Home > Live Communication Server > Mac Messenger\Live Communication Server certificate error (Digital certificate file is not valid)

Mac Messenger\Live Communication Server certificate error (Digital certificate file is not valid)

We recently changed our Live Communication Server certificate from an externally provided CA (IPSCA) and began using a internally provided certificate from our internal PKI.  We wanted to utilize Subject Alternate Names, without the cost of public Certificate Authorities.  All Messenger and Office Communicator clients honored the new cert, except MACs.  The problem is the fact that our internal trusted root CA is not in the X509Anchor trusted list.  This is different than the "System" trusted list.  By default, VeriSign and IPSCA are, as well as dozens more.


We were able to resolve the issue by adding the root cert to the local client.  Below are the steps we followed……..


LCS 2005 & Messenger for the Mac on Leopard

One of the changes with OS X 10.5 Leopard is the lack of the X509Anchors keychain being installed by default. The problem this creates is that a lot of Microsoft applications for the Mac depend on this keychain for their certificate authentication. They check the X509 keychain for a certificate and when it doesn’t exist, they fail to authenticate. The annoying part here is that the application doesn’t even have appropriate error messages included. Instead of something logical like the "the certificate is not valid or trusted" the user gets an error that their sign-in name or password is incorrect. Fortunately there’s a workaround and you can add this keychain back to make it functional again.

  1. Open Keychain Access (Using Spotlight to search for it is probably easiest)
  2. Click File > Add Keychain
  3. Browse to Machintosh HD | System | Library | Keychains and select the X509Anchors keychain. Press Open.
  4. Now select the X509 keychain in the Keychain Access window and drag all of the certificates you need onto this window. You should be prompted for your admin credentials.
  5. Now you’ll see a window asking which keychain you want to install the certificates to. Choose X509Anchors and press OK.
  6. Once your certificates are installed, try signing in again. This time it should succeed!


  1. Jan-Willem
    February 10, 2010 at 8:50 PM

    Where do I find the certificates? I am not a system admin, just a simple user. It works on my Windows system. Is there a way to export?

  2. mitsos
    October 26, 2010 at 12:31 AM

    “…and drag all of the certificates you need onto this window.”

    Where do you mean?

  3. Matt
    January 11, 2012 at 2:08 PM

    The keychain is giving me a UNIX error when trying to copy the certificates into it. Any suggestions? Thanks!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: