Archived - Safari, Mac OS X 10.5.3: Changes in client certificate authentication
Safari 3's handling of client certificate authentication changes in Mac OS X 10.5.3 and later.
This improves the security and reliability of client certificate-authenticated connections to servers.
- Mac OS X 10.5.2 and earlier behavior: Safari 3 automatically sends the first available client certificate in your keychain to the website.
- Mac OS X 10.5.3 and later behavior: No client certificate is sent until you have the opportunity to select the appropriate one to use for that site. You will be prompted by Safari 3 to select a client certificate at the point where the server requests client authentication. After selecting a client certificate, the decision is remembered in your keychain as an "identity preference item", and you will not be prompted again when returning to the same site.
Note: Safari may not prompt you to select a client certificate if a server is configured to optionally accept (rather than require) client authentication. In this case you can force a particular client certificate to be sent by creating an identity preference item for that server.
To manually specify a client certificate be used for a particular website:
- Open Keychain Access (in Applications/Utilities) and find your client certificate. Click the "My Certificates" category to easily see available client certificates.
- Control-click the certificate, then choose "New Identity Preference..." from the contextual menu.
- A sheet appears in the dialog. Type (or paste) the URL of the page that requires the certificate, exactly as it appears in Safari's location field (for example, "https://www.apache-ssl.org/cgi/cert-export").
Note: With Mac OS X 10.5.4 or later, you may specify a partial URL to match any page on a server (for example, "https://www.apache-ssl.org/").
- Choose the certificate from the pop-up menu, then click Add to create the identity preference. (You may need to click the "All Items" category to view the newly created item.)
To change your decision about which client certificate to use for a particular website:
- Open Keychain Access (in Applications/Utilities) and find the identity preference item for the website in question. Tip: Click the "All Items" category and enter the website name in the search field in the upper right corner.
- Open the item and select a different certificate from the pop-up menu.
As an alternative to step 2, you can delete the identity preference item from the keychain. The next time you visit the site with Safari 3 you will be prompted to select your client certificate.
Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.