
Setting OCSP and CRL certificate settings in Keychain Access

To help secure Safari against certificate hijacking, you can set your OCSP and CRL settings in Keychain Access, so that Safari can correctly identify certificates as being revoked and therefore untrusted.

You can set this in Keychain Access this way:

1. Open /Applications/Utilities/Keychain Access

2. Go into the Keychain Access menu and select Preferences…

3. In the Preferences window, click on the Certificates tab.

4. Set the first two options, OCSP: and CRL:, to Best Attempt. It should be OK to leave Priority: set to the default setting.

You can also apply these settings from the command line. You’ll need to run these commands on a per-user basis, because Keychain Access reads these settings from each user’s ~/Library/Preferences/com.apple.security.revocation.plist file.

To set the CRL settings:

defaults write com.apple.security.revocation CRLStyle -string BestAttempt

To set the OCSP settings:

defaults write com.apple.security.revocation OCSPStyle -string BestAttempt
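
The two commands above can be wrapped so that each key is written only when it differs from BestAttempt and is read back afterwards to confirm the change. This is an added example, not part of the original post; the function names are hypothetical, and it has to run as the user whose preferences are being set.

```shell
#!/bin/sh
# Added example: enforce and verify the revocation settings from this post
# for the user running the script. Function names are hypothetical.
DOMAIN="com.apple.security.revocation"
WANT="BestAttempt"

# Print the current value of a key, or "unset" if the key is absent.
revocation_get() {
    defaults read "$DOMAIN" "$1" 2>/dev/null || echo "unset"
}

# Write one key only if it differs, then read it back to confirm.
# Prints "<key>: ok" or "<key>: changed"; returns non-zero on failure.
revocation_ensure() {
    key="$1"
    if [ "$(revocation_get "$key")" = "$WANT" ]; then
        echo "$key: ok"
        return 0
    fi
    defaults write "$DOMAIN" "$key" -string "$WANT" || true
    if [ "$(revocation_get "$key")" = "$WANT" ]; then
        echo "$key: changed"
        return 0
    fi
    echo "$key: failed" >&2
    return 1
}

# Apply the check to both keys named in the post.
revocation_ensure_all() {
    rc=0
    for k in CRLStyle OCSPStyle; do
        revocation_ensure "$k" || rc=1
    done
    return "$rc"
}

# Only act where the macOS `defaults` tool is present.
if command -v defaults >/dev/null 2>&1; then
    revocation_ensure_all
fi
```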

  1. May 19, 2012 at 10:24 am

    Thank you
