Quarter Life Crisis

The world according to Sven-S. Porst

« DocumentsMainReads »


439 words

This is actually mentioned in the help for Apple's Mail program but I can't find it anymore and nobody in their right mind would look there for advanced information anyway...

The danger with system upgrades is that they break things. They won't break the whole system but the behaviour of the system will change more or less subtly here and there, things start to behave strangely and look broken this way. OS X.3 is no exception there. My dad checks his work e-mail via an SSL encrypted POP3 connection. This used to work just fine in X.2. In X.3, however, Mail would complain about the certificate used by the mail server.

Apparently, they had generated that certificate themselves and it wasn't signed by an 'authority', so Mail considers it invalid. While this may be a good idea security-wise, having Mail come up with a dialogue asking what to do about that certificate every time the application is launched isn't nice. It will look like a blatantly bad idea if the person using that computer is absolutely allergic to changes that make it harder to use.

Thus, I saw myself going to the net and find information about that strange 'X509' keychain thing, obscure terminal commands and learning enough about certificates to actually extract the mail server's certificate from Mail. Ugh. No fun. But then I stumbled across that section in Mail's help:

Icon for certificate Whenever you're presented with a window asking things about a certificate and that is capable of displaying the certificate's information there will be an icon displayed for the certificate. This isn't just for decoration but it is in fact draggable. Dragging it to the desktop will give you a text clipping containing the information displayed in the window. Holding option and dragging it to the desktop will create a '.cer' machine readable file containing the certificate.

It can be double clicked in the Finder and be imported into the keychain that way. If you're lucky, the keychain application will give you the option to add the certificate to the 'X509' keychain after entering your administrator password. Once you've done this you won't be bothered again.

The caveat in the previous paragraph was 'if you're lucky'. Somehow this option isn't given for all certificates. E.g. when trying to use an SSL encrypted POP connection with the GMX web mail service the option isn't available. I don't understand why this happens, but it does. Also, I wonder whether the same technique could in theory by used by Safari to permanently trust web site whose certificates can't be verified by the program. More information on this topic will be appreciated.

November 11, 2003, 11:42


Trackback “Certifiable” from freeform goodness:

As unfashionable as it is to suggest a public sector solution to a problem that is (allegedly) being handled by the private sector, I think that personal certificates, at least, are something that governments, particularly at the state or province leve…

November 12, 2003, 17:33


Comment by Tom Insam: User icon

I get very similar behaviour, as I get my mail over encrypted IMAP. Except that as I drag the cert out, Mail.app freezes, and I have to force-quit it. Great.

November 11, 2003, 16:01

Comment by ssp: User icon

Tom: That sounds unfortunate. I don’t know about an ssl imap server, so I couldn’t check that one. All I can say is ‘works for me using POP’. Not much help, I guess.

November 13, 2003, 0:38

Comment by Michael Hall: User icon

The lockup happens if you try to drag the certificate icon upon opening Mail.app. To stop the lockup, you’ve got to click “Cancel” at the certificate challenge, then bring the IMAP account online from within Mail.app proper. Then you can “Show Certificate” at the certificate challenge and it’ll act as it should, draggable and all.

September 25, 2004, 8:50

Add your comment

« DocumentsMainReads »

Comments on




This page

Out & About

pinboard Links