How to manage multiple certificates in the Apple Key Chain with Apple Mail in mind?

1

I would like to ask about proper management of SSL certificates in Keychain. An article on holeyn.com says:

The only time it might be useful to have multiple key-pairs (...) In this situation, you can either temporily make the old key-pair available in the keychain and then remove it, or have the old key-pair in the keychain along with the new key-pair and hope that Apple Mail will never select the wrong key for signing new emails.

So far I have only a few certificates in the keychain. So I understand that:

  • whenever someone sends me an encrypted message (meaning he has my public key) I use my private key to decrypt it. To read an email from 2 years ago I need to keep my private key, despite it may expire

  • if I have several keys in my Keychain (and just one which is not expired), Apple Mail will figure it out which key is the proper one for decrypting the message and it will use it?

  • if I have several keys in my Keychain assigned to a single address, and several are valid (as in not expired) there is no possibility of manual choosing the key.

Questions:

  1. Am I right in the above?
  2. In the case when there are several keys in my Keychain but only one is not expired, will Apple Mail use that key to encrypt my messages?

Lacek

Posted 2016-02-19T09:19:06.430

Reputation: 194

I removed the completely unrelated [tag:gnupg] tag from your question. If you consider it relevant, you should probably explain where GnuPG/OpenPGP is connected to your question. – Jens Erat – 2016-02-19T10:59:52.783

Ok thanks, actually I am not going to contest removal of that tag. It was out of place. – Lacek – 2016-02-19T11:24:46.920

Answers

0

  • whenever someone sends me an encrypted message (meaning he has my public key) I use my private key to decrypt it. To read an email from 2 years ago I need to keep my private key, despite it may expire

Indeed. The key remains usable and is still required for decryption, but expiration will indicate the key shouldn't be used for new messages any more (either others encrypting messages to you, or you signing new messages).

  • if I have several keys in my Keychain (and just one which is not expired), Apple Mail will figure it out which key is the proper one for decrypting the message and it will use it?

Yes. Apple Mail will choose the matching key for decryption, as only this can be used for this purpose. The other keys do not matter at all.

  • if I have several keys in my Keychain assigned to a single address, and several are valid (as in not expired) there is no possibility of manual choosing the key.

By default, Apple Mail will choose "some". Usually, the newest key will be chosen -- but I did not verify this for Apple Mail when I had the issue some years ago. And in fact, there are mechanics to choose one preferred key for a mail address using the New Identity Preference menu.

Jens Erat

Posted 2016-02-19T09:19:06.430

Reputation: 14 141

Asked: 2016-02-19T09:19:06.430

Viewed: 313 times

Active: 2016-02-19T12:34:05.827