
Root Certificate Issue


suppe...@officeformac.com

Nov 21, 2008, 7:37:41 PM11/21/08
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel

I am aware of the leopard x509 thing. I added it to my keychain but I still can't connect to the corporate network msn network. I think that I need to actually obtain the certificate to be installed to the x509 keychain. The problem with that is that IT refuses to provide any support because I am on a mac. So I am wondering if there is anyway that I can get the certificate from the PC that also sits on my desk and can sign in just fine.

suppe...@officeformac.com

Nov 21, 2008, 7:55:59 PM11/21/08
I found this as I was doing more searching.

<http://[Name of the Server which hosts your Certification Authority]/certsrv>

So I went there and I was able to download a certificate. I installed it to the x509 keychain first, then the system, then the login. None of it worked. I get the same error about not having a certificate. I also get an error when I open entourage saying it can't make a secure connection which was also not solved by adding the certificate.

n1ck...@officeformac.com

Nov 26, 2008, 12:30:41 PM11/26/08

Had similar issues. After installing the X509Anchor keyring so that you can access it, you'll need to do the following

Access http://<your_organization's_CA_FQDN>/certsrv/ and log in with your username and password. On the first screen that comes up, click on the link at the top to download the CA chain for that authority. Save the certnew.cer into a directory you're familiar with.

Open up your Keychain Access and then open the X509Anchors section. Select Import from the menu at the top and point it to certnew.cer. You'll be prompted that it will accept this cert and ALL certs provided by this CA. Tell it OK.

Once that's done, you should trust that CA and all of its certs.

Regarding your e-mail, it's common for the e-mail server to have a cert that is the public name. E.g., if your mailserver is MAILSERVER01.mydomain.com internally, but you access webmail by going to <http://mail.mycompany.com>, then put in 'mail.mycompany.com' as the server in Entourage and it should stop that error message.

Good luck!

n1ck...@officeformac.com

Nov 26, 2008, 1:11:25 PM11/26/08

Lastly, I should mention that these instructions will only work if you're talking about a cert that was issued by an internal CA running on a Windows AD network. If you have a cert that was provided by a third party (VeriSign, Thawte, GoDaddy, etc.) then you wouldn't need to import the cert into the X509Anchors keychain.

You may also want to ensure that the IT department has properly created the certificate that is assigned to your OCS / LCS installation. If they set it to the machine name instead of the pool name, you'll need to tell your client to use the machine name to connect as opposed to the pool name or you'll get a certificate mismatch error as well.

E.g., in our environment, we have lcspool1.ourinternaldomain.com, and the servername is server-ocsfe1.ourinternaldomain.com. Our TLS cert is configured for the pool name (as it should be) and so we tell our clients to connect using lcspool1.ourinternaldomain.com. If the TLS cert was for ocsfe1.ourinternaldomain.com, we would need to set that as the server name for the client to ensure that the cert matches what we're connecting to.
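The name-mismatch check described in the post above, as an added example that is not from this thread: the matching logic a TLS client applies when it compares the name it connected to against the names in the server's certificate. The certificate dictionary is constructed to mirror the shape of Python's `ssl.SSLSocket.getpeercert()` output and uses the post's hypothetical pool and server names; it also handles the one-label wildcard case the post does not mention.

```python
# Constructed stand-in for ssl.SSLSocket.getpeercert() output for a cert issued
# to the OCS/LCS pool name (hypothetical names taken from the post).
POOL_CERT = {
    "subject": ((("commonName", "lcspool1.ourinternaldomain.com"),),),
    "subjectAltName": (("DNS", "lcspool1.ourinternaldomain.com"),),
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' may replace only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".ourinternaldomain.com"
    head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    # The wildcard must cover exactly one non-empty label (no dots).
    return bool(head) and "." not in head


def cert_names(cert):
    """Names the cert is valid for: SAN DNS entries, falling back to the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def matches(cert, connect_name):
    """True if the name the client connected to is covered by the certificate."""
    return any(_dns_match(name, connect_name) for name in cert_names(cert))


def diagnose(cert, connect_name):
    """Explain a mismatch the way the post does: say which name the client should use."""
    if matches(cert, connect_name):
        return f"OK: {connect_name} matches the certificate"
    return (f"MISMATCH: certificate is for {', '.join(cert_names(cert))}; "
            f"configure the client to connect to that name instead of {connect_name}")


if __name__ == "__main__":
    # Connecting by pool name succeeds; connecting by the front-end server name does not.
    print(diagnose(POOL_CERT, "lcspool1.ourinternaldomain.com"))
    print(diagnose(POOL_CERT, "server-ocsfe1.ourinternaldomain.com"))
```

On a validated connection, `ssl.SSLSocket.getpeercert()` returns a dictionary of this shape, so the same functions can be pointed at a live server's certificate.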
