Self-signed SSL certificates in Apple Mail

My work has just set up external access to its IMAP server, so that I can work as easily from home as from the office. Excellent.

The external access is secured with a self-signed SSL certificate. Unless you import the certificate into your Keychain you get endless annoying error messages. And importing it wasn’t as easy as you might expect.

In the end, I offered to write up a walk-through for other Mac users in the College, and I’m posting it here too. It’s all documented in Apple Mail’s help file under “I’m getting a certificate-related error message”, but visual learners will appreciate the pictures.

How to accept a self-signed SSL certificate in Mail.app permanently (with screenshots) after the jump.


When you try to connect to an IMAP server that uses a self-signed SSL certificate for the first time in Apple Mail, you will get the following alert message:

[Screenshot: view_cert]

Don’t click “Continue”. Click on the “Show Certificate” button. You will see the following dialog box:

[Screenshot: drag_cert]

Click on the picture of the certificate and drag it to your Desktop.

Double click on the file ending with the extension “cer” on your Desktop. An application called Keychain Access will then open and you will see the following dialog box:

[Screenshot: Keychain_select]

Click on the Keychain drop-down menu and the following options will appear:

[Screenshot: x509Anchor]

Select “X509Anchors” and then “OK”. You will be asked to type in the Administrator password for your Mac. Do that, then you’re done! The certificate is now permanently stored in your Keychain.

You can then return to the very first “Unable to Connect” dialog box and click on “Continue”.

You will now be able to access the IMAP server without constant error messages.


22 Responses to “Self-signed SSL certificates in Apple Mail”

  1. David Dunham says:

    I don’t think the option-drag is required; I did this with a regular drag. Still a handy tip, since I didn’t know that was how to get the .cer file (I’d had postmasters e-mail it to me in the past).

  2. Tim says:

    Thanks. You’re right! The Apple Mail help file, which I blindly followed, says that you need to Option-Click, but it’s wrong.

  3. Hawk Wings » Blog Archive » Apple Mail Rules and IMAP folders says:

    [...] Over the past few days, I have been reorganising my rules in Mail.app to match some new server arrangements and as part of grappling with Getting Things Done. [...]

  4. Darkside says:

    I have never gotten this to work with my accounts. I’ve imported the crt files into the X509Anchors, but mail still keeps prompting me.

    Two of the problem certs are from web hosts using cPanel; has anyone else had this issue?

  5. Bernhard says:

    Darkside: I’m having the same problem. Mail keeps showing an “Unable to verify SSL server” dialog, although I tried to import the server certificate into Keychain Access all the ways I could think of. The only difference I can find between this and the other certificates in X509Anchors is that this one has a blue border, while the others are orange, but I guess this is not related to the actual problem.

  6. Anna says:

    Darkside: I have this issue with my work SSL server. I have imported the crts into my X509Anchors, but I still can’t connect. In fact, Mail keeps referring to the old expired cert. Cannot figure this one out…

  7. Tim says:

    That’s odd. I had to do this procedure again today on another Mac of mine and it worked perfectly.

    I wonder what the root of your various problems is.

  8. Dennis says:

    Darkside,

    I have the exact same issue. My site is also hosted thru a cPanel-type administration with a shared SSL certificate off of their server. I’ve tried just about everything to get this working but no luck so far…I’ll post something if Google is at all helpful :)

    –den

  9. John says:

    I am having the same issue. I finally gave up on mail.app, but I’d like to go back. If anyone comes up with anything, I’ll keep checking back.

  10. Tim says:

    I guess that you have all tried the old stand-by – deleting all the certificates out of your keychain and trying again.

    From all the comments, though, it does sound like it is something cPanel-specific.

    This cPanel FAQ answer “How do I setup my mail to use SSL?” is not very helpful:

    Set your mail server to the host name for SMTP/POP3/IMAP (instead of mail.domain.com) and then make sure that your mail client is using the following ports for SSL:

    SMTP – 465
    POP3 – 995
    IMAP – 993

    As always you want to make sure that your account name is user@domain.com (or user+domain.com) and that you are using authentication on your SMTP server.

  11. John says:

    I have tried deleting and starting over more times than I care to admit to. I even tried it again after completely reinstalling OSX (for another reason). No luck. I’m stuck in Mozilla Thunderbird (it’s just not as pretty though).

  12. Tim says:

    Well, that sucks :(

    I don’t have the technical smarts to know how to fix it, I’m afraid.

  13. Stephanie says:

    I’m also having this problem. No matter what I do, the error continues to pop up. :(

  14. Dan_ce says:

    Hey up birdies. Mine does this (Cpanel website), the difference is my cert is expired. How about that?

  15. Stephanie's mail host sysadmin says:

    Stephanie’s problem turned out to be that the Common Name in the certificate did not match the POP/IMAP hostname she was using to access the server. The names must match exactly; if the Common Name is example.org, then you can’t be using mail.example.org as the POP host, or vice-versa.

  16. Televisionmind » Blog Archive » Self-Signed SSL Certificates in Apple Mail says:

    [...] (see stephanie’s comment in this post) Published in: Whatever | on October 3rd, 2006 | [...]

  17. John says:

    For those of you experiencing these problems in Panther, the same solution applies – only you place the certificate in the System.keychain, as Panther does not have the X509 Anchors keychain.

    Follow the directions as described above to obtain the certificate -

    Make a copy of the System.keychain (option-drag to copy) located in

    /Library/Keychains

    to

    /Users/[username]/Library/Keychains

    Rename that file System2.keychain (or whatever you like) -

    Then double-click on the certificate and add it to the keychain you just duplicated.

    Once that’s done, rename the keychain back to System.keychain – then copy it back to the

    /Library/Keychains

    folder – authorization will be required.

    It worked for me :) Mail stopped pestering me about accepting the gmail certificate and I was able to again access my gmail via POP.

    And now some keywords for people searching for a solution to this problem:

    gmail broken panther accept certificate mail.app

    It took me a VERY long time to figure out this solution, and hopefully it’ll save someone else the headaches :)

  18. Nate says:

    Thanks for the great tip! My webhost (and mail) uses SSL POP and I had a similar issue with the “Certificate is not signed by a valid authority” error. This solution worked great for this annoyance also!

  19. Matt Weber says:

    Changing the incoming mail server to the common name of the cert stops Mail.app from prompting you to accept the certificate every time you check your mail.

  20. Quinn Comendant says:

    It is also important that the security certificate used matches the hostname set in Apple Mail. For example, if my mail server has a certificate that was generated with the Common Name set to mail.mydomain.com then I must also configure Apple Mail to connect to mail.mydomain.com (as opposed to mail.anotherdomain.com, even if the two domains resolve to the same IP address).

  21. sinnerman says:

    How about this…
    I click on the icon of the cert in order to drag it to the desktop and it locks up Mail.app. I have to force quit it each time. This happens whether I click or Option-click.

    It kinda creates a shadow picture like it’s going to drag to the desktop and then it stops and, done! locked for good.

    Now what are my options?
    TIA

    By the way: OSX – 10.3.9

  22. LeMasterSystems says:

    I was having the same problem that was described above. I am using Cpanel SSL POP3. After following the directions above, I found that the certificate was now valid (note that I had to add two certificates, one for the incoming and one for the outgoing server).

    However, Apple Mail continued to pop up asking me if I wanted to connect to this potentially dangerous server. It turns out that if the domain listed in the certificate does not exactly match the “mail.xxx.com” that you have listed in your incoming mail server preferences, mail will automatically present that dialog regardless of whether or not the certificate is valid (there are good security reasons for the behavior).

    I found that changing your incoming and outgoing server to the domain listed in the certificate solves that problem and there are no more popups.
    Change your “mail.xxx.com” to what you see on the certificate. Your username: “email+domain_name.com” along with your password will (at least in my case) be sufficient to identify you to the POP server.

    Hope that works for you, it did for me!
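Comments 15, 19, 20 and 22 all arrive at the same point: the hostname configured in the mail client must match the name in the certificate, and a valid, trusted certificate for the wrong name still triggers the prompt. The following is an added example (not code from the post or from Apple) that implements that check in Python over the dictionary shape `ssl.SSLSocket.getpeercert()` returns. The certificates are constructed inline, so it runs offline. It goes a little beyond the thread’s CN-only case: when a certificate carries subjectAltName DNS entries those take precedence over the Common Name, and a single leading wildcard label is honoured, as RFC 6125 describes.

```python
"""Hostname-vs-certificate matching of the kind a mail client performs.

Added example, not the blog's or Apple's code. Operates on dicts shaped like
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple of
(attribute, value) pairs; 'subjectAltName' is a tuple of (type, value).
"""


def cert_names(cert):
    """Return the DNS names the certificate claims to be valid for.

    If subjectAltName carries DNS entries they are authoritative and the
    Common Name is ignored; only a CN-only certificate (the kind discussed
    in the thread) falls back to its commonName.
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.

    A single leading '*' label matches exactly one non-empty label, so
    '*.example.com' covers 'imap.example.com' but not 'a.b.example.com'.
    Patterns with '*' anywhere else, or too broad to be sensible ('*.com'),
    are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    pattern_rest = pattern[2:]
    if "*" in pattern_rest or pattern_rest.count(".") < 1:
        return False
    head, sep, host_rest = hostname.partition(".")
    return bool(head) and bool(sep) and host_rest == pattern_rest


def hostname_matches(cert, hostname):
    """True when any name the certificate carries matches the configured host."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def diagnose(cert, hostname):
    """Explain why a client would (or would not) prompt for this server."""
    names = cert_names(cert)
    if not names:
        return "certificate carries no DNS name"
    if hostname_matches(cert, hostname):
        return "ok"
    return "hostname %r does not match certificate name(s) %r" % (hostname, names)


# Constructed sample certificates (not real servers).
# CN-only, as in comment 15: valid for 'example.org' and nothing else.
CN_ONLY_CERT = {
    "subject": ((("commonName", "example.org"),),),
}

# Modern shape: subjectAltName present, so the CN is not consulted.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}


if __name__ == "__main__":
    # The mismatch from comment 15: cert says example.org, client uses mail.example.org.
    print(diagnose(CN_ONLY_CERT, "mail.example.org"))
    # The fix from comments 19 and 22: point the client at the certificate's name.
    print(diagnose(CN_ONLY_CERT, "example.org"))
    print(diagnose(SAN_CERT, "imap.example.com"))
```

The point the thread makes in prose is visible in the output: only the last two calls return `ok`, and the first names the offending hostname so the account setting can be corrected rather than the certificate re-imported yet again.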
