About identities, About self-signed certificates, About intermediate trust – Apple Mac OS X Server (Version 10.6 Snow Leopard) User Manual
Page 61

Chapter 4
Enhancing Security
About Identities
An identity is a certificate together with its corresponding private key. The certificate
identifies the user, and the private key matches the public key in that certificate. A single
user can have several identities; each of that user's certificates can carry a different
name, email address, or issuer.
These identities serve different security contexts. For example, one identity might be
used to sign other people's certificates and another to identify the user by email; the two
do not need to be the same identity.
In the context of the Mac OS X Server Certificate Manager, identities include a signed
certificate and both keys of a PKI key pair. The identities are used by the system
keychain and are available for use by various services that support SSL.
About Self-Signed Certificates
Self-signed certificates are digitally signed by the private key corresponding to
the public key included in the certificate. This is done in place of a CA signing the
certificate. By self-signing a certificate, you’re attesting that you are who you say you
are. No trusted third party is involved.
About Intermediate Trust
If you are your own CA, and your certificates are not trusted by the default shipping
root certificates in Mac OS X, your clients can still be configured to trust your
certificates through an intermediate trust.
Trust is the ability of a client to believe the identity of a server when it connects.
A trusted server is a known server that the client can transact with securely, without
interference from outside and unknown parties.
Mac OS X clients follow X.509 trust validation when accepting certificates, meaning
they follow the chain of certificate signers back until they reach a trusted root certificate.
Mac OS X lets you specify a trusted anchor (in other words, a certificate that is not a
root CA certificate, but that you trust). A client can trust a certificate closer in the chain
of trust, or even just the submitted certificate itself. Trusting a certificate that isn’t a
shipping root anchor is intermediate trust.
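The chain walk just described, as an added example that is not part of the manual: a constructed three-certificate hierarchy (root CA, intermediate CA, server certificate; all names are made up) is validated with Go's standard crypto/x509 library against three different anchors. Anchoring at the root yields a 3-certificate chain, anchoring at the intermediate a 2-certificate chain, and anchoring at the submitted certificate itself a 1-certificate chain, which is the intermediate-trust case; this uses a generic X.509 validator rather than the Mac OS X Certificate Manager.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent/parentKey; a nil parent yields a self-signed certificate (root CA or self-signed server cert).
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the certificate's own key signs it
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainLen validates leaf against one trusted anchor (any certificate, not necessarily a shipping root) and returns the chain length, 0 on failure.
func chainLen(leaf, anchor *x509.Certificate, intermediates *x509.CertPool) int {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return 0 // no path from the leaf to the anchor: the client does not trust the server
	}
	return len(chains[0])
}

func main() {
	root, rootKey := issue("Example Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := issue("Example Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := issue("server.example.test", x509.KeyUsageDigitalSignature, inter, interKey)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	fmt.Println(chainLen(leaf, root, inters), chainLen(leaf, inter, nil), chainLen(leaf, leaf, nil)) // prints 3 2 1
}
```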
To accomplish this, trust needs to be bestowed on individual certificates rather than on
keychains (as was done previously). In v10.4, trust was given to certificates in the keychain
called "X509Anchors." The X509Anchors keychain was deprecated starting with
Mac OS X v10.5.