为了能使Safari自动地废止被废弃的认证,需要在用户的Keychain中设置OCSP和CRL打开:
Keychain Access程序中的Preferences, Certificates标签中,使用OCSP: 和CRL: 并设置为Best Attempt ,而优先级使用默认即可。
或者使用命令行:
To set the CRL settings:
defaults write com.apple.security.revocation CRLStyle -string BestAttempt
To set the OCSP settings:
defaults write com.apple.security.revocation OCSPStyle -string BestAttempt
其它的设置看这里的plist文件
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CRLStyle</key> <string>BestAttempt</string> <key>CRLSufficientPerCert</key> <true/> <key>OCSPStyle</key> <string>BestAttempt</string> <key>OCSPSufficientPerCert</key> <true/> <key>RevocationFirst</key> <string>OCSP</string> </dict> </plist>
