What Is SystemCACertificates.keychain and How To Use It

Did you know that you can make your Macintosh trust most DoD Military CAC cards easily? Many Government Employees, Uniformed Military Personnel and Federal Contractors are probably completely unaware of this neat little Macintosh feature that instantly does away with the headaches and frustrations that often come when provisioning a Macintosh for CAC card access.

Surely you’ve asked yourself the question, “Do I have the right ‘root’ and issuing certificates?”, or have spent countless hours getting your Mac properly configured only to receive the “Sorry, client not trusted” error in Safari when logging into your Exchange OWA Web Mail.

Background

A little background first.  To use a certificate on a smart card – for example, to log into a protected web site, or to sign an important e-mail – the certificate on the smart card must be trusted by your Macintosh.

The Mac validates a certificate by using a certificate trust chain.  Think “hierarchy”.  Each certificate works in conjunction with the others (they are related).  The only self-signed, or “stand-alone”, certificate in the chain is the root.  All the other certificates in the chain of trust rely on one another; without any one of them, all the intermediate certificates and, most importantly, the smart card certificate become “untrusted”.

A simple example.  An arrow means the certificate on the right is used to sign the certificate on the left.

Your Smart Card Certificate <- Intermediate Certificate <- Root Certificate

  • The Intermediate Certificate is used to sign Your Certificate.  Therefore, the Intermediate Certificate trusts Your Certificate.
  • The Root Certificate is used to sign the Intermediate Certificate.  Therefore, the Root Certificate trusts the Intermediate Certificate.

In the example above, if the Mac has both the Intermediate Certificate and Root Certificate in the Keychain database, it would trust your Smart Card Certificate because of the chain of trust.
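To see the chain rule in action, here is an added example (not part of the original post and not Centrify’s code) that builds a throwaway Root -> Intermediate -> Leaf chain with openssl and then checks the leaf against the root with and without the intermediate present.  The CA names, file names and working directory are constructed for the demo; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: a three-tier chain like the one in the article.
# The leaf stands in for the smart card certificate.
set -e

build_demo_chain() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA extensions: the root and the intermediate must both assert CA:TRUE
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

        # Root: self-signed, the only "stand-alone" certificate in the chain
        openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
            -subj "/CN=Demo Root CA" >/dev/null 2>&1
        openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
            -out root.pem >/dev/null 2>&1

        # Intermediate: signed by the root
        openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
            -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 2 -extfile ca.ext -out int.pem >/dev/null 2>&1

        # Leaf: signed by the intermediate, never by the root directly
        openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=Demo Smart Card User" >/dev/null 2>&1
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
    )
}

# Returns 0 only if leaf.pem chains up to root.pem using the extra
# certificates passed as arguments (e.g. "-untrusted $dir/int.pem").
verify_leaf() {
    dir="$1"; shift
    openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
build_demo_chain "$DEMO"
if verify_leaf "$DEMO"; then
    echo "root only: leaf trusted (unexpected)"
else
    echo "root only: leaf NOT trusted, the intermediate link is missing"
fi
if verify_leaf "$DEMO" -untrusted "$DEMO/int.pem"; then
    echo "root + intermediate: leaf trusted"
fi
```

The second check is exactly what importing SystemCACertificates.keychain achieves on the Mac: it supplies the missing intermediate and root links so the card’s certificate can be chained to a trusted root.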

In some cases, the Keychain database already has the intermediate and root certificates you need.  You can start using the smart card simply by inserting it into the Mac.

In other cases, Keychain, by default, does not have enough certificates.  CACs with certificates issued by one of the DoD CAs numbered between 27 and 32 (e.g., DOD EMAIL CA-32) are such examples, according to this excellent article [1].

What is SystemCACertificates.keychain?

This is where the aforementioned SystemCACertificates.keychain file comes into the picture.

This file includes all the necessary trust chains for DoD CACs and other cards.  To use it, you need to open it and import it into the Keychain database.

How To Use It?

If you are familiar with Terminal and command line, open Terminal and type:

  1. cd /System/Library/Keychains/
  2. open SystemCACertificates.keychain

If you’re not comfortable with the Terminal, do the following:

  1. In Finder, select the “Go” menu and the menu item “Go to Folder” (Command-Shift-G)
  2. Type in the following: “/System/Library/Keychains/”
  3. Double-click the file “SystemCACertificates.keychain” and it will automagically import itself into your active Keychain.  (It will open up Keychain Access utility.)

Sometimes this file is hidden and you may not be able to see it in Finder.  If this is the case, use the Terminal option above.

If the file is successfully imported, Keychain Access should look like this:

[Image: SystemCA.png – Keychain Access showing the imported DoD certificates]

Observe all the DoD certificates.  Now you can take advantage of these certificates.

Hopefully you can see that your Mac will now trust your CAC – that is, if it is signed by the certificates included in this file.

That’s it… Good luck, and hopefully this little knowledge will save you some much deserved time.

Keep in mind that if you are having problems reading your smart card, that is a separate problem entirely.  Our free Centrify Express for Smart Card product might help you.  It includes all the necessary Mac drivers for many different smart card types.  You can download the software here.

[1] Adding DoD certificates to your Mac, Timothy Solberg and Michael J. Danberry, http://militarycac.com/files/macdodcerts.pdf