MacOS – Why when I increase SSL certificate security on the mac am I unable to use the app store (preflight error)

keychainmacosSecurityssl

Given the recent OSX issues with certificates and SSL, I want to increase the security of the certificate validation in general.

I came across a setting in the keychain that has a selection between best attempt and require if certificate indicates. The selection of always validate is greyed out.

enter image description here

When I do this, I get an error when using the app store "Unable to verify the preflight file". reverting to "best effort" seems to fix the issue.

How can I increase the security of my SSL / PKI certificate validation without breaking functionality of other apps?

Best Answer

This is a known bug in the App Store. Apple needs to fix it.

The only problem with forcing a check of revoked certificates is that Apple has a flaw in how it validates Mac App Store updates. With the option selected as shown in the figure below, you may be unable to perform updates through the App Store program. To fix that, launch Keychain Access, change the preferences to Best Attempt, update your apps, and then reset to the stricter setting. This is something Apple should clearly fix, since all the components of this situation are under its control.

http://www.macworld.com/article/1162472/keep_your_mac_safe_from_web_security_flaws.html

Related Solutions

MacOS – How to get com.apple.servermgrd to use a non-self-signed SSL certificate

Apple KB article HT3930 explains how to configure SSL for servermgrd, the Server Admin web interface.

It applies to Mac OS X Server 10.6 so until Apple updates this article part of the steps are confusing / obsolete.

Luckily, on Mountain Lion Server (10.8) servermgrd's certificate is stored in the same location as on Mac OS X Server Snow Leopard: in the System keychain of Aplications>Utilities>Keychain Access.

Here is what is needed on Mountain Lion (taken from the article)

While logged into the OS X where Server is set up to run services, open Keychain Access.

Select the System keychain.

Double click the com.apple.servermgrd identity preference (credit: picture borrowed from here):

Select your valid SSL certificate. You will have to import your SSL certificate first as explained in KB article PH7297.

Authenticate as an administrator if prompted.

As root, restart servermgrd for the changes in Keychain Access to take effect with this Terminal command: sudo killall servermgrd (authenticate with your administrator password if prompted).

MacOS – Connection error when remotely managing 10.9 OS X Server (SSL Handshake)

Ok, so after two weeks of not using this feature I tried again and it has now worked (not sure why). The log file says:

Jan 3 09:13:14 server.XXX.private collabd[329]: [CSUserSessionServiceBase.m:48 4398000 +0ms] Detected Magic Superuser Auth Token –

Best Answer

Related Solutions

MacOS – How to get com.apple.servermgrd to use a non-self-signed SSL certificate

MacOS – Connection error when remotely managing 10.9 OS X Server (SSL Handshake)

Related Question