28
4
Using client certificates with Safari present a number of problems:
How can I fix these issues?
apinstein
Posted 2011-10-05T13:33:56.387
Reputation: 1 101
31
Safari's client certificates and related preferences are stored in Keychain Manager with a kind of certificate.
When you select a certificate to use with a web site, it stores another entry in the Keychain Manager with a kind of identity preference. Unfortunately, by default it stores it only for the exact page you were on. Both the name and location are set to the URL of the page.
To fix this, you can just edit one of the identity preference entries and change the where section to the base URL, like https://somesslsite.com/ (the trailing slash is important!). I also update the name to the same thing to prevent confusion. You can then delete all of the other identity preference entries for that site.
If you have a certificate that expired and you've had to add a new one, I would recommend that you delete the old certificate entries and all of the related identity preference entries.
To find certificate and identity preference entries, open Keychain Manager, make sure All Items is selected, and search for the partial URL and/or certificate name as appropriate. You probably don't have many, so if that doesn't work just sort the list by kind and you should be able to find them easily.
NOTE: I'm answer this myself since I figured it out but wanted to persist the knowledge for myself and others.
apinstein
Posted 2011-10-05T13:33:56.387
Reputation: 1 101
21
Partial paths and wildcards are now supported in more recent versions of OS X. So you can use the Keychain Manager to create an identity preference for an entire web site and/or domain.
Partial path example (note that the trailing slash is required!):
https://server.mydomain.com/
Wildcard example:
*.mydomain.com
Full details here (from 'man security' page):
Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The URL being visited had to match the service name exactly for the preference to be in effect.
In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using a service name with a partial path URL to match more specific paths on the same server. For example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect for "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must end with a trailing slash character.
Starting with 10.6, it is possible to specify identity preferences on a per-domain basis, by using the wildcard character
*as the leftmost component of the service name. Unlike SSL wildcards, an identity preference wildcard can match more than one subdomain. For example, an identity preference for the name*.army.milwill matchserver1.subdomain1.army.milorserver2.subdomain2.army.mil. Likewise, a preference for*.milwill match bothserver.army.milandserver.navy.mil.
DanJ
Posted 2011-10-05T13:33:56.387
Reputation: 311
The "File->New Identity Preference" menu item seems to have disappeared (as of Keychain Access 10.5). Now I can only find it in a contextual menu if I control-click on a certificate. – jhfrontz – 2020-01-29T15:01:03.217
Strange @jhfrontz... I am also running 10.5 and I still see the "File->New Identity Preference...". 4th item down under "New Keychain...". Are you sure you have a certificate selected? – DanJ – 2020-01-30T16:33:49.180
Worked for me (running Safari 7.0.1 on Mac OS X 10.9.1) – Tafkadasoh – 2013-12-19T11:07:42.597
3
I've been struggling with this myself and the above answer made me realize what was going on.
If you had a certificate for a website and it expired, what you should do is remove the old certificate. Then also remove the identity preference type items for that website. These old items are just as much expired as the certificate is. After you remove them, any new identity preference will be stored and used correctly.
So:
Then you can browse to the website, select the new certificate from the list, this will be remembered for that specific web address. Currently we are at Safari 5.1.3 and this version will not use any wildcards for preferences, you will have to add the preference for each change in web address... Hope this helps someone, just putting it out there because I didn't find any complete answer.
Chris
Posted 2011-10-05T13:33:56.387
Reputation: 31
please refer to @apinstein answer for the correct way to do it – dwery – 2013-10-10T12:50:09.850
2Unfortunately, Safari keeps asking for each sub URL... :-/ – Tafkadasoh – 2014-09-16T09:27:39.657
removed comment. DanJs answer already explains that. – Calon – 2015-09-14T13:05:16.533
1Not that you have to update the location property. Name is not sufficient. – andy – 2018-10-01T15:16:07.030