Strange certificate in Keychain Access

  • Avatar

    Posted: 17 August 2012 05:31 AM

    I was hunting in my keychains for the UID+PWD combo to a site when the search turned up something very odd. It was a certificate that seemed to give some Hungarian individual or machine root authority. Can someone tell me what this is?

    If it helps, I’m on a MBP running OS X 10.5.8. Yes, I am a Luddite. I’ll get everything up to par by year’s end—I hope.

         
  • Posted: 18 August 2012 11:35 AM #1

    Using Google it would appear that is a Hungarian based entity that, like a number of others, issues certificates and which the major vendors include in their list of “trusted” certificate authority issuers. 

    A brief search finds that both Apple and Microsoft list that authority as by default “trusted” in their certificate authority list.

    My rough understand is that the list tells the browser who can “sign” a certificate by allowing the certificate that XYZ website uses to be verified by reference back to that authority.  If you are on a secure website the browsers will allow you to get the details.

    So if a website got a certificate from NetLock in Hungary and you request a “secure” connection (https://) Safari will check the certificate’s signature using NetLock’s public key to verify the certificate was issued by NetLock (and thus NetLock “vouches” for it).  Apple has decided that it’s “OK” to trust NetLock (and a whole bunch of others) and so Safari will not complain about the certificate so long as it can verify the certificate is one that NetLock has issued using that key.

    If the site sends up a certificate issued by an authority not in that list, Safari will issue a warning to you and ask if you want to accept the certificate anyway.  Similarly, if the certificate is invalid (either doesn’t verify using the key or has expired), Safari will similarly ask you if you really want to accept this anyway.

         
  • Avatar

    Posted: 18 August 2012 05:29 PM #2

    Wow! Thank you, EdZ! That’s a really great answer and I am impressed with the research. I was concerned that I might have picked up something that shouldn’t be. This answer gives me peace of mind.

         
  • Avatar

    Posted: 20 August 2012 12:56 PM #3

    Great stuff. THanks for posting the question, MacTad, and thanks very much to you, EdZ, for providing the answer. You rock. smile

    Signature

    -Dave Hamilton / The Mac Observer / Mac Geek Gab / Dave on Twitter
    When you find a big kettle of crazy, it’s best not to stir it.