
Using keychain access – Apple Mac OS X v10.4 User Manual

Page 9


Chapter 2

Setting Up Your Smart Card


Using Keychain Access

You must set up Keychain Access to work with your organization’s policy. There are two
common methods for verifying the validity of a certificate: Online Certificate Status
Protocol (OCSP) and Certificate Revocation List (CRL). Information about the status of
certificates is stored on a revocation server. The Mac OS X security system can check
with the revocation server to validate the certificate.

Here is an explanation of the settings available:

• Off: No revocation checking is performed.
• Best Attempt: The certificate passes unless the server returns an indication that the certificate is bad. A server that cannot be reached does not count against the certificate, so this setting fails open.
• Require if Cert Indicates: If the certificate includes the URL of a revocation server, this setting requires a successful connection to that server and no indication of a bad certificate. A certificate that includes no such URL is not subject to the requirement.
• Require for All Certs: This setting requires successful validation of every certificate, so a certificate is rejected whenever no revocation server can be reached. It is most useful in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder.
• Priority: Determines which method (OCSP or CRL) is attempted first. If the first method returns a successful validation, the second method is not attempted.

Check with your network administrator for the settings required by your organization.
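To make the five settings concrete, here is an added example in Go that is not part of Apple's manual or of Mac OS X. It models the settings as a decision function and exercises it against a certificate authority, a user certificate and a CRL constructed in memory with Go's standard crypto/x509 package. The names Decide, Fetcher, ServeCRL, AllDown and build, the serial numbers, and the example.test URLs are assumptions of this example; the OCSP responder is simulated (the Go standard library has no OCSP client), while the CRL path parses a real CRL and checks that the issuing CA signed it. Nothing here touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Mode int   // one of the four OCSP/CRL settings in the Keychain Access Certificates pane
type Status int // one revocation source's answer about one certificate

const (
	Off Mode = iota
	BestAttempt
	RequireIfCertIndicates
	RequireForAll
)
const (
	Good Status = iota
	Revoked     // the source positively reports the certificate as bad
	Unreachable // no server could be contacted: the case the four modes disagree on
)

type Fetcher func(method string, leaf *x509.Certificate) Status // queries "OCSP" or "CRL" for leaf

// indicates reports whether the certificate names a server for the method (AIA OCSP URI or CRL distribution point).
func indicates(method string, leaf *x509.Certificate) bool {
	return (method == "OCSP" && len(leaf.OCSPServer) > 0) || (method == "CRL" && len(leaf.CRLDistributionPoints) > 0)
}

// Decide applies the manual's policy table; first is the Priority setting ("OCSP" or "CRL").
func Decide(mode Mode, first string, leaf *x509.Certificate, fetch Fetcher) error {
	if mode == Off {
		return nil // no revocation checking at all
	}
	second := map[string]string{"OCSP": "CRL", "CRL": "OCSP"}[first]
	for _, method := range []string{first, second} {
		if !indicates(method, leaf) {
			continue // the certificate names no server for this method
		}
		switch fetch(method, leaf) {
		case Revoked:
			return fmt.Errorf("%s reports serial %d as revoked", method, leaf.SerialNumber)
		case Good:
			return nil // a successful validation ends the search; the other method is not attempted
		} // Unreachable: try the other method before deciding
	}
	// No server answered: Best Attempt fails open, the Require modes fail closed.
	if mode == RequireForAll || (mode == RequireIfCertIndicates && (indicates("OCSP", leaf) || indicates("CRL", leaf))) {
		return errors.New("revocation status is required but no server could be reached")
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// build makes a throwaway CA, a leaf it issued naming placeholder example.test servers, and a CRL signed by the CA that revokes that leaf.
func build() (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}} // crlSign is required to sign a CRL
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER)
	must(err)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "smartcard-user"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		OCSPServer: []string{"http://ocsp.example.test"}, CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, ca, caKey)
	must(err)
	crl, err = x509.ParseRevocationList(crlDER)
	must(err)
	return ca, leaf, crl
}

// ServeCRL returns a Fetcher whose OCSP responder is down but whose CRL is available.
func ServeCRL(ca *x509.Certificate, crl *x509.RevocationList) Fetcher {
	return func(method string, leaf *x509.Certificate) Status {
		if method != "CRL" || crl.CheckSignatureFrom(ca) != nil {
			return Unreachable // a CRL the issuer did not sign is no answer either
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return Revoked
			}
		}
		return Good
	}
}

func AllDown(string, *x509.Certificate) Status { return Unreachable } // neither server reachable
```

With the servers down, Decide(BestAttempt, "OCSP", leaf, AllDown) returns nil (the certificate passes) while Decide(RequireIfCertIndicates, "OCSP", leaf, AllDown) returns an error, because this certificate names servers that could not be reached; a certificate with no URLs would pass under Require if Cert Indicates but still fail under Require for All Certs. The CRL signature check matters: a CRL that the trusted issuer did not sign is treated as no answer rather than as a clean bill of health, so under Best Attempt it silently passes and under the Require settings it fails closed.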

To set certificate validation in Keychain Access preferences:

1 Open Keychain Access, located in the Utilities folder in the Applications folder.
2 Choose Keychain Access menu > Preferences.
3 Click Certificates.
4 Choose settings from the Online Certificate Status Protocol (OCSP) and the Certificate Revocation List (CRL) pop-up menus to match the requirements of your organization's policy. If there is no policy in place, it often works well to choose Best Attempt from the OCSP and CRL pop-up menus; keep in mind that Best Attempt lets a certificate pass when the revocation server cannot be reached.

If you are a U.S. Federal Government Department of Defense user, you need to add the
X509Certificates keychain to your keychain list in Keychain Access.

To install the X.509 Certificates in Keychain Access:

1 Open Keychain Access, located in the Utilities folder in the Applications folder.
2 Choose Edit menu > Keychain List.
3 Click Add (+), and then select X509Certificates, located in /System/Library/Keychains/.
4 Click Open.