Safari Personal Certificate Roulette

Apple gets a lot of things right. Personal certificate handling in Keychain/Safari is not one of them.

I use a handful of different personal SSL certificates in my browsing. MIT requires one to access certain secure sites, and I have another one for Open Science Grid services. A couple of days ago I generated a third certificate that allows me to log in to my OpenID account without a password. As I understand it, the W3C specification requires a browser to try all of these certificates at a secure site until one matches. Firefox does this beautifully, and Camino gets it right as well (modulo a funky bug or two). Safari? It picks one cert and sticks with it, even if that cert has nothing to do with the website in question. What’s worse, if you’re unlucky and it picks the wrong cert for the site, the error message is the singularly unhelpful

Safari can’t open the page “http://example.com/blah.html” because it couldn’t establish a secure connection to the server “example.com”.
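As an added illustration (not the author's code, and not how Safari or Keychain is implemented), here is the selection step a TLS client is expected to perform: the server's CertificateRequest carries the DER-encoded names of the CAs it accepts, and the client should offer whichever of its identities was issued by one of them. The snippet builds a constructed three-certificate keychain with placeholder CA names ("MIT CA", "OSG CA", "OpenID CA"); picking `keychain[0]` regardless of that list is the behaviour complained about above.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// One throwaway key signs every test cert; only the issuer name matters here.
var _, signKey, _ = ed25519.GenerateKey(rand.Reader)
// dn is a DER-encoded Name, the form a TLS server uses to list acceptable CAs.
func dn(cn string) []byte {
	return must(asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence()))
}

// issue constructs a test cert for subjectCN whose issuer reads issuerCN (not a valid chain).
func issue(subjectCN, issuerCN string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subjectCN}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, signKey.Public(), signKey))
	return must(x509.ParseCertificate(der))
}

// Constructed keychain: three identities from three CAs (placeholder names).
var keychain = []*x509.Certificate{issue("alice", "MIT CA"), issue("alice", "OSG CA"), issue("alice", "OpenID CA")}

// selectClientCert does what the post expects a browser to do: consider every
// identity and offer the first whose issuer the server accepts; nil means none fits.
func selectClientCert(identities []*x509.Certificate, acceptableCAs [][]byte) *x509.Certificate {
	for _, cert := range identities {
		for _, ca := range acceptableCAs {
			if bytes.Equal(cert.RawIssuer, ca) {
				return cert
			}
		}
	}
	return nil
}
```

A nil result is the case a browser should report plainly (no identity issued by a CA this server trusts), rather than as a generic failure to establish a secure connection.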

In the initial release of Leopard a user could work around this bug by setting up “Identity Preferences” in the Keychain. By ctrl-clicking on a Personal Certificate in the Keychain and selecting “New Identity Preference”, the user could associate a certificate with one or more URLs. Keychain was awfully picky about the formatting of the URLs (i.e., no trailing slashes), but at least it was something. Now it appears that in Safari 3.1 the Identity Preferences in Keychain are no longer respected (rdar://5848801). Come on, Apple!

Apple certainly knows about the issue with multiple certs; here’s a long thread on the discussion forums about it. If you believe the commenters in that thread, it’s an easy fix in Safari, but the changes to the Keychain (upon which several applications depend) are dramatic enough that Apple does not plan to fix it, ever. What a shame. Hopefully we can at least get the Identity Preferences working again sooner rather than later.
