Mac Messenger\Live Communication Server certificate error (Digital certificate file is not valid)
We recently changed our Live Communication Server certificate from one issued by an external CA (IPSCA) to one issued by our internal PKI. We wanted to use Subject Alternative Names without paying a public Certificate Authority for them. All Messenger and Office Communicator clients accepted the new certificate except the Macs. The cause is that our internal trusted root CA is not in the X509Anchors trusted list, which is separate from the "System" keychain's trusted list. By default VeriSign, IPSCA and dozens of other public roots are in X509Anchors; an internal root is not.
We resolved the issue by adding our root certificate to the X509Anchors keychain on each Mac client. Below are the steps we followed.
LCS 2005 & Messenger for the Mac on Leopard
One of the changes in OS X 10.5 Leopard is that the X509Anchors keychain is no longer installed by default. The problem this creates is that many Microsoft applications for the Mac depend on this keychain for their certificate validation: they look for the server certificate's issuer in the X509Anchors keychain, and when the keychain (or the root in it) doesn't exist, they fail to authenticate. The annoying part is that the application doesn't report the real cause. Instead of something logical like "the certificate is not valid or trusted", the user gets an error that their sign-in name or password is incorrect. Fortunately there is a workaround: you can add this keychain back, and the root certificate to it, to make sign-in work again.
Open Keychain Access (Using Spotlight to search for it is probably easiest)
Click File > Add Keychain
Browse to Macintosh HD | System | Library | Keychains and select the X509Anchors keychain. Press Open.
Now select the X509Anchors keychain in the Keychain Access window and drag all of the certificates you need (at minimum your internal root CA certificate) onto this window. You should be prompted for your admin credentials.
Now you’ll see a window asking which keychain you want to install the certificates to. Choose X509Anchors and press OK.
Once your certificates are installed, try signing in again. This time it should succeed!
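The same procedure can be scripted for a fleet of Macs with the command-line `security` tool, which is what the steps above do through Keychain Access. The script below is an added example written for this page, not part of the original post: it checks that the X509Anchors keychain is present, checks whether the internal root is already in it, and adds it as a trust anchor if not, so the administrator sees the real reason for a sign-in failure instead of the misleading password error. The keychain path is the one named in the steps above; the certificate file name, the `ensure_internal_root` helper and its messages are assumptions for the example, and `security add-trusted-cert` / `security find-certificate` are assumed to be available on the client.

```shell
#!/bin/bash
# Added example (not from the original post): make sure an internal root CA
# is trusted in the legacy X509Anchors keychain that Mac Messenger consults.
set -eu

# Path named in the post's steps; Leopard no longer installs it by default.
X509_ANCHORS="/System/Library/Keychains/X509Anchors"

# Return 0 if the keychain file exists, 1 otherwise.
anchors_keychain_present() { [ -f "$1" ]; }

# Pull the CN out of an "openssl x509 -subject" line (old "/CN=" and new ", CN =" styles).
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Common name of a PEM certificate on disk (needs openssl).
cert_common_name() {
  cn_from_subject "$(openssl x509 -in "$1" -noout -subject)"
}

# Is a certificate with this common name already in the keychain?
root_in_keychain() {  # usage: root_in_keychain "CN" keychain
  security find-certificate -c "$1" "$2" >/dev/null 2>&1
}

# Add the root CA to the keychain as a trust anchor (needs admin rights).
add_root_to_anchors() {  # usage: add_root_to_anchors cert.pem keychain
  sudo security add-trusted-cert -d -r trustRoot -k "$2" "$1"
}

# Hypothetical driver: report clearly instead of the client's "bad password" error.
# Returns 0 when the root is trusted, 2 when the X509Anchors keychain is missing.
ensure_internal_root() {  # usage: ensure_internal_root internal-root.pem [keychain]
  pem="$1"
  kc="${2:-$X509_ANCHORS}"
  if ! anchors_keychain_present "$kc"; then
    echo "ERROR: $kc not found; add it via Keychain Access > File > Add Keychain first" >&2
    return 2
  fi
  cn=$(cert_common_name "$pem")
  if root_in_keychain "$cn" "$kc"; then
    echo "OK: '$cn' is already trusted in $kc"
    return 0
  fi
  add_root_to_anchors "$pem" "$kc"
  echo "Added '$cn' to $kc; retry the Messenger sign-in"
}

# Example invocation (file name is a placeholder for your exported root CA):
# ensure_internal_root ./internal-root-ca.pem
```

Run it as an administrator after exporting your internal root CA in PEM form; the `-r trustRoot` flag marks the certificate as a root anchor rather than an ordinary certificate, which is the distinction that makes the Microsoft clients accept the server certificate chain.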