In this advanced article, learn how Keychain Access can be configured to search directory service nodes for published certificates in Mac OS X v10.6 and later. If your organization uses digital certificates for email signing or encryption, and publishes user certificates to a directory repository such as Active Directory or Open Directory, you can use this feature for automatic lookups of email recipient certificates.
Note: This feature requires:
- Your Mac must already be configured to use a directory service such as Open Directory.
- You must have the CA signing certificate trusted in either your login keychain or the System keychain.
- You must have a valid user certificate with proper key usage attributes for message signing and message encryption.

Follow these steps to configure Keychain Access to search directory service nodes:
- Open Keychain Access (located in /Applications/Utilities).
- Choose Preferences from the Keychain Access menu.
- In the General tab, enable "Search Directory Services For Certificates."

Learn more
You can verify that a configured directory services node is being consulted for certificates in a variety of ways, including these:
- Open Keychain Access and search on the email address of an intended recipient.
- Open Mail and address a new message to a recipient in your organization who meets these criteria:
	- The recipient has a digital certificate issued to them.
	- The recipient's certificate(s) are published in your organization's directory service.
	- The recipient's certificate(s) are not already installed in your keychain.
  In the message composition window, if the lock icon is available (not "grayed out"), the directory service is being queried properly. Click the lock icon to encrypt the message.
- Open Terminal and execute this command:

	security find-certificate -e "(recipient-email-address)"
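As an added example (not part of Apple's article), the following shell script extends the Terminal check above: it looks up the recipient's certificate by email address, verifies the chain under the S/MIME policy, and confirms that the Key Usage extension permits encryption. It assumes macOS with the security and openssl command-line tools; the function names and exit codes are the example's own.

```shell
#!/bin/sh
# Added example, not from the Apple article. Assumes macOS with the
# `security` and `openssl` tools; function names and exit codes are ours.

# Return 0 if the "X509v3 Key Usage" block on stdin (as printed by
# `openssl x509 -text`) lists the usage named in $1, e.g. "Key Encipherment".
has_key_usage() {
    awk '/X509v3 Key Usage/ { getline; print }' | grep -q "$1"
}

# check_recipient_cert EMAIL
# Exit codes: 0 usable certificate found; 1 no certificate found (directory
# lookup not working, or the recipient has none); 2 certificate found but not
# usable for S/MIME encryption; 3 `security` tool not present (not macOS).
check_recipient_cert() {
    email=$1
    command -v security >/dev/null 2>&1 || return 3
    tmp=$(mktemp) || return 3
    # -e looks up by email address, -p prints PEM. With "Search Directory
    # Services For Certificates" enabled, the configured node is consulted too.
    security find-certificate -e "$email" -p > "$tmp" 2>/dev/null || true
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp"; then
        rm -f "$tmp"; echo "no certificate found for $email" >&2; return 1
    fi
    # The chain must verify under the S/MIME policy, which requires the CA
    # signing certificate to be trusted in the login or System keychain.
    if ! security verify-cert -c "$tmp" -p smime >/dev/null 2>&1; then
        rm -f "$tmp"; echo "certificate for $email fails S/MIME verification" >&2; return 2
    fi
    # Encrypting mail to the recipient needs Key Encipherment in Key Usage.
    if ! openssl x509 -in "$tmp" -noout -text | has_key_usage 'Key Encipherment'; then
        rm -f "$tmp"; echo "certificate for $email lacks Key Encipherment" >&2; return 2
    fi
    openssl x509 -in "$tmp" -noout -subject -enddate
    rm -f "$tmp"
    return 0
}
```

Run it as `check_recipient_cert someone@example.com` and inspect the exit code; a result of 1 for a recipient known to have a published certificate means the directory lookup is not working.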