Quick Start Manual

Chapter 2 Setting Up Your Smart Card 9
Using Keychain Access
You must set up Keychain Access to work with your organization's policy. There are two common methods for verifying the validity of a certificate: Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). Information about the status of certificates is stored on a revocation server. The Mac OS X security system can check with the revocation server to validate the certificate.
Here is an explanation of the settings available:
• Off: No revocation checking will be performed.
• Best Attempt: The certificate passes unless an indication of a bad certificate is returned from the server.
• Require if Cert Indicates: If the URL to the revocation server is provided in the certificate, this setting requires a successful connection to a revocation server and no indication of a bad certificate.
• Require for All Certs: This setting requires successful validation of all certificates. It is most useful in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder.
• Priority: Determines which method (OCSP or CRL) is attempted first. If the first method chosen returns a successful validation, the second method is not attempted.
Check with your network administrator for the settings required by your organization.
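The following is an added example, not text or code from this manual and not Apple's implementation: a small Python model of the four revocation-checking settings and the Priority rule described above. It makes explicit which settings still pass a certificate when the revocation server cannot be reached (Off and Best Attempt) and which refuse it (Require if Cert Indicates when the certificate carries a URL, and Require for All Certs always). The names Mode, Status, RevocationInfo, passes, validate and outcome_table, the three scenarios, and the rule for combining the two methods after the first one fails are assumptions made for the example.

```python
# Added example (not from the manual and not Apple's code): a model of the
# revocation-checking settings in Keychain Access preferences.  The class and
# function names are hypothetical; Apple's real implementation is not shown.
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    OFF = "Off"
    BEST_ATTEMPT = "Best Attempt"
    REQUIRE_IF_CERT_INDICATES = "Require if Cert Indicates"
    REQUIRE_FOR_ALL_CERTS = "Require for All Certs"


class Status(Enum):
    GOOD = "good"                # server confirmed the certificate is not revoked
    REVOKED = "revoked"          # server returned an indication of a bad certificate
    UNREACHABLE = "unreachable"  # no usable answer from the server


@dataclass(frozen=True)
class RevocationInfo:
    has_url: bool   # the certificate carries an OCSP responder / CRL URL
    status: Status  # what the server said, or that it could not be reached


def passes(mode: Mode, info: RevocationInfo) -> bool:
    """Does the certificate pass one method (OCSP or CRL) under this setting?"""
    if mode is Mode.OFF:
        return True                        # no revocation checking performed
    if info.status is Status.REVOKED:
        return False                       # a bad certificate fails in every other mode
    if mode is Mode.BEST_ATTEMPT:
        return True                        # no indication of a bad cert: pass (fail open)
    if mode is Mode.REQUIRE_IF_CERT_INDICATES:
        if not info.has_url:
            return True                    # no server named, so nothing is required
        return info.status is Status.GOOD  # URL present: a successful answer is required
    if mode is Mode.REQUIRE_FOR_ALL_CERTS:
        return info.status is Status.GOOD  # always requires a successful validation
    raise ValueError(f"unknown mode {mode!r}")


def validate(settings: dict, infos: dict, priority: str) -> bool:
    """Apply the Priority rule: try the first method; if it returns a successful
    validation the second is not attempted.  Otherwise (assumed combination
    rule) both methods must pass.  settings/infos are keyed "OCSP" and "CRL"."""
    first = priority
    second = "CRL" if priority == "OCSP" else "OCSP"
    if settings[first] is not Mode.OFF and infos[first].status is Status.GOOD:
        return True
    return passes(settings[first], infos[first]) and passes(settings[second], infos[second])


def outcome_table() -> dict:
    """Outcome of every setting against three constructed scenarios for a
    certificate that carries a revocation URL: server says good, server says
    revoked, and server unreachable."""
    scenarios = {
        "good": RevocationInfo(True, Status.GOOD),
        "revoked": RevocationInfo(True, Status.REVOKED),
        "server down": RevocationInfo(True, Status.UNREACHABLE),
    }
    return {m.value: {name: passes(m, info) for name, info in scenarios.items()}
            for m in Mode}


if __name__ == "__main__":
    for mode, row in outcome_table().items():
        print(f"{mode:28s}", {k: ("pass" if v else "FAIL") for k, v in row.items()})
```

The "server down" column is the one worth reading: Best Attempt passes a certificate whose responder is unreachable, which is why the manual reserves Require for All Certs for environments that guarantee a reachable CRL server or OCSP responder.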
To set certificate validation in Keychain Access preferences:
1 Open Keychain Access, located in the Utilities folder in the Applications folder.
2 Choose Keychain Access menu > Preferences.
3 Click Certificates.
4 Choose settings from the Online Certificate Status Protocol (OCSP) and the Certificate Revocation List (CRL) pop-up menus to match the requirements of your organization's policy. If there is no policy in place, it often works well to choose Best Attempt from the OCSP and CRL pop-up menus.
If you are a U.S. Federal Government Department of Defense user, you need to enable the X.509 Certificates in Keychain Access.
To install the X.509 Certificates in Keychain Access:
1 Open Keychain Access, located in the Utilities folder in the Applications folder.
2 Choose Edit menu > Keychain List.
3 Click Add (+), and then select X509Certificates located in /System/Library/Keychains/.
4 Click Open.