Archive

Archive for March 24, 2011

Setting OCSP and CRL certificate settings in Keychain Access

March 24, 2011 1 comment

To help secure Safari against certificate hijacking, you can set your OCSP and CRL settings in Keychain Access, so that Safari can correctly identify certificates as being revoked and therefore untrusted.

You can set this in Keychain Access this way:

1. Open /Applications/Utilities/Keychain Access

2. Go into the Keychain Access menu and select Preferences…

3. In the Preferences window, click on the Certificates tab.

4. Set the first two options, for OCSP: and CRL: , to Best Attempt. It should be OK to leave Priority: set to the default setting.

You can also set these settings from the command line. You’ll need to run these commands on a per-user basis, as Keychain is looking to the ~/Library/Preferences/com.apple.security.revocation.plist file for these settings.

To set the CRL settings:

defaults write com.apple.security.revocation CRLStyle -string BestAttempt

To set the OCSP settings:

defaults write com.apple.security.revocation OCSPStyle -string BestAttempt

%d bloggers like this: