OS X Mountain Lion: Certificate trust policies
Certificates are widely used to secure electronic information. For example, a certificate might allow you to sign email, encrypt a document, connect to a secure network, or identify yourself on Messages. Each type of use is governed by a trust policy, which determines whether a certificate is valid for that use. A certificate may be valid for some uses but not for others.
OS X uses a number of trust policies to determine whether a certificate is trusted. You can choose a different policy for each certificate, giving you finer control over how certificates are evaluated.
| TRUST POLICY | EXPLANATION |
|---|---|
| Use System Defaults or no value specified | Use the default setting for the certificate. |
| Always Trust | You trust the author and want to always allow access to the server or app. |
| Never Trust | You don’t trust the author and don’t want to allow access to the server or app. |
| Secure Sockets Layer (SSL) | The name in a server’s certificate must match its DNS host name to successfully establish a connection. The host name check is not performed for SSL client certificates. If there is an extended key usage field, it must contain an appropriate value. |
| Secure Mail (S/MIME) | When signing or encrypting an email message, the user’s email address must be listed in the certificate and key usage fields must be included. |
| Extensible Authentication Protocol (EAP) | When connecting to a network that requires 802.1X authentication, the name in the server’s certificate must match its DNS host name. The host name check is not performed for client certificates. If an extended key usage field is present, it must contain an appropriate value. |
| IP Security (IPsec) | When certificates are used to secure IP communications (for example, in establishing a VPN connection), the name in the server’s certificate must match its DNS host name. The host name check is not performed for client certificates. If an extended key usage field is present, it must contain an appropriate value. |
| Messages Security | The certificate must contain key usage settings that allow it to be used for Messages. |
| Kerberos Client | This policy determines whether the certificate can be used to identify a user to a Kerberos server. |
| Kerberos Server | This policy determines whether a Kerberos server can use the certificate to identify itself to the system. |
| Code Signing | The certificate must contain key usage settings that explicitly permit it to sign code. |
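The following is an added illustration, not Apple's code, of how per-use trust policies like those in the table can make one certificate valid for some uses and not others. It models a certificate as a small dataclass holding only the fields the table's rules look at (names, email addresses, key usage, extended key usage) and evaluates it against the SSL, EAP, IPsec, S/MIME and Code Signing policies. The mapping of each policy to a required extended key usage OID, the wildcard rules in the host name match, and the reading of "explicitly permit" for code signing as "the EKU extension must be present" are this example's assumptions.

```python
"""Per-use certificate trust policy evaluation (constructed illustration).

A certificate is modelled as a plain dataclass holding only the fields the
policies in the table consult. This is a toy evaluator, not OS X's code.
"""
from dataclasses import dataclass, field
from typing import Optional

# Standard extendedKeyUsage OIDs from RFC 5280; ipsecIKE is from RFC 4945.
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
EKU_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"

# Assumed mapping of each table policy to the EKU a *server* certificate
# needs when the extension is present; client certificates need clientAuth.
SERVER_EKU = {"SSL": EKU_SERVER_AUTH, "EAP": EKU_SERVER_AUTH, "IPsec": EKU_IPSEC_IKE}


@dataclass
class Cert:
    common_name: str
    dns_names: list = field(default_factory=list)    # SAN dNSName entries
    emails: list = field(default_factory=list)       # SAN rfc822Name entries
    key_usage: set = field(default_factory=set)      # keyUsage bit names
    ext_key_usage: Optional[list] = None             # None = extension absent


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is honoured only as the
    whole left-most label and never at the second level (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) != len(h) or len(p) < 3:
        return False
    return p[1:] == h[1:]


def host_check(cert: Cert, host: str) -> bool:
    # SAN dNSName entries are authoritative; CN is only a fallback when none exist.
    names = cert.dns_names or [cert.common_name]
    return any(hostname_matches(n, host) for n in names)


def eku_check(cert: Cert, required: str) -> bool:
    # The table's rule: if an EKU field is present it must contain an appropriate value.
    return cert.ext_key_usage is None or required in cert.ext_key_usage


def evaluate(cert: Cert, policy: str, host: str = None, email: str = None,
             is_client: bool = False, purpose: str = "sign"):
    """Return (ok, reason) for one use of the certificate."""
    if policy in SERVER_EKU:
        if is_client:
            # The host name check is skipped for client certificates.
            if not eku_check(cert, EKU_CLIENT_AUTH):
                return False, "EKU present but lacks clientAuth"
            return True, "client certificate acceptable for " + policy
        if not host_check(cert, host):
            return False, "name in certificate does not match %s" % host
        if not eku_check(cert, SERVER_EKU[policy]):
            return False, "EKU present but lacks the value %s needs" % policy
        return True, "server certificate acceptable for " + policy
    if policy == "S/MIME":
        if email.lower() not in (e.lower() for e in cert.emails):
            return False, "email address not listed in certificate"
        needed = "digitalSignature" if purpose == "sign" else "keyEncipherment"
        if needed not in cert.key_usage:
            return False, "keyUsage lacks " + needed
        if not eku_check(cert, EKU_EMAIL_PROTECTION):
            return False, "EKU present but lacks emailProtection"
        return True, "certificate acceptable for S/MIME " + purpose
    if policy == "Code Signing":
        # Read as an explicit permission: EKU must be present and contain codeSigning.
        if cert.ext_key_usage and EKU_CODE_SIGNING in cert.ext_key_usage \
                and "digitalSignature" in cert.key_usage:
            return True, "certificate explicitly permits code signing"
        return False, "no explicit code-signing permission"
    raise ValueError("unknown policy " + policy)


def demo():
    """Evaluate one constructed web-server certificate against several uses."""
    cert = Cert("www.example.com", dns_names=["www.example.com", "*.example.com"],
                key_usage={"digitalSignature", "keyEncipherment"},
                ext_key_usage=[EKU_SERVER_AUTH])
    return {
        "SSL www": evaluate(cert, "SSL", host="WWW.example.com")[0],
        "SSL wildcard": evaluate(cert, "SSL", host="mail.example.com")[0],
        "SSL apex": evaluate(cert, "SSL", host="example.com")[0],
        "SSL client": evaluate(cert, "SSL", is_client=True)[0],
        "S/MIME": evaluate(cert, "S/MIME", email="alice@example.com")[0],
        "Code Signing": evaluate(cert, "Code Signing")[0],
    }


if __name__ == "__main__":
    for use, ok in demo().items():
        print(f"{use:14s} {'valid' if ok else 'not valid'}")
```

Running `demo()` shows the same server certificate passing the SSL policy for its own host name and for a wildcard-covered subdomain, but failing for the bare domain, failing when presented as a client certificate (its EKU lists only serverAuth), and failing both the S/MIME and Code Signing policies, which is exactly the "valid for some uses but not for others" behaviour the text describes. A certificate with no EKU extension at all still passes the host-name-based policies, matching the table's "if present" wording.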