Untrusted Keychain Certificates after clean install. Please help!

Joined
Nov 15, 2016
Messages
11
Reaction score
0
Hi everybody,

I just did a clean install of Lion on my Mac and in my keychain utility I have two untrusted "system" certificates:

Com.apple.kerberos. kdc
Com.apple.systemdefault

I have done a lot of research online but found so much conflicting info! Some say these certificates should not be there and to delete them, others say deleting them will cause system instability, others say they are a bug that Apple is aware of.

I am hoping some of you kind folks on the forum can help me find clarity. Perhaps you too have these certificates? Or maybe you know what they really are? Hopefully not some backdoor for hacks, etc? I want my new system to be safe.

Thanks for any and all help!!
 
Joined
Sep 17, 2014
Messages
4,854
Reaction score
241
First, the name of that first certificate is actually com.apple.kerberos.kdc (no space between kerberos. and kdc).

Secondly, I am using the latest version of El Capitan (10.11.6), and the only "such" file I have is called "com.apple.Kerberos.kdc.plist" (note the capital K), located at /System/Library/LaunchDaemons.

Third, I have been using the excellent freeware program Onyx for quite some time, and one of the tasks you can do with it is Rebuild LaunchServices, dyld's shared cache, XPC cache, CoreDuet database, Mac Help, and Location of folders' names (there are other choices on that screen, but some of them do not apply to me, and a couple of them come with a "strong" warning). I actually do not understand a lot of that, but when I did a google search of the file name "com.apple.kerberos.kdc", some links mentioned .DS_Store files (that is one I do not have checked).

Not sure if that stuff with Onyx helps with this, and also whether or not El Capitan does not have such files, but I certainly do not have either of them.
 
Joined
Nov 15, 2016
Messages
11
Reaction score
0
Thanks for your reply. All I am trying to establish is if these certificates are safe and part of Lion? As stated above, the certificates were there right after a clean install...

Anybody have any tips?
 

Spawn_Dooley

Moderator
Joined
Jun 13, 2007
Messages
2,870
Reaction score
94
I did a quick search myself & found the following which you may or may not already have seen. I can't vouch for the authenticity as I hadn't even heard of either until your post. But I have com.apple.Kerberos.kdc.plist on my computer.

com.apple.kerberos.kdc is a self-signed key used for Kerberos authentication when you log into another Mac in your local area network, log into Back To My Mac, log into iCloud or MobileMe, or use Apple screen sharing.

It is necessary for automatic negotiation and encryption of the username and password for these functions. It's not signed by a CA because it's not unique to a particular computer, which is why it's "not trusted". If you delete it, you will not be able to automatically log in to any of those services, even if you tell the system to remember your username and password in the Keychain.

I believe, though I'm not sure, that com.apple.systemdefault is used to automatically log you on to the computer if you have automatic login available. It also isn't signed by a CA because it's the generic encryption key that is used to protect your system password. Deleting this certificate could cause problems with logging on to your computer; I recommend leaving it alone.
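
The "self-signed, not signed by a CA" description quoted above can be checked directly. The script below is an added example, not part of any post in this thread: it takes a certificate exported as PEM, reports whether it is self-signed, and prints its SHA-256 fingerprint so two clean installs can be compared. The function names and the constructed sample certificate are assumptions made for this example; `security find-certificate` and `openssl` are the real tools.

```shell
#!/bin/sh
# Added example, not from the thread. On the Mac, export a certificate with:
#   security find-certificate -c com.apple.kerberos.kdc -p \
#       /Library/Keychains/System.keychain > kdc.pem
# then run this script with kdc.pem as its argument.

# cert_kind FILE: prints self-signed, self-issued-unverified,
# issued-by-other or unreadable.
cert_kind() {
    pem=$1
    subj=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) \
        || { echo unreadable; return 0; }
    iss=$(openssl x509 -in "$pem" -noout -issuer_hash 2>/dev/null) \
        || { echo unreadable; return 0; }
    # Subject and issuer names differ: another certificate signed this one.
    if [ "$subj" != "$iss" ]; then echo issued-by-other; return 0; fi
    # Names match: check the signature against the certificate's own key by
    # using the certificate as its only trust anchor.
    if openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1; then
        echo self-signed
    else
        # Names match but verification failed (expired, or a different key).
        echo self-issued-unverified
    fi
}

# cert_fingerprint FILE: prints the colon-separated SHA-256 fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_sample_cert FILE: writes a constructed self-signed certificate (not
# an Apple certificate) so the script can be tried without a keychain.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=constructed-sample.invalid" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# With no arguments, demonstrate on the constructed sample.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d) && make_sample_cert "$tmp/sample.pem" \
        && set -- "$tmp/sample.pem"
fi
for f in "$@"; do
    printf '%s\t%s\t%s\n' "$f" "$(cert_kind "$f")" "$(cert_fingerprint "$f")"
done
```
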
 
Joined
Sep 17, 2014
Messages
4,854
Reaction score
241
What version of Lion? The last one from Apple was OS 10.7.5, and I assume that contains all updates (Security and others) Apple did after the initial release of Lion, OS 10.7, came out. Apple might have removed those two files (and other stuff) with updates.

I am going to try real hard and remember this when I do a clean, "virgin" installation of Sierra, OS 10.12 (and I'll also check after applying the OS 10.12.1 update).
 
Joined
Nov 15, 2016
Messages
11
Reaction score
0
Thank you honestone and Spawn_Dooley for your replies. I will reinstall Lion (10.7.2) where these certificates are (as I manually deleted them yesterday) and then update to 10.7.5 and see if the certificates are still there and get back to you.

If you think of anything in the meantime please let me know. Thanks again.
 
