---

I am using a digital certificate to access government sites in Denmark.
The certificate is, however, only valid for two years so then you will
have to get a new certificate.

Of course, this is what I have done. And I have placed the new
certificate in my keyring [through /Applications/Utilities/Keychain
Access].

But Safari still uses the old certificate which is now obsolete. It
doesn't even help to delete it from the keyring; it is till chosen by
Safari. And though it shows two certificates [and marks the first one as
no more valid], it still uses it - and I see no way to force it to use
the new.

I have successfully removed the obsolete certificate from FireFox and it
works as it should. But not so with Safari.

--
Per Erik Rønne
http://www.RQNNE.dk

---

On 2007-09-30, Per Rønne <per@RQNNE.invalid> wrote:
> I am using a digital certificate to access government sites in
> Denmark. The certificate is, however, only valid for two years so
> then you will have to get a new certificate.

Not to stray too far off topic, but are you talking about regular
government services for ordinary citizens? That is to day, does
Denmark issue its citizens X.509 certificates for secure
authentication to government Web sites? Because that sounds really
nifty if it is the case.

> Of course, this is what I have done. And I have placed the new
> certificate in my keyring [through
> /Applications/Utilities/Keychain Access].
>
> But Safari still uses the old certificate which is now obsolete.
> It doesn't even help to delete it from the keyring; it is till
> chosen by Safari. And though it shows two certificates [and marks
> the first one as no more valid], it still uses it - and I see no
> way to force it to use the new.

Sorry, I'm a little unclear on what you mean there. Do you keep
deleting your expired certificate from your login keychain, only to
have it reappear later? Maybe it would help to clarify this if you
could post a screenshot somewhere.

> I have successfully removed the obsolete certificate from FireFox
> and it works as it should. But not so with Safari.

This is just a wild guess, but were you given a new private key when
you were issued the new certificate? If so, did you explicitly
delete the obsolete private key from the keychain along with its
expired certificate?

--
Mark Shroyer
http://markshroyer.com/

---

Mark Shroyer <usenet-mail@markshroyer.com> wrote:

> On 2007-09-30, Per Rønne <per@RQNNE.invalid> wrote:
> > I am using a digital certificate to access government sites in
> > Denmark. The certificate is, however, only valid for two years so
> > then you will have to get a new certificate.
>
> Not to stray too far off topic, but are you talking about regular
> government services for ordinary citizens? That is to day, does
> Denmark issue its citizens X.509 certificates for secure
> authentication to government Web sites? Because that sounds really
> nifty if it is the case.

Well, each citizen can apply for a digital signature which gives secure
authentification to government web sites.

This means that you can complete your's income tax return. Look up
medical data on yourself. Register yourself to the employment service,
if you loose your job. And lots of other thing - all through the web and
using your digital signature.

> > Of course, this is what I have done. And I have placed the new
> > certificate in my keyring [through
> > /Applications/Utilities/Keychain Access].
> >
> > But Safari still uses the old certificate which is now obsolete.
> > It doesn't even help to delete it from the keyring; it is till
> > chosen by Safari. And though it shows two certificates [and marks
> > the first one as no more valid], it still uses it - and I see no
> > way to force it to use the new.
>
> Sorry, I'm a little unclear on what you mean there. Do you keep
> deleting your expired certificate from your login keychain, only to
> have it reappear later? Maybe it would help to clarify this if you
> could post a screenshot somewhere.

I cannot post a screenshot as I don't have access to binary groups.
Instead I have placed one on my homepage, at:

<http://rqnne.dk/Certificate.png>

And no, once removed from the keychain, the certificate doesn't show up
in the keychain again. It just remains in Safari.

BTW, if you look at the picture, chosing the second of the certificates
should have succeeded - it doesn't.

> > I have successfully removed the obsolete certificate from FireFox
> > and it works as it should. But not so with Safari.
>
> This is just a wild guess, but were you given a new private key when
> you were issued the new certificate? If so, did you explicitly
> delete the obsolete private key from the keychain along with its
> expired certificate?

I deleted the certificate identifying me as myself.

And, btw, on my old G4/867 QuickSilver [now with a 1.6 GHz double
processor] I tried to do it in another way. First, I removed the old,
obsolete certificate from the keyring. Then I entered the site asking
for the certificate - and now it goes as it should.

But not on my MacBook. I can only see two differences: The former is a
PPC computer, the latter an Intel one. And on the former I began by
removing the certificate from the keyring, in the latter I went the
other way.

--
Per Erik Rønne
http://www.RQNNE.dk

---

In article <1i592f1.8y7ji7csh60N%per@RQNNE.invalid>,
per@RQNNE.invalid (Per Rønne) wrote:

> But not on my MacBook. I can only see two differences: The former is
> a PPC computer, the latter an Intel one. And on the former I began by
> removing the certificate from the keyring, in the latter I went the
> other way.

Try removing both certificates, flushing the cache, and then
reinstalling the new certificate.

--
Support the troops: Bring them home ASAP.

---

Michelle Steiner <michelle@michelle.org> wrote:

> In article <1i592f1.8y7ji7csh60N%per@RQNNE.invalid>,
> per@RQNNE.invalid (Per Rønne) wrote:
>
> > But not on my MacBook. I can only see two differences: The former is
> > a PPC computer, the latter an Intel one. And on the former I began by
> > removing the certificate from the keyring, in the latter I went the
> > other way.
>
> Try removing both certificates, flushing the cache, and then
> reinstalling the new certificate.

It works now - after I deleted the first of the keys in the keyring.
Well, there were two keys only and I guessed that the topmost key was
the oldest ... and the obsolete one.
--
Per Erik Rønne
http://www.RQNNE.dk

---

In dk.edb.mac Per Ronne <per@rqnne.invalid> wrote:
> I am using a digital certificate to access government sites in Denmark.
> The certificate is, however, only valid for two years so then you will
> have to get a new certificate.

> Of course, this is what I have done. And I have placed the new
> certificate in my keyring [through /Applications/Utilities/Keychain
> Access].

> But Safari still uses the old certificate which is now obsolete. It
> doesn't even help to delete it from the keyring; it is till chosen by
> Safari. And though it shows two certificates [and marks the first one as
> no more valid], it still uses it - and I see no way to force it to use
> the new.

> I have successfully removed the obsolete certificate from FireFox and it
> works as it should. But not so with Safari.

Safari, Mail etc bruger Apples egen infrastruktur til h?ndtering af
certifikater. Dvs ?ben /Aplications/Utlilities/Keychain.app - hit din
n?glering med dit certifikat (formegenlig login.keychain) under "My
certificates". V?r lige opm?rksom p? at hvis du har krypterede mails
eller andet lign. og du sletter det gamle certifikat vil alle de emner
der er krypteret med det gamle certifikatt v?re gone for altid.

--
mvh. Morten Reippuert Knudsen

---

Morten Reippuert Knudsen <spam@reippuert.dk> wrote:

> In dk.edb.mac Per Ronne <per@rqnne.invalid> wrote:
> > I am using a digital certificate to access government sites in Denmark.
> > The certificate is, however, only valid for two years so then you will
> > have to get a new certificate.
>
> > Of course, this is what I have done. And I have placed the new
> > certificate in my keyring [through /Applications/Utilities/Keychain
> > Access].
>
> > But Safari still uses the old certificate which is now obsolete. It
> > doesn't even help to delete it from the keyring; it is till chosen by
> > Safari. And though it shows two certificates [and marks the first one as
> > no more valid], it still uses it - and I see no way to force it to use
> > the new.
>
> > I have successfully removed the obsolete certificate from FireFox and it
> > works as it should. But not so with Safari.
>
> Safari, Mail etc bruger Apples egen infrastruktur til håndtering af
> certifikater. Dvs åben /Aplications/Utlilities/Keychain.app - hit din
> nøglering med dit certifikat (formegenlig login.keychain) under "My
> certificates".

»Login-keychain« siger mig intet, men jeg er netop gået ind i det der på
dansk hedder Hovednøglering, og fjernet den gamle.

Den findes bare stadig i Safaris registreringer.

> Vær lige opmærksom på at hvis du har krypterede mails eller andet lign. og
> du sletter det gamle certifikat vil alle de emner der er krypteret med det
> gamle certifikatt være gone for altid.

Jeg er for år tilbage holdt op med at kryptere e-mails. Bruger kun
certifikater til web-adgang til visse offentlige tjenester.

De engelsksprogede grupper fjernet, da de ikke skal se på noget skrevet
på dansk ...
--
Per Erik Rønne
http://www.RQNNE.dk

---

Per Rønne <per@rqnne.invalid> wrote:

> > Safari, Mail etc bruger Apples egen infrastruktur til håndtering af
> > certifikater. Dvs åben /Aplications/Utlilities/Keychain.app - hit din
> > nøglering med dit certifikat (formegenlig login.keychain) under "My
> > certificates".

> »Login-keychain« siger mig intet, men jeg er netop gået ind i det der på
> dansk hedder Hovednøglering, og fjernet den gamle.

> Den findes bare stadig i Safaris registreringer.

Der må ligge en cookie.

> > Vær lige opmærksom på at hvis du har krypterede mails eller andet lign. og
> > du sletter det gamle certifikat vil alle de emner der er krypteret med det
> > gamle certifikatt være gone for altid.

> Jeg er for år tilbage holdt op med at kryptere e-mails. Bruger kun
> certifikater til web-adgang til visse offentlige tjenester.

ok - su skal blot være opmærksom på problematikken, du kan sagtens
have dine gamle sertifikater liggende også såfremt du undgår at de er
defineret som "dit" certifikat.

> De engelsksprogede grupper fjernet, da de ikke skal se på noget skrevet
> på dansk ...

men vi skulle se noget skrevet på engelsk? Din begrundelsee er iøvrigt
en glimrende grund til ikke at krydsposte.

--
Morten Reippuert Knudsen <http://blog.reippuert.dk>

Merlin Works CR-3/2.5 & Campagnolo Chorus 2007.

---

Morten Reippuert Knudsen <spam@reippuert.dk> wrote:

> Per Rønne <per@rqnne.invalid> wrote:

> > De engelsksprogede grupper fjernet, da de ikke skal se på noget skrevet
> > på dansk ...

> men vi skulle se noget skrevet på engelsk?

Få kan internationalt set dansk. Stort set alle deltagere på dk.edb.mac
læser engelsk.

> Din begrundelsee er iøvrigt en glimrende grund til ikke at krydsposte.

Emnet har tidligere været rejst på dansk, og jeg går ud fra at der var
interesse for hvordan det gjordes. Jeg vil kalde det et udmærket
eksempel på, hvornår krydspostning er passende.
--
Per Erik Rønne
http://www.RQNNE.dk