Mac OS X: Using Keychain Access to search directory services for certificates

Learn about using Keychain Access to search directory services for certificates.

In this advanced article, learn how Keychain Access can be configured to search directory service nodes for published certificates in Mac OS X v10.6 and later. If your organization uses digital certificates for email signing or encryption, and publishes user certificates to a directory repository such as Active Directory or Open Directory, you can use this feature for automatic lookups of email recipient certificates.

Note: This feature requires:

  • Your Mac must already be configured to use a directory service such as Open Directory.
  • You must have the CA signing certificate trusted in either your login keychain or the System keychain.
  • You must have a valid user certificate with proper key usage attributes for message signing and message encryption.

Follow these steps to configure Keychain Access to search directory service nodes:

  1. Open Keychain Access (located in /Applications/Utilities).
  2. Choose Preferences from the Keychain Access menu.
  3. In the General tab, enable "Search Directory Services For Certificates."

Learn more

You can verify that a configured directory services node is being consulted for certificates in a variety of ways, including these:

  • Open Keychain Access and search on the email address of an intended recipient.

  • Open Mail and address a new message to a recipient in your organization who meets these criteria:
    • The recipient has a digital certificate issued to them.
    • The recipient's certificate(s) are published in your organization's directory service.
    • The recipient's certificate(s) are not already installed in your keychain.
    In the message composition window, if the lock icon is available (not "grayed out"), the directory service is being queried properly. Click the lock icon to encrypt the message.

  • Open Terminal and execute this command, substituting the recipient's email address:
    security find-certificate -e "(recipient-email-address)"
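The Terminal check above only tells you whether some certificate matching the address was found. The script below is an added example, not part of Apple's article, that goes one step further: it retrieves the matching certificate(s) with the same `security find-certificate` command (PEM output via `-p`, all matches via `-a`) and then inspects the first one with `openssl` to confirm it is actually usable for encrypting mail to that address, meaning the address appears in the certificate's subjectAltName, the key usage includes Key Encipherment, and the certificate has not expired. The function and file names are the example's own; the lookup half needs macOS's `security` tool, while the inspection half works on any PEM certificate fed on standard input.

```shell
#!/bin/sh
# Added example (not Apple's code): check that a recipient's S/MIME
# certificate is discoverable through Keychain Access (local keychains plus
# directory services, when that preference is enabled) and usable for
# encryption. Function names are this example's own.

# Print, as PEM, every certificate the keychain search returns for an address.
# -a: all matches, -e: match on email address, -p: PEM output.
find_recipient_certs() {
    security find-certificate -a -e "$1" -p 2>/dev/null
}

# Read one PEM certificate from stdin and decide whether it can be used to
# encrypt mail to "$1". Prints "ok" or the reason it failed; exit status is
# 0 only when every check passes.
cert_usable_for_encryption() {
    email="$1"
    pem=$(cat)

    # Decode once; a non-certificate input fails here.
    text=$(printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null) \
        || { echo "not a certificate"; return 1; }

    # The recipient address must be bound to the certificate (subjectAltName).
    case "$text" in
        *"email:$email"*) ;;
        *) echo "address $email not in subjectAltName"; return 1 ;;
    esac

    # Encrypting to this recipient wraps a content key with the public key,
    # so keyUsage must permit key encipherment.
    case "$text" in
        *"Key Encipherment"*) ;;
        *) echo "keyUsage lacks Key Encipherment"; return 1 ;;
    esac

    # -checkend 0 exits non-zero once the notAfter date has passed.
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired"; return 1; }

    echo "ok"
    return 0
}

# End-to-end check on macOS: look the address up, then inspect the first
# certificate returned (openssl x509 reads only the first PEM block).
check_recipient() {
    find_recipient_certs "$1" | cert_usable_for_encryption "$1"
}

# Usage: sh check_recipient.sh user@example.com
if [ $# -gt 0 ]; then
    check_recipient "$1"
fi
```

If `check_recipient` prints "not a certificate" for an address you expect to resolve, the lookup itself returned nothing: re-check that "Search Directory Services For Certificates" is enabled and that the Mac is bound to the directory service. The other messages mean the directory lookup worked but the published certificate is not suitable for encryption.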