlinux.org/viewtopic.php?id=146649
  Maybe it's a problem with your network.

• How do I install this self-signed SSL certificate?

  I haven't been able to connect to the jabber server I've been using (phcn.de) for quite some time now, so I filed a bug report with mcabber. The friendly people there told me to install phcn.de's self-signed certificate, but I can't figure out for the life of me how to do that.
  I know I can download something resembling a certificate using
  $ gnutls-cli --print-cert -p 5223 phcn.de
  Which does give me something to work with:
  Resolving 'phcn.de'...
  Connecting to '88.198.14.54:5223'...
  - Ephemeral Diffie-Hellman parameters
  - Using prime: 768 bits
  - Secret key: 767 bits
  - Peer's public key: 767 bits
  - PKCS#3 format:
  -----BEGIN DH PARAMETERS-----
  MIHFAmEA6eZCWZ01XzfJf/01ZxILjiXJzUPpJ7OpZw++xdiQFBki0sOzrSSACTeZ
  hp0ehGqrSfqwrSbSzmoiIZ1HC859d31KIfvpwnC1f2BwAvPO+Dk2lM9F7jaIwRqM
  VqsSej2vAmAwRwrVoAX7FM4tnc2H44vH0bHF+suuy+lfGQqnox0jxNu8vgYXRURA
  GlssAgll2MK9IXHTZoRFdx90ughNICnYPBwVhUfzqfGicVviPVGuTT5aH2pwZPMW
  kzo0bT9SklI=
  -----END DH PARAMETERS-----
  - Certificate type: X.509
  - Got a certificate list of 1 certificates.
  - Certificate[0] info:
  - subject `CN=phcn.de', issuer `CN=phcn.de', RSA key 1024 bits, signed using RSA-SHA, activated `2009-05-04 08:26:21 UTC', expires `2014-04-08 08:26:21 UTC', SHA-1 fingerprint `d01bf1980777823ee7db14f8eac1c353dedb8fb7'
  -----BEGIN CERTIFICATE-----
  MIIBxzCCATCgAwIBAgIINN98WCZuMLswDQYJKoZIhvcNAQEFBQAwEjEQMA4GA1UE
  AwwHcGhjbi5kZTAeFw0wOTA1MDQwODI2MjFaFw0xNDA0MDgwODI2MjFaMBIxEDAO
  BgNVBAMMB3BoY24uZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALqS+tnB
  tNruBGdcjw0o+BWSdfkKH4T3VpS7bkrsS0q7RD5iUIao7jH2lJqTk1TrLbQe28+R
  H0X9Ya+w22iYFea2l3wkrTnBfgdSZbRhpSxgVvC2QEBMoSrEQoRpo5lzXadRlob/
  RQ+rhu/cWCNeiRJzfkmNirPVEciGKQHrwKxxAgMBAAGjJjAkMCIGA1UdEQQbMBmg
  FwYIKwYBBQUHCAWgCwwJKi5waGNuLmRlMA0GCSqGSIb3DQEBBQUAA4GBALFBalfI
  oESZY+UyVwOilQIF8mmYhGSFtreEcUsIQvG1+cgD16glKehx+OcWvJNwf8P6cFvH
  7yiq/fhMVsjnxrfW5Hwagth04/IsuOtIQQZ1B2hnzNezlnntyvaXBMecTIkU7hgl
  zYK97m28p07SrLX5r2A2ODfmYGbp4RD0XkAC
  -----END CERTIFICATE-----
  - The hostname in the certificate matches 'phcn.de'.
  - Peer's certificate issuer is unknown
  - Peer's certificate is NOT trusted
  - Version: TLS1.0
  - Key Exchange: DHE-RSA
  - Cipher: AES-128-CBC
  - MAC: SHA1
  - Compression: NULL
  - Handshake was completed
  - Simple Client Mode:
  Unfortunately, the above command spits out more than a certificate. Do I need the additional information? If so, what do I need it for? Where do I need to put the certificate file?

  Hi,
  I recently found out a way how to install test or self-signed certificates and use it with S1SE.
  See:
  http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
  Follow the instructions there
  1. Create CA
  2. Create root ca certificate
  Now install the root-ca-certificate in S1SE -> Security>Certificate Management and Install a "Trusted Certificate Authority".
  Paste the contents of the file: cacert.pem into the message-text box.
  Then restart the server. Now your CA-Cert should be visible in the Manage Certificates menu.
  The next step is to send a certificate-request from S1SE to your e-mail-address.
  The contents of the e-mail the server sends to you (certificate request) must be pasted into the file: newreq.pem.
  Now just sign the Request:
  CA.pl -sign
  The last step is that you have to paste the contents of the file newcert.pem into the message-box of the Security>Certificate Management - now under the option Certificate for "This Server".
  Then you have to reboot the server/instance again and it should work with your certificate.
  Regards,
  Dominic

• DSEE 6.3.1 and 2048-bit SSL certificates

  Related to my previous post, I'm standing up a new 6.3.1 proxy server and directory server instance that are being added to my existing environment. We use GoDaddy for SSL certificates and they require 2048-bit CSRs, which cannot be generated with 6.3.1 software. That being the case I generated the CSR for each host using openssl with the command:
  openssl req -new -newkey rsa:2048 -nodes -out ldp05_domain_com.csr -keyout ldp05_domain_com.key -subj "/C=us/ST=Massachusetts/L=Cambridge/O=My Corp/OU=Network Operations/CN=ldp05.domain.com"I then took the CSR and received a new signed 2048-bit cert from GoDaddy. I added the GoDaddy root bundle certs into my CA cert chain and then attempted to add the server cert.
  On the directory server I have the problem:
  # dsadm add-cert /usr/local/ds/domain/ ldp05.domain.com /tmp/ldp05.domain.com.crt
  Unable to find private key for this certificate.
  Failed to add the certificate.I get the same error when attempting to add the certificate through DSCC.
  I have a different problem with the 2048-bit certificate on the proxy server. I added the CA cert and that was fine. However, when I add the server cert, it shows up in the CA cert chain.
  # dpadm add-cert /usr/local/dps/domain/ dps05.domain.com /tmp/dps05.domain.com.crt
  # dpadm list-certs /usr/local/dps/domain/
  Alias             Valid from       Expires on       Self-signed? Issued by                          Issued to    
  defaultservercert 2011/02/25 10:08 2013/02/24 10:08 y            CN=dps05.domain.com:389 Same as issuer
  1 certificate found.
  # dpadm list-certs -C /usr/local/dps/domain/|grep dps05
  dps05.domain.com     2011/02/25 11:43 2014/02/25 11:43 n         SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps05.domain.com, OU=Domain Control Validated, O=dps05.domain.comHas anyone successfully added 2048-bit CA signed certificates to both DPS and DS instances? Is there a limitation on the size of a certificate that can be imported as a non CA cert in directory proxy server 6.3.1?

  Sadly after opening a case with Oracle support I was told that the hotfix wasn't built for Linux (which I'm running) and would take 1-2 weeks to complete. I have managed to solve 99% of the issue on my DPS host thus far and have only one remaining issue which is upon adding the cert.
  In order to generate the 2048-bit CSR I had to run the following:
  # cd /usr/local/dps/domain/alias
  # modutil -changepw "NSS Certificate DB" -dbdir .
  # certutil -R -s "CN=dps05.domain.com,OU=Network Operations,O=My Corp,L=City,ST=State,C=US" -o /tmp/dps05.domain.com.csr -d /usr/local/dps/domain/alias -a -g 2048For reference, running the dpadm command to set the cert db password didn't work.
  # dpadm stop /usr/local/dps/domain
  # dpadm get-flags /usr/local/dps/domain
  # dpadm set-flags /usr/local/dps/domain/ cert-pwd-prompt=onOnce I had the properly sized CSR I had the cert issued and attempted to add the root certs to the CA chain and the server cert to the server certificates:
  # dpadm add-cert /usr/local/dps/domain gd-root-bundle gd_bundle.crt
  # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
  - This shows the Go Daddy root cert bundle in the CA cert chain
  # dpadm add-cert /usr/local/dps/domain dps05.domain.com dps05.domain.com.crt
  # dpadm list-certs /usr/local/dps/domain
  - Shows only the defaultservercert
  # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
  - The server cert now shows up in the CA chain.Does anyone have any idea how I can properly add the new cert to the server cert list so it can be used by the server?

• DSEE7 - DPS and CA-signed SSL certificates

  I recently deployed two new DSEE7 DPS servers and last night was attempting to install CA-signed (GoDaddy) SSL certificates on them. I used dpadm to generate the required 2048-bit CSR and received my certificates. I added them to the servers using the DSCC interface and after adding them and restarting the instance the certs were not showing up. I thought perhaps the operation had failed so I tried again and saw that the alias already existed. I then noticed that the certificate was listed under the CA certificates. I deleted it from there and imported the cert using dpadm add-cert, only to have the same thing happen again.
  dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt
  # dpadm list-certs /usr/local/dps/instance
  0 certificate found.
  # dpadm list-certs -C /usr/local/dps/instance | grep dps03
  dps03.prod.domain.com     2010/01/19 11:08 2013/01/19 11:08 n         SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps03.prod.domain.com, OU=Domain Control Validated, O=dps03.prod.domain.comI have installed SSL certificates from GoDaddy on all my other production DS and DSEE systems (6.3.1) without issue, including their intermediate and root certificates to complete the trust chain.
  Does anyone have any insight into what the issue might be and how to correct it?

  Hi,
  Have you used the same alias in both case ? . i.e
  dpadm request-cert [options] /usr/local/dps/instance dps03.prod.domain.com
  then
  dpadm add-cert /usr/local/dps/instance/ dps03.prod.domain.com /tmp/dps03.prod.domain.com.crt

• Ipad2 connection to wifi but safari and some other apps won't connect  just started to hapen.  i reset wifi but to no avail

  connects to wifi, but safari and some others say not connected.  weather ap works fine.  this condition just started.  i reset the wifi and restarted, but still doesnt work

  Look at iOS Troubleshooting Wi-Fi networks and connections  http://support.apple.com/kb/TS1398
  iPad: Issues connecting to Wi-Fi networks  http://support.apple.com/kb/ts3304
  WiFi Connecting/Troubleshooting
  http://www.apple.com/support/ipad/wifi/
  iOS: Recommended settings for Wi-Fi routers and access points  http://support.apple.com/kb/HT4199
  Additional things to try.
  Try this first. Turn Off your iPad. Then turn Off (disconnect power cord for 30 seconds or longer) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
  Go to Settings>Wi-Fi and turn Off. Then while at Settings>Wi-Fi, turn back On and chose a Network.
  Change the channel on your wireless router (Auto or Channel 6 is best). Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-netw ork.html
  Another thing to try - Go into your router security settings and change from WEP to WPA with AES.
  How to Quickly Fix iPad 3 Wi-Fi Reception Problems
  http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
  If none of the above suggestions work, look at this link.
  iPad Wi-Fi Problems: Comprehensive List of Fixes
  http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
  Fix iPad Wifi Connection and Signal Issues  http://www.youtube.com/watch?v=uwWtIG5jUxE
  Fix Slow WiFi Issue https://discussions.apple.com/thread/2398063?start=60&tstart=0
  Unable to Connect After iOS Update - saw this solution on another post.
  https://discussions.apple.com/thread/4010130
  Note - When troubleshooting wifi connection problems, don't hold your iPad by hand. There have been a few reports that holding the iPad by hand, seems to attenuate the wifi signal.
  ~~~~~~~~~~~~~~~
  If any of the above solutions work, please post back what solved your problem. It will help others with the same problem.
   Cheers, Tom

• Extend self-signed SSL certificate beyond one year

  Hi all,
  How can I extend SSL Certificate created by Windows 2008 R2's Certificate Service beyond 1 year?
  Thanks.

  Hi,
  For self-signed certificate, you can use IIS Manager to create new one. For more detailed steps, please refer to the below steps.
  Create a Self-Signed Server Certificate in IIS 7
  http://technet.microsoft.com/library/cc753127(WS.10)
  If it’s a certificate issued by a CA, we just need to renew the certificate with the CA to extend the valid date.
  Best Regards,
  Aiden
  Aiden Cao
  TechNet Community Support

• Mail.app: Self-Signed SSL Certificates

  How can I make mail trust self signed mail certificates FOREVER? As it is now, I have to tell Mail.app to always trust the cert for each email account, every time I launch mail. Then it remembers to trust it until I quit mail, then I have to re-tell it all over again. This is bearable on my desktop but on my laptop, where I need SSL the most, I'm constantly logging in and out and rebooting, and it drives me crazy.
  FYI it's my own server, running Mac OS X Server. And I'm not buying a certificate, it's the encryption I'm after

  First, the certificate must match the name Incoming Mail Server that your clients are using. For example 'mail.acme.com'. So, when creating the self-signed certificate, the common name that you enter would be 'mail.acme.com'. If you don't do this, you will always be prompted about the certificate when you relaunch Apple mail.
  Just for clarification, here is how you should trust the self-signed certificate on the Macs that are using Apple Mail:
  1. When you get the prompt about the certificate, click the show certificate button.
  2. Drag the icon of the Certificate on the left in the Show Certificate dialog box to the desktop. This will create a document on your desktop named 'mail.acme.com.cer'.
  3. Double click the certificate on the desktop which will open an Add Certificate dialog box.
  4. Depending on the version of Mac OS X that you are running, what you do next will vary a little.
  Leopard
  1. Click the drop down next to keychain and select System
  2. Open Keychain Access (Applications/Utilities) if it is not already open
  3. Click System on left hand side under Keychains
  4. Locate the 'mail.acme.com' certificate on the right and double-click it to open it. (NOTE: I had to quit Keychain Access and reopen it before the certificate showed up under System for me for some odd reason)
  5. Click the gray triangle next to Trust to expand the Trust section of the Certificate.
  6. Select Always Trust from the drop down next to 'When using this certificate'
  7. Close the certificate window and then quit out of Keychain Access
  8. Click the continue button back in Apple Mail if the Certificate dialog is still present.
  9. Quit out of Apple Mail and the relaunch it again. This time you should not see the certificate dialog alert.
  Tiger
  1. Click the drop down next to keychain and select X509Anchors
  2. Open Keychain Access (Applications/Utilities) if it is not already open
  3. Click System on left hand side under Keychains
  4. Locate the 'mail.acme.com' certificate on the right and double-click it to open it.
  5. Click the gray triangle next to Trust to expand the Trust section of the Certificate.
  6. Select Always Trust Settings from the drop down next to 'When using this certificate'
  7. Close the certificate window and then quit out of Keychain Access
  8. Click the continue button back in Apple Mail if the Certificate dialog is still present.
  9. Quit out of Apple Mail and the relaunch it again. This time you should not see the certificate dialog alert.
  This worked for me. I hope this works for you too.