Avian’s Blog

I've fixed my problem with Mail.app today.

The problem was that when Mail said The certificate for this server has expired it actually wanted to say The root CA certificate that signed the certificate for this server expired. Another fine example of misleading error messages.

The fact that the keychain that holds root CA certificates isn't accessible by default on Mac OS X just further complicated things. You can only add certificates to it by selecting a mysterious X509 Anchors keychain on the Add Certificate dialog but there is no obvious (or documented as far as I know) way of deleting them. It took quite a lot of experimenting (for example with the quite limited security command line tool that claims to be able to do just about anything the Security framework is capable). In the end, I found out that you can access the X509 Anchors keychain by simply opening the Keychain application, choosing Add Keychain... from the menu and selecting /System/Library/Keychains/X509Anchors.