Error 100013 adding X509Anchors cert in Snow Leopard

My office recently brought up an instance of Office Communications Server 2007 R2.  After connecting via my Windows 7 laptop I decided to try Microsoft Messenger on the Mac.  It seems that Apple and MS cannot make anything simple.  Adding the certificate not only required manually adding a keychain Apple seems to be phasing out, but the way Snow Leopard is configured, trying to add the cert simple produces an Error 100013 which is oh so descriptive.

The error is related to unix permissions.  If you add a certificate to System and try to drag it to X509Anchors this becomes more apparent.  The error message there states “UNIX[permission denied]”.  In the interest in being complete, here is how I got my organization’s root certificate added for OCS 2007 R2.  This might also be needed for Entourage.

  1. Open Keychain Access from Applications/Utilities.
  2. Go to File->Add Keychain.
  3. At this point you are in ~/Library/Keychains.  Browse to /System/Library/Keychains and add X509Anchors.
  4. Right-click the newly added keychain and unlock it.  The password is “X509Anchors”.
  5. Open Terminal.
  6. sudo chmod -R 777 /System/Library/Keychains (don’t worry, we’ll set it back)
  7. Double-click the certificate and add it to the X509Anchors keychain.  I’ve read this need to be a Base64 cert.
  8. Go back to your terminal window.  If you closed it, just open another.
  9. sudo chmod 755 /System/Library/Keychains (no -R this time as the files inside have different permissions)
  10. sudo chmod 644 /System/Library/Keychains/*
  11. Close Terminal and Keychain Access.

That’s it.  In my case I was now able to sign into our OCS 2007 R2 server with MS Messenger 7.0.2.  I was going to try the 8 beta but corporate logon is disable for that.

About Adam Oliver

Adam Oliver has been working in the IT field for over 10 years and is a Sales Engineer for Citrix Systems, Inc. Follow Adam on twitter at Find out more about Citrix at
This entry was posted in Apple and tagged , , , . Bookmark the permalink.

7 Responses to Error 100013 adding X509Anchors cert in Snow Leopard

  1. Mike says:


    I’m trying to do this for OCS in our environment but I think I’m adding the wrong cert. What cert did you add for your company’s organization. I added one of the actual machine certifications where the user pool is located but I couldn’t find the one that would probably apply better in this situation.

    Please note, I don’t manage our CA server here, I’m just the lowly admin that has to get this mac into our AD environment.

  2. Gordon says:

    I just ran into the same issue trying to get a special root CA for icdsoft running on Snow Leopard. Thanks for the post, you saved me a ton of time! You may want to note that I had to restart Keychain Access after changing permissions in order to get the root CA to take.

  3. Michael Schmitt says:

    An easier way is to update the X509Anchors keychain is to run Keychain Access as root; then it doesn’t complain about permissions.

    In Terminal, sudo “/Applications/Utilities/Keychain Access”

  4. Mike Crowley says:

    very helpful, thank you! Now for a way to automate this…

  5. michael posada says:

    I am having trouble with the terminal codes. how do I enter the codes in my terminal. and I don’t see any certs to double click to add to the X509Anchors keychain. basically from steps 6-10 I have trouble executing. Is there a way someone can help me finish this?

  6. Phil says:


    You lost me with Step 6. Can you further explain how to do this? I am unfamiliar with the term “sudo chmod.”

Leave a Reply

Your email address will not be published. Required fields are marked *