[Mac_crypto] ssl... where does the keychain/cert go for mail?

Ken McLeod mac_crypto@vmeng.com
Wed, 24 Mar 2004 12:51:00 -0800

On Mar 24, 2004, at 7:24 AM, R. A. Hettinga wrote:

> From: Gary Robinson <grobinson@transpose.com>
> First question:
> Apple's security_ssl.html  document, which is about installing SSL in 
> 10.3
> Server says that the keychain for the cert goes into
> /Users/root/Library/Keychains. However, my system, which is a fresh 
> install
> of 10.3 Server, has no /Users/root directory.
> Whereas, the Mac OS X Server book says it goes in
> var/root/Library/Keychains. And so does the Apple doc for 10.2 (artnum
> 75335). And my system does indeed have a /var/root/ directory.
> So, in 10.3, where does it really and truly go? Is this another error 
> in
> security_ssl.html?

Looks that way. The correct home directory path for root is /var/root 
(technically, it's /private/var/root once you resolve the symlink.)

When a particular process is running and needs to look up an item in a 
keychain, the home directory for that process's UID is used, as 
     1. If ~/Library/Preferences/com.apple.security.plist exists, the 
list of keychains it contains is searched.
     2. If ~/Library/Preferences/com.apple.security.plist does NOT exist 
(it's an optional file), then ~/Library/Keychains/login.keychain is 

This means that if a process is running as root and does a keychain 
operation, it will be looking for the keychain in root's home 
directory. Specifically, it will look in 
/private/var/root/Library/Keychains/login.keychain, unless other 
keychains have been explicitly specified in 
/private/var/root/Library/Preferences/com.apple.security.plist. Note 
that you normally won't have either file (or even a Keychains 
directory) in root's home directory unless you log in as root (which 
automatically creates the login keychain) or you create the keychain 

Now here's the interesting part: the directions for creating a "certkc" 
keychain using certtool will actually work IF you run certttool as 
root, AND add a trailing 'c' option (which is the correct syntax for 
creating the keychain as well as the cert), AND go through all the 
prompts to create a key pair and certificate at the same time! This 
adds the keychain "certkc" to the list of keychains that UID=0 will 
search (by adding it to the 
~/Library/Preferences/com.apple.security.plist file for the root 

An easier way to create a keychain (from the command line) is to use 
the 'security' tool, rather than the more specialized 'certtool'.

I'll try to find out more about where the 
http://developer.apple.com/server/security_ssl.html document comes 
from, and get the errors corrected.