This document is covered by a Creative Commons license, see <http://creativecommons.org/licenses/by-nc-sa/1.0/> for more information.

Installing and creating your own SSL certificate on Mac OS X Server

—Joel Rennich, mactroll@afp548.com

Updated 6 May 2002

10.2 OK!

Self-signed SSL Certificates

We created a self-signed SSL certificate for AFP548.com and have experienced no troubles accessing it from Jaguar Server.

Almost everything that you need to set this up is available to you in a stock install of Mac OS X Server. Apple actually has an article on using mod_ssl, the SSL module for Apache, to do this on its developer site, but here is a slightly abbreviated version.

We are going to create our own certificate authority (CA) to sign the SSL certificate. This is great for testing and in-house use on websites, but people who haven’t installed the CA will get errors in Internet Explorer. So it is best to use this just for corporate e-mail and other services that the general public won’t see. If you are really interested in doing any kind of e-commerce with the public it would be best to pay the $200 (US) to Verisign to get an actual certificate.

So drop down to the Terminal and create a new directory to build all of this in.

mkdir ca

Then begin to build your CA by generating a private key.

openssl genrsa -des3 -out ca.key 1024

You will be asked for a password that will secure your CA. It is important to remember this and to also keep it safe.

Now you are going to issue a self-signed certificate from the key to make it into a full CA.

openssl req -new -x509 -days 999 -key ca.key -out ca.crt

The password that you are asked for is the same one you entered in the step above. You will then be asked a series of questions. Since this CA is not really for public consumption the answers don’t really mean much. You can be as honest as you want.

Now that this is done you need to put it into a different format so that you can import it into Internet Explorer and trade one set of annoying messages for another.

openssl x509 -in ca.crt -out iecert.crt -outform DER 

Keep this file someplace where you can link to it from a website or have it in a directory listing in a website. When you download this through IE it will identify it as a CA and ask you if you want to import it. Do this. It will then ask for a password. This is NOT the password you supplied when creating the certificate. This is a new password to “protect” the CAs that you have set up in IE. I don’t know any real rational reason why you would need this protection, but hey, roll with it. It is probably easiest to just leave the password blank on all of these. The side effect of importing the CA is that from now on, whenever you enter a secure site for the first time after IE is launched, you will have to enter the password to unlock the CAs. If you don’t import the certificate, IE will warn you every time you go to that site that the connection is not secure. This is not true; if you sniff the packets you will see that they are encrypted, but whatever.

Now you can use this CA to sign server certificates to secure your websites. You will need one for each domain that you have, i.e., mail.afp548.com and www.afp548.com will each need one if you want to secure both sites.

So first we will generate a new private key.

openssl genrsa -des3 -out server.key 1024

You will be prompted for a password here also. This can be the same or different from the password for the CA. Just remember it because you will need to enter it into the server admin to get SSL running.

Now you need to generate a request with the private key.

openssl req -new -key server.key -out server.csr

Again you will be asked for a password; this is the one you entered in the step above. Then you will get a bunch of questions. None of them really matter except for the common name. This needs to be the fully qualified name of your webserver, like www.afp548.com. If this is wrong you will get errors in the browser. Also, it is best to leave the challenge password blank.

Now we need to set up a few folders so that we can actually sign the certificate. This used to be done with a script from the openssl distribution, but that isn’t easily available anymore so we’ll do this the hard way.

mkdir -p demoCA/private
cp ca.key demoCA/private/cakey.pem
cp ca.crt demoCA/cacert.pem      # the CA certificate created above
mkdir demoCA/newcerts            # openssl ca keeps a copy of each issued cert here
touch demoCA/index.txt           # empty certificate database
echo "01" > demoCA/serial        # serial number for the first certificate

You can now actually sign the server certificate with your newly minted CA.

openssl ca -policy policy_anything -in server.csr -out server.crt

The password you are prompted for is the password you assigned to the CA, the first one, not to the certificate itself. If you need to create more certificates you will only need to do the last three steps for each.
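The whole procedure above, as an added example that is not from the original article, in a single non-interactive POSIX sh script: it carries its own minimal openssl.cnf (so nothing depends on the stock config file), answers the prompts with -subj and -passin/-passout, uses 2048-bit keys instead of 1024, adds the basicConstraints and subjectAltName extensions that current clients require, and finishes with the openssl verify check that the steps above leave out. The passphrases and www.example.test are constructed demo values, and it assumes OpenSSL 1.1.1 or later.

```shell
set -eu
CA_PASS="ca-demo-pass"        # constructed demo passphrase for the CA key
SRV_PASS="server-demo-pass"   # constructed demo passphrase for the server key
SRV_FQDN="www.example.test"   # constructed hostname (common name and SAN)
write_config() {   # minimal openssl.cnf written into $1, so the stock file is not needed
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$SRV_FQDN
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
x509_extensions = v3_server
[ policy_anything ]
commonName = supplied
EOF
}

build_pki() {   # $1 = empty work directory; exit status 0 only if the chain verifies
  d="$1"; cfg="$d/openssl.cnf"; write_config "$d"
  mkdir -p "$d/demoCA/private" "$d/demoCA/newcerts"   # the article's demoCA layout
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$d/ca.key" 2048
  openssl req -config "$cfg" -new -x509 -days 999 -extensions v3_ca \
    -key "$d/ca.key" -passin "pass:$CA_PASS" -subj "/CN=Demo CA" -out "$d/ca.crt"
  cp "$d/ca.key" "$d/demoCA/private/cakey.pem"; cp "$d/ca.crt" "$d/demoCA/cacert.pem"
  : > "$d/demoCA/index.txt"; echo "01" > "$d/demoCA/serial"
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$d/server.key" 2048
  openssl req -config "$cfg" -new -key "$d/server.key" -passin "pass:$SRV_PASS" \
    -subj "/CN=$SRV_FQDN" -out "$d/server.csr"
  openssl ca -config "$cfg" -policy policy_anything -batch -notext \
    -passin "pass:$CA_PASS" -in "$d/server.csr" -out "$d/server.crt"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt"   # chain check the article omits
}

build_pki "$(mktemp -d)"
```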

Now you can take all of your pieces and make the sites secure.

Go into Server Admin. First of all make sure that SSL is enabled on the first pane of “Configure Web Service”. Then go to the site that you want to secure. Change the port to 443 and then click on the security tab and enable SSL by checking the box at the top. Then you need to open up some of the files that you have created in TextEdit, or any text editor, and copy and paste them into the three appropriate spots. Copy server.crt into “Edit Certificate File”, server.key into “Edit Key File”, and ca.crt into “Edit CA Certificate File”.

Stop and start your webserver and test it out using https://your.site.com.

Addendum (25 February 2002)
After creating and installing your SSL certificate you need to manually alter the config file for the server to get higher than 56 bit encryption. By default OS X Server will only do low-level encryption, even with a high-level certificate. I imagine that this is a holdover from the recent export restrictions that was just never taken out.

Anyhow, you will need to open up the /etc/httpd/httpd_macosxserver.conf file. At the end of the file you will find a section for each of your virtual sites. For every site that uses SSL you will find a line that looks like this

SSLCipherSuite "RSA:-HIGH:-MEDIUM:-LOW:+EXP"

You will need to change this to

SSLCipherSuite "ALL"

Stop and start your server and you will now have 128 bit encryption on the certificate that you created.

Thanks to Jon Moog on the server list for this last bit.