new Verisign Certs - unrecognized in OS X

scruffy

Notorious Olive Counter
Has anyone else encountered this problem?

Apparently, Verisign has switched to a new certificate scheme, as of a few months ago.

Verisign's explanation is here: http://www.verisign.com/support/advisories/page_029264.html
(yes, it's available as an https page as well, and if you go to that same page as https, the cert checks out.)

Now, when I go to my work's remote login site using OS X
https://securelogin.gov.ab.ca
I get a certificate error (I get no error with Windows). I'm pretty technical, and I can't even figure out how to get a copy of this new Verisign certificate, signed with a key that I already do trust, to import it into my X509Anchors keychain...

So my questions three:
- Can someone else using a fully up-to-date OS X check whether they get this error?
- Can someone else using a fully up-to-date OS other than Windows check for this error?
- Has anyone encountered this same warning about the Verisign Class 3 Server Certificate elsewhere on the web?

I see two possibilities:
- Verisign just didn't bother to get anyone but Microsoft to include their new certificates - they just don't care about the rest of the world.
- If the site in question distributed a full certificate chain, then it could get back to something Macs trust, but they just haven't configured it to do so, because it was only tested from Windows.
 
I just tried the website you linked to and my version (latest) of Safari doesn't give any error. The lock appears in the top right of the window indicating a secure connection.
 
Very interesting - there's nothing in Software Update for me, and I still get the error in both Camino and Safari...

Capt. Code, I see you're using a PPC machine. Cybergoober, do you use an Intel or PPC machine? I wonder if there might be some certs missing from Intel updates that made it into PPC ones. Doesn't seem likely, but who knows...

And, what Verisign certs are in your X509Anchors keychain?
For me, the command

certtool y k=/System/Library/Keychains/X509Anchors | grep VeriSign | grep Common

gives me this output

Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
 
Here's what I get

Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
 
Huh, curiouser and curiouser - don't see any difference from what I have.

If I could try your patience just a bit more, would you mind trying:

openssl s_client -connect securelogin.gov.ab.ca:443 -showcerts

And either posting, or PMing me (it is rather verbose), the output?

Thanks
Mark
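The second hypothesis from the opening post (server sends only its leaf, so the chain never reaches a root the client trusts) and the `openssl s_client -showcerts` check above can be reproduced offline. The script below is an added example, not part of this thread: it builds a constructed root > intermediate > leaf chain with openssl, treats root.pem as the only trust anchor (standing in for X509Anchors), and validates what a server would present with and without the intermediate. All names (Example Root CA, securelogin.example) are made up.

```shell
#!/bin/sh
# Added example: reproduce the "missing intermediate" failure with a constructed
# three-tier chain. root.pem plays the role of a trust anchor in X509Anchors.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

gen_chain() {
  # Root CA: self-signed, with explicit CA extensions so the result does not
  # depend on whatever openssl.cnf defaults are installed.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
    -extfile ca.ext 2>/dev/null
  # Intermediate CA, signed by the root: the extra tier the client has never seen.
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
  # Server leaf, signed by the intermediate only (never directly by the root).
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=securelogin.example" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null
}

# verify_sent CHAIN_FILE: validate what a server would present in the TLS handshake
# (leaf first, then any intermediates it is configured to send) against root.pem as
# the only trust anchor. Exit status 0 when the chain reaches the anchor, non-zero
# when an issuer is missing (openssl reports "unable to get local issuer certificate").
verify_sent() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

gen_chain
cp leaf.pem sent_leaf_only.pem            # misconfigured server: leaf only
cat leaf.pem inter.pem > sent_full.pem    # correctly configured server: full chain

if verify_sent sent_leaf_only.pem; then echo "leaf only: OK"; else echo "leaf only: unknown issuer"; fi
if verify_sent sent_full.pem; then echo "leaf+intermediate: OK"; else echo "leaf+intermediate: FAILED"; fi
```

A client that already has the intermediate cached or fetches it on its own (as Windows often does) passes the first case anyway, which is why the error can show on one OS and not another even with identical root stores.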
 
I just tried the site again and now I'm getting a certificate error saying it was issued by an unknown certificate authority but I can still continue.
 
Thanks for checking that for me, captain. I mentioned this to the site maintainers, so they're now aware of the problem.

And it's good to know I haven't just reported to them something that's actually a misconfiguration with my computer...
 