This goes along with my email last week about 802.1x profiles and getting
certificates imported. While my testing was successful on 10.6 machines,
I'm having troubles with my 10.5 machines.
We are using a Windows 2003 server (Domain Controller) as our RADIUS
server. If I export the certificate from that server and then try to import
into a 10.5 machine using security, I get an error:
SecTrustSettingsSetTrustSettings: unknown error -50=ffffffce
I was able to import a different cert from a Mac OS X server with no
problems, so I'm fairly certain the error lies in the way Windows exports
the cert. I've also tried getting the cert by connecting to the wireless
network and agreeing to install the cert that way, then exporting the cert. I
get the same, or a similar, error: unknown error.
I've been able to get around this by using certtool in 10.5 instead of
security:
certtool i certname.pem k=/Library/Keychains/System.keychain
Problem is, the certificate comes in as untrusted. I know that I could
probably go purchase a certificate for this AD server from a known trusted
root, like Thawte or Verisign, but we are going to be re-doing our AD early
next year, and I really do not want to purchase a cert for that server.
Anyone know how I can get this to import as a trusted cert? Either
importing the root cert from that server as trusted (which I've tried with
no luck), or just importing into the System.keychain as trusted?
Thanks!
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475