16 Jan 2008

Multiple certificates with Safari


This has always been a mystery to me: how to tell Safari that I want to use two personal certificates, one for each site. Until now I have trusted Firefox with this, but I wanted to give Safari another chance now that version 3 and Leopard are out. And guess what, it can be done! I can now successfully access both Klik, NLB's online banking, and e-Student, my university's student portal. To share the knowledge, here is a short tutorial on how to do this, or at least how I did it. This is for Safari on a Mac, of course; I have no idea how to do this on Windows.

By default, before any certificates are imported, Safari will fail to open https://klik.nlb.si/, and https://estudent.uni-lj.si/ won't recognize you.

My first problem was a corrupted keychain. I had migrated the keychain from my old system to Leopard and it had seemed a bit buggy ever since, always asking me for my password regardless of my selecting "Always Allow". But then I found Keychain First Aid (it's in Keychain Access, in its application menu, the one that reads "Keychain Access"). I tried verifying my keychain, but verification failed because the login keychain was not in my home directory. Repair fixed this, and the keychain now actually remembered the things I told it to remember.

But even after this fix I couldn't get Klik to load properly, so I just deleted my whole login keychain. You probably don't have to do this; just remove any certificates that could play a role in the whole process. You'll probably find them in the login and System keychains. I also emptied Safari's caches at this point, just in case.

I had previously exported both my certificates from Firefox into .p12 files. So now I imported the one from NLB into the keychain: open Keychain Access, click on the login keychain, then File -> Import Items…

I closed Safari, opened it again and navigated to https://klik.nlb.si/. I was greeted with their certificate. I chose to always trust it and also to always allow Safari to access my personal certificate from the keychain. (Before clicking "always trust", it is worth opening the certificate details and checking that the issuer is the one you expect; the setting is remembered.) Klik recognized me and I could log in.

Next, I imported the sigen-ca certificate (for e-Student) into the keychain, navigated to https://estudent.uni-lj.si, and again clicked "always trust" when presented with a certificate, but I didn't seem to get recognized. My guess is that Safari was presenting the wrong one of my two personal certificates.

So here comes the key part. In Keychain Access, I right-clicked my NLB personal certificate (the one with my name in it) and selected "New Identity Preference…". Under Location I entered "https://klik.nlb.si/" and chose the correct one of the two certificates. The Klik certificate is "Dusan Smolnikar", while the sigen-ca one reads "DUSAN SMOLNIKAR", so look closely at the name before you pick. Then I did the same for my sigen-ca certificate, entering "https://estudent.uni-lj.si" and selecting the other personal certificate. I'm not sure whether the lack of a trailing slash makes any difference, but I've read somewhere that it does; experiment if it doesn't work at first. What I did here was match each certificate to the correct URL, so Safari doesn't have to guess.

Now, after closing Safari and opening it again, both Klik and e-Student recognized me and I could log into them. I'm happy.
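The two steps the tutorial walks through in Keychain Access (import the .p12, then bind that identity to a URL) can also be scripted with the security(1) command line tool, which is handy if you have to repeat this on several Macs or the GUI picks the wrong certificate. This is an added example, not part of the original post; it assumes the security subcommands as documented on current macOS rather than Leopard, the openssl CLI for reading the .p12, and placeholder file names and passphrases.

```shell
#!/bin/sh
# Scripted equivalent of the Keychain Access steps above (added example, not
# from the original post). Assumes the security(1) subcommands as documented
# on current macOS and the openssl(1) CLI; file names and passphrases below
# are placeholders.

# Print the subject CN from an openssl "-subject -nameopt RFC2253" line read
# on stdin, e.g. "subject=CN=Dusan Smolnikar,O=NLB d.d.,C=SI". Prints nothing
# if the subject has no CN.
cn_from_subject() {
    tr ',' '\n' | sed -n 's/^ *\(subject= *\)\{0,1\}CN=//p' | head -n 1
}

# Print the exact common name of the personal certificate inside a .p12
# bundle. "Dusan Smolnikar" and "DUSAN SMOLNIKAR" are different identities,
# so read the name off the file instead of typing it from memory.
# (Old Firefox exports may need "-legacy" on OpenSSL 3.)
p12_cn() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | cn_from_subject
}

# Import the bundle into the default (login) keychain and pre-authorize
# Safari to use the private key, the "always allow" click from the post.
# Note that -P puts the passphrase in the process list; omit it to be asked.
import_identity() {
    security import "$1" -f pkcs12 -P "$2" -T /Applications/Safari.app
}

# Pin an identity to a URL: the "New Identity Preference..." step. -s is the
# location, -c the certificate's common name. If two identities share a name,
# use -Z with the SHA-1 hash printed by "security find-identity" instead.
# The read-back shows which identity the URL now resolves to.
bind_identity() {
    security set-identity-preference -s "$1" -c "$2"
    printf 'preference for %s now resolves to: ' "$1"
    security get-identity-preference -s "$1" -c
}

# Walk the whole procedure for one URL/.p12 pair, e.g.
#   setup_site https://klik.nlb.si/ nlb.p12 'p12 passphrase'
#   setup_site https://estudent.uni-lj.si sigen-ca.p12 'other passphrase'
setup_site() {
    cn=$(p12_cn "$2" "$3") || return 1
    [ -n "$cn" ] || { echo "no client certificate found in $2" >&2; return 1; }
    import_identity "$2" "$3"
    bind_identity "$1" "$cn"
}
```

To see which personal certificates Safari can offer at all, `security find-identity -v -p ssl-client` lists every identity in your keychains that is valid for TLS client authentication, together with the SHA-1 hash that `-Z` accepts.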
