
Several keychains can hold certificates:
• SystemRootCertificates: This keychain holds root certificates that ship with Mac OS X. The certificates already have trust given to them.
• System: This keychain holds certificates that the computer administrator can add. All users on a given client can read from this keychain. The trust settings of a certificate in this keychain can override those of a certificate in SystemRootCertificates.
• Any other keychain: This holds certificates for a given user and is only accessible to that user. The trust settings of a certificate in this keychain can override those of a certificate in SystemRootCertificates or System.
Trusted certificates can be in any of these locations, but a certificate is trusted only when trust settings have been given to it explicitly.
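The override order described above can be modeled to audit which certificates end up trusted and through which keychain. This is an added example, not code from the original document. The layer name "user", the setting values "trust" and "deny", the function names, and the fingerprints are assumptions made for illustration, and the model assumes the most specific keychain with explicit settings decides.

```python
# Simplified model of the keychain layers described above (added example).
# Layer order is least to most specific; a later layer's explicit trust
# setting overrides an earlier one. All certificate data is constructed.
PRECEDENCE = ["SystemRootCertificates", "System", "user"]

def effective_trust(fingerprint, keychains):
    """Return (trusted, deciding_layer) for one certificate.

    keychains maps layer name -> {fingerprint: setting}, where setting is
    "trust", "deny" (assumed values), or None for a certificate that is
    present but has no explicit trust settings.
    """
    decision, layer_used = None, None
    for layer in PRECEDENCE:
        setting = keychains.get(layer, {}).get(fingerprint)
        if setting is not None:          # only explicit settings count
            decision, layer_used = setting, layer
    return decision == "trust", layer_used

def audit(keychains):
    """List certificates whose effective trust differs from the shipped roots."""
    findings = []
    seen = {fp for certs in keychains.values() for fp in certs}
    for fp in sorted(seen):
        trusted, layer = effective_trust(fp, keychains)
        shipped = keychains.get("SystemRootCertificates", {}).get(fp)
        if trusted and layer != "SystemRootCertificates":
            findings.append((fp, f"trusted via {layer} keychain"))
        elif not trusted and shipped == "trust":
            findings.append((fp, f"shipped root distrusted via {layer} keychain"))
    return findings

# Constructed sample data; fingerprints are placeholders, not real hashes.
SAMPLE = {
    "SystemRootCertificates": {"AA:01": "trust", "AA:02": "trust"},
    "System": {"AA:02": "deny", "BB:01": "trust", "BB:02": None},
    "user": {"AA:02": "trust", "CC:01": "trust"},
}

if __name__ == "__main__":
    for fp, note in audit(SAMPLE):
        print(fp, note)
```

Certificate BB:02 in the sample sits in the System keychain without explicit settings, so it is not reported as trusted.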
To configure clients to trust a certificate:
1 Copy the
This is preferably distributed using nonrewritable media, such as a
2 Open the Keychain Access tool by
3 Drag the certificate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4
5 In the details window, click the Trust disclosure triangle.
6 From the
From the command line
After copying the certificate to the target client computer, perform the following, replacing <certificate> with the file path to the certificate:
sudo /usr/bin/security
You can use the security tool to save and restore trust settings as well. For more information on using the security
Certificate Manager in Server Admin
Mac OS X Server’s Certificate Manager is integrated into Server Admin to help you create, use, and maintain identities for
Chapter 4 Enhancing Security