
About Identities
An identity is a certificate and its private key, together. The certificate identifies the user and carries the public key; the private key is the one that corresponds to that public key. A single user can have several identities, and each of that user's certificates can carry a different name, email address, or issuer.
These identities are used in different security contexts. For example, one identity could be used to sign other people's certificates and another to identify the user by email address; the two need not be the same identity.
In the context of the Mac OS X Server Certificate Manager, an identity consists of a signed certificate and the PKI key pair it belongs to (the public key is embedded in the certificate, and the private key is stored alongside it). Identities are stored in the system keychain and are available to the services that support SSL.
About Self-Signed Certificates
About Intermediate Trust
If you are your own CA, and your certificates are not trusted by the default shipping root certificates in Mac OS X, your clients can still be configured to trust your certificates through an intermediate trust.
Trust is the basis on which a client accepts the identity a server asserts when the client connects to it.
A trusted server is a known server that the client can transact with securely, without interference from outside or unknown parties.
Mac OS X clients follow X.509 trust validation when accepting certificates: starting from the certificate the server presents, they follow the chain of certificate signers back until they reach a certificate they already trust, normally a root certificate.
Mac OS X also lets you designate a trust anchor, that is, a certificate you explicitly trust even though it is not a root CA certificate. A client can then trust a certificate closer to the server in the chain, or even the presented certificate itself. Trusting a certificate that is not one of the shipping root anchors is called intermediate trust. Because an anchored certificate is accepted without reference to whoever issued it, anchor only certificates you control or have verified out of band.
To make this work, trust is assigned to individual certificates rather than to a keychain, as it was previously. In Mac OS X v10.4, trust was granted to any certificate placed in the keychain named "X509Anchors." The X509Anchors keychain was deprecated starting with Mac OS X v10.5.
Chapter 4 Enhancing Security