OS X Yosemite: Certificate trust policies

This article has been archived and is no longer updated by Apple.
Certificate trust policies

Certificates are widely used to secure electronic information. For example, a certificate might allow you to sign email, encrypt a document, connect to a secure network, or identify yourself when using Messages. Each type of use is governed by a trust policy, which determines whether a certificate is valid for that use. A certificate may be valid for some uses but not for others.

OS X uses a number of trust policies to determine whether a certificate is trusted. You can choose a different policy for each certificate, providing a greater amount of control over how certificates are evaluated.

| Trust policy | Description |
|---|---|
| Use System Defaults or no value specified | Use the default setting for the certificate. |
| Always Trust | You trust the author and want to always allow access to the server or app. |
| Never Trust | You don’t trust the author and don’t want to allow access to the server or app. |
| Secure Sockets Layer (SSL) | The name in a server’s certificate must match its DNS host name to successfully establish a connection. The host name check is not performed for SSL client certificates. If there is an extended key usage field, it must contain an appropriate value. |
| Secure Mail (S/MIME) | Email uses S/MIME to securely sign and encrypt messages. The user’s email address must be listed in the certificate, and key usage fields must be included. |
| Extensible Authentication Protocol (EAP) | When you connect to a network that requires 802.1X authentication, the name in the server’s certificate must match its DNS host name. Host names for client certificates are not checked. If an extended key usage field is present, it must contain an appropriate value. |
| IP Security (IPSec) | When certificates are used to secure IP communications (for example, in establishing a VPN connection), the name in the server’s certificate must match its DNS host name. Host names for client certificates are not checked. If an extended key usage field is present, it must contain an appropriate value. |
| Messages Security | Certificates for messages must contain key usage settings. |
| Kerberos Client | This policy determines whether the certificate can be used to identify a user to a Kerberos server. |
| Kerberos Server | This policy determines whether a Kerberos server can use the certificate to identify itself to the system. |
| Code Signing | The certificate must contain key usage settings that explicitly permit it to sign code. |
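The following Go program is an added illustration, not Apple's code (the real evaluation happens inside the OS X Security framework), of how the SSL, S/MIME and Code Signing rules in the table translate into concrete checks on a certificate. It uses only the Go standard library and constructs a self-signed test certificate inline so it runs offline. The policy names, the host names and addresses, and the reading of "key usage settings that explicitly permit it to sign code" as the codeSigning extended key usage are assumptions of this example; chain building and revocation checking, which precede any per-use policy in practice, are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy names one of the per-use trust policies from the table.
// The identifiers are this example's own; Apple's internal names are not on the page.
type Policy int

const (
	PolicySSLServer   Policy = iota // SSL, evaluating a server's certificate
	PolicySSLClient                 // SSL, evaluating a client's certificate
	PolicySMIME                     // Secure Mail (S/MIME)
	PolicyCodeSigning               // Code Signing
)

// NewTestCert builds a self-signed certificate with the given SAN names and usage
// extensions. It exists only so the example runs offline (constructed input); a real
// certificate is issued by a CA and chain-validated before any policy check.
func NewTestCert(dnsNames, emails []string, ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test certificate"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dnsNames,
		EmailAddresses:        emails,
		KeyUsage:              ku,  // zero value omits the key usage extension
		ExtKeyUsage:           eku, // nil omits the extended key usage extension
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, e := range c.ExtKeyUsage {
		if e == want {
			return true
		}
	}
	return false
}

// ekuPermits implements "if an extended key usage field is present, it must contain
// an appropriate value": absence passes, presence without the value fails.
func ekuPermits(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	return len(c.ExtKeyUsage) == 0 || hasEKU(c, want)
}

// Evaluate applies one trust policy to an already chain-validated certificate and
// returns nil when the certificate is acceptable for that use.
func Evaluate(c *x509.Certificate, p Policy, host, email string) error {
	switch p {
	case PolicySSLServer:
		// The server certificate's name must match the DNS host name being connected to.
		if err := c.VerifyHostname(host); err != nil {
			return fmt.Errorf("ssl server: %w", err)
		}
		if !ekuPermits(c, x509.ExtKeyUsageServerAuth) {
			return errors.New("ssl server: extended key usage present but lacks serverAuth")
		}
	case PolicySSLClient:
		// No host name check for client certificates; only the EKU rule applies.
		if !ekuPermits(c, x509.ExtKeyUsageClientAuth) {
			return errors.New("ssl client: extended key usage present but lacks clientAuth")
		}
	case PolicySMIME:
		// The user's address must be listed in the certificate and key usage must be present.
		found := false
		for _, e := range c.EmailAddresses {
			if strings.EqualFold(e, email) {
				found = true
			}
		}
		if !found {
			return fmt.Errorf("smime: %q is not among the certificate's email addresses", email)
		}
		if c.KeyUsage == 0 {
			return errors.New("smime: key usage extension missing")
		}
	case PolicyCodeSigning:
		// Assumed here to mean the codeSigning extended key usage must be present.
		if !hasEKU(c, x509.ExtKeyUsageCodeSigning) {
			return errors.New("code signing: certificate does not explicitly permit code signing")
		}
	default:
		return fmt.Errorf("unknown policy %d", p)
	}
	return nil
}

func main() {
	c, err := NewTestCert([]string{"www.example.test"}, []string{"alice@example.test"},
		x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection})
	if err != nil {
		panic(err)
	}
	fmt.Println("SSL server, mail.example.test:", Evaluate(c, PolicySSLServer, "mail.example.test", ""))
	fmt.Println("S/MIME, alice@example.test:", Evaluate(c, PolicySMIME, "", "alice@example.test"))
	fmt.Println("Code signing:", Evaluate(c, PolicyCodeSigning, "", ""))
}
```

The same certificate passes one policy and fails another, which is the point of the table: the SSL evaluation of a certificate that names `www.example.test` fails for a connection to `mail.example.test`, the S/MIME evaluation succeeds for the listed address, and code signing is refused because the extended key usage does not include it. On OS X itself the corresponding evaluation for a certificate file can be requested with the `security` command's `verify-cert` subcommand and a policy such as `ssl` or `smime` (from the tool's own documentation, not from this article).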

Published Date: Sep 14, 2017