AFP548 Changing the world one server at a time.

Certificate Assistant - Rolling your own CA on Tiger

Come find the hidden sparkle of Certificate Assistant! Never have to use the openssl commands again! Well, almost never.

All you should have to know to create your own CA and get Server Admin to use the certs you've created.

Server Admin can generate certificates for you, but it gives you no easy way to set up your own root certificate. In a larger organization the usual approach is to create one root CA certificate and sign every server certificate with it: then you only have to import that single CA certificate onto the client machines, and they will trust every certificate you issue from it. Only the CA certificate ever leaves the server; the CA's private key stays in the keychain you create below.

1. Log into your server and, using Keychain Access, create a new keychain; in our example we'll use one called "CA Keys". This keychain will hold the CA's private key, so give it a strong password.

2. From the "Keychain Access" menu in Keychain Access choose Certificate Assistant. This launches a very promising, and largely unknown, little assistant that eliminates much of the work of doing this by hand.

3. Use Certificate Assistant to "Create a Certificate Authority", the second option in the list. You'll be asked to fill out a few things for the new root CA. Fill the identifying information out as you see fit. Note that for a CA the Common Name is not tied to DNS, so call it Great Big CA if you want.

If you don't want the hassle of renewing a root CA, set the Validity Period to at least a few years; once the root expires, every certificate chain that ends in it stops validating.

Click through the next six screens, leaving them at their defaults.

4. Finally, save the new CA into the keychain you created in step 1. Congratulations, you now have a brand new CA!

5. Your next problem is that even though you have a CA, you're not yet trusting it yourself. Go back to Keychain Access and show all of your keychains (the button at the bottom left of the window). If you are an admin user you should see both an X509Anchors and an X509Certificates keychain. From your CA keychain drag just the certificate item (not the private key) into X509Anchors. If Keychain Access refuses the drag with an "item already exists" error, export the CA certificate from the File menu as a Certificate Bundle (.p7b) and import that file into X509Anchors instead.

Quit Keychain Access and relaunch it. Now if you look inside the X509Anchors keychain, you should see an entry for the CA that you created. If you select this you should see that the certificate is now valid and has a green check.

6. Now you can issue a server certificate from your CA, so go back to Certificate Assistant. If you left the application open, a quirk of it means you may need to relaunch it to get the list of options back.

You want to pick the first option "Create a certificate for yourself" which will start you down the path to signing certs.

In the next screen uncheck the "Certificate will be 'self-signed' (root)" box and fill out the identifying information. This time it is imperative that the "Common Name" be the full DNS name of the server or site you are securing, because that is the name clients will check the certificate against.

Now select the CA that you want to use, if you only have one it should be the default. Otherwise you'll probably want this to be the CA that you just created.

Click through the next few screens, again leaving them at the defaults, and finally save the new server cert into the same keychain as your CA.

7. Back to Keychain Access. Select the CA keychain, in there you should now find 3 items with the common name of the server cert that you just created.

Select the certificate itself and, under the "File" menu, export it in PEM format.

Now select the private key with the server's common name on it and also export it. This time the only format option that you'll have will be p12, which makes this a touch annoying but not insurmountable.

When you export it you'll be asked for a password to protect the private key. You're welcome to set one for extra security or to leave it blank; either way the key comes out wrapped in a .p12 container, and you'll be prompted for the password (even a blank one) when you convert it in the next step.

8. Now for a slightly crafty part. Certificate Assistant exported the private key in .p12 format, but Server Admin won't accept it that way, so we have to convert the key into something we can use.

In the Terminal, find the .p12 file and convert it with openssl like so:

openssl pkcs12 -in your.key.p12 -nocerts -nodes -out key.pem

The -nodes flag writes the key out unencrypted, so keep key.pem readable only by you (chmod 600) and remove the copy once Server Admin has imported it.

9. You should now have a new key.pem file. In Server Admin, go to the Certificates section: select the server itself (the topmost entry in the list on the left), then Settings, then Certificates.

Here's where you can import the new cert with the "Import" button. The Certificate File is the first file that you exported from your keychain, the one that actually was exported as a .pem.

The Private Key File is the new key.pem that you converted from p12.

That's all you need, so save it. The new certificate should then show up in the list and be available to all of the services that can use it. Remember that browsers and other clients will still warn about the certificate until your CA certificate has been installed in their own trust store (on a Tiger client, its X509Anchors keychain); that CA certificate, never the CA key, is the one file you need to distribute.
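The following script is an added example, not part of the original article or of Apple's tooling: it reproduces what steps 3 and 6 produce (a root CA and a server certificate it signed, exported as PKCS#12 with a blank password) using only openssl, then performs step 8 and the checks worth running before handing the files to Server Admin: that the private key really belongs to the certificate, that the certificate chains to the CA, and that it names the host clients will connect to. It assumes an openssl binary on PATH; the CA name, the host name server.example.com and all file names are constructed for the example. It goes slightly beyond the article in one respect: it adds a subjectAltName, because current clients match the host name against the SAN rather than only against the Common Name.

```shell
#!/bin/sh
# Added example (not from the original article): openssl-only stand-in for
# Certificate Assistant's output, plus the conversion of step 8 and sanity
# checks on the result. All names below are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for steps 3 and 6: a root CA ("Great Big CA") and a server cert
# whose CN (and SAN) is the server's DNS name, signed by that CA.
make_fixture() {  # $1 = DNS name of the server
  host=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Great Big CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout server.key -out server.csr 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > san.cnf
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile san.cnf -out server.pem 2>/dev/null
  # Keychain Access only exports the private key as PKCS#12; a blank export
  # password still leaves it wrapped, which is what step 8 has to undo.
  openssl pkcs12 -export -inkey server.key -in server.pem \
    -passout pass: -out server.p12
}

# Step 8, then re-write the key through `openssl pkey` so the PKCS#12 bag
# attributes and the null-password wrapper are gone (the plain PEM form).
convert_key() {  # $1 = input .p12, $2 = output PEM key
  openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: 2>/dev/null \
    | openssl pkey -out "$2"
  chmod 600 "$2"   # -nodes wrote it unencrypted; nobody else should read it
}

# Does the private key belong to this certificate? Compare the public keys.
key_matches_cert() {  # $1 = cert PEM, $2 = key PEM
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Does the server cert chain to our CA? This is what a client that has the
# CA certificate in its trust store (X509Anchors on Tiger) will evaluate.
chains_to_ca() {  # $1 = CA cert PEM, $2 = server cert PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate name the host clients will actually connect to?
names_host() {  # $1 = server cert PEM, $2 = DNS name
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

report() {  # $1 = description, rest = check to run; non-zero on failure
  desc=$1; shift
  if "$@"; then echo "ok:   $desc"; else echo "FAIL: $desc"; return 1; fi
}

main() {
  make_fixture server.example.com
  convert_key server.p12 key.pem
  report "private key matches server.pem" key_matches_cert server.pem key.pem
  report "server.pem chains to ca.pem"    chains_to_ca ca.pem server.pem
  report "server.pem names the host"      names_host server.pem server.example.com
  echo "import server.pem and key.pem into Server Admin; ship only ca.pem to clients"
}
main
```

The three checks are the ones that explain most "Certificate Import Failed" and "certificate can't be verified" reports: a key exported from the wrong keychain item fails the first, a server certificate created as self-signed instead of as a leaf of the CA fails the second, and a Common Name that is not the DNS name fails the third.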

Comments (33)
Certificate Assistant - Rolling your own CA on Tiger
Authored by: prahn on Sunday, August 14 2005 @ 08:39 am MDT
Thank you for the nice article about the Certificate Assistant... I was already playing around with it, but did not really know what to do. When dragging my created Certificate Authority to the X509Anchors keychain, I get an error: "The chosen object already is in the keychain" (I translated it into English myself, because I use a German system....). So my CA is still untrusted.

Anyway, I was able to import the certificate into Server Admin. But when I have a look at the VPN (L2TP) settings, I cannot find the certificate in the pop-up menu?! How do I create a certificate that I can use for VPN?
Certificate Assistant - Rolling your own CA on Tiger
Authored by: arekdreyer on Monday, August 15 2005 @ 11:28 am MDT
I get an error message when trying to drag the CA from the "CA Keys" keychain: "An error has occurred. Unable to add an item to the current keychain. The specified item already exists in the keychain."

Here's how I do it: After creating the CA, you are at a screen where you can view the config files or mail the info. If you click to view the files, you'll be switched to the Finder, to your "~/Library/Application Support/Certificate Authority" folder, where there will be a .p7b file. Double-click on that file, and you'll be asked "Do you want to add the certificate(s) from the file [blah.p7b] to a keychain?" Select the X509Anchors item. You'll of course need to authenticate as an admin.
Certificate Assistant - Rolling your own CA on Tiger
Authored by: dthompson on Monday, August 15 2005 @ 05:57 pm MDT
I have tried to go through this and everything works as it should; however, when I load the cert into Server Admin and then select it within one of my web realms, reload Apache, and connect to my site, it still tells me that the certificate can't be verified...

Is this normal? I can see that it works from my own cert (CA) that I created, and added the cert based on that CA into my server realm, but it still offers a warning.

Anyone know any way around this quirk?? Is there any way to make my Certificate Authority be trusted by users who decide to visit my site???

Thanks.
Distributing CA root cert?
Authored by: Anonymous on Wednesday, August 17 2005 @ 04:55 pm MDT
I have successfully set my server to be a CA, and I have services using a certificate that the CA signed. How do I get my CA's root certificate out to my users, so that they will trust certs that my CA signs?
Certificate Assistant - Rolling your own CA on Tiger
Authored by: ElgertS on Saturday, August 20 2005 @ 01:22 pm MDT
This article makes references to an application called "Keychain Manager", however the correct name in Mac OS X for this application is "Keychain Access" in the "Utilities" directory.
Certificate Assistant - Rolling your own CA on Tiger
Authored by: prahn on Saturday, August 20 2005 @ 05:05 pm MDT
I did everything you wrote... I have the valid sign and imported my cert into Server Admin. How do I now configure the VPN client in Tiger to connect over L2TP with a certificate?

I tried everything: I imported the public key, the private key and the server certificate into the keychain of the client. I also put the root certificate in the X509Anchors keychain of the client. I even requested a new certificate via the Certificate Assistant from client to server and back via Mail (nicely working and integrated workflow!). When configuring the VPN connections I may only select a certificate for "user authentication", which did not work for me.... When trying to select a cert for "machine authentication" I always get the error "no machine certificate found".

Anyone know more? Please help me!
Certificate Assistant - Rolling your own CA on Tiger
Authored by: kalikkalik on Wednesday, August 24 2005 @ 05:09 am MDT
OK; I followed the article (thanks!), and imported the CA cert into the client Mac as well.

No more annoying error messages, but I still cannot sign or encrypt messages on the client.

Interestingly enough, I CAN do signing on the server (Mail on the Mac server), but no encryption either.

Ideas?

Thanks,
kalikkalik
Certificate Assistant - Rolling your own CA on Tiger
Authored by: Anonymous on Monday, August 29 2005 @ 02:25 pm MDT
Good article, but one thing is missing. As far as I can tell, the old limits for SSL with OpenLDAP still exist. If you create a key this way, the private key, even if you don't give it a wrapper password, still ends up wrapped, just with a null password (this is evident when you go to convert the private key... it still asks for an import password). If you give this to Open Directory, Slapd will segfault over, and over, and over again.

Simple solution: http://www.afp548.com/article.php?story=20040722080720854

openssl rsa -in server.key -out serverno.key

Basically, just output it without that wrapper. Everything works then. Really wish Apple would do things right... if you don't put a password, it should leave that wrapper off.

Good luck!
Certificate Assistant - Rolling your own CA on Tiger
Authored by: Anonymous on Thursday, September 29 2005 @ 10:25 pm MDT
Hi,

I made it up to step 5, where I have created a root CA and have it flagged as trusted.
But now I can't create new certs using that CA. The error message that the cert assistant provides is: "Sorry there are no valid issuers available to sign certificates".

Thankful for hints and tips

cheers
Certificate Assistant - Rolling your own CA on Tiger
Authored by: Anonymous on Tuesday, November 22 2005 @ 07:21 pm MST
When I try to import into Server Admin I get a pop-up error message: "Certificate Import Failed Make sure that the values you entered are correct and that the certificate files on the server are valid"

The certificate for the CA shows valid. (it in the x.509 Anchors) and the conversion of the private key was successful.

Running 10.4.3 version of OS X Server.

Thanks,
Tjp

P.S. Any documentation on what format Server Admin wants the certificates and keys in? I can't find it anywhere. And if Apple is listening, how about adding the ability to directly use the Keychain(s)...
Export as p7b and import to X509Anchors
Authored by: pixilla on Wednesday, November 23 2005 @ 04:40 pm MST
Nice tutorial. For those having trouble moving the cert to X509Anchors, do this.

In "Keychain Access" select the cert you created in this tutorial and choose File->Export, select "Certificate Bundle (.p7b)" from the "File Format:" drop down menu, and choose save. Note the name and where you saved it. We are next going to import this same file.

Now choose File->Import and select your exported p7b file and choose "X509Anchors" from the "Keychain:" drop down menu.

Quit and relaunch "Keychain Access".

It's now in "X509Anchors" keychain as valid with a green check mark.
Certificate Assistant - Rolling your own CA on Tiger
Authored by: Anonymous on Saturday, April 01 2006 @ 12:41 am MST
Hello, I just wanted to post the solution to a problem I had, since it was just by chance that I solved it. I tried to create a certificate signed by my newly created CA from a CSR from a Linux web server. The problem that I ran into was that after it finished generating the cert I would get an "Error, -1" and a "Done" button. When I tested the same steps on my desktop, I noticed that at this stage in the process I got a pop-up stating that Certificate Assistant was asking for access to the keychain which contained information about my mail server. After I granted it access, I then got a pop-up from Little Snitch that said Certificate Assistant was attempting to make a connection to my mail server on port 25 (SMTP). After that, I got a message stating that the cert was created.

So, after setting up mail for my account on my OS X Server -- success!

Hope this helps someone else, since I just spent the last 3 hours on it. :)

Certificate Assistant - Rolling your own CA on Tiger
Authored by: Franck on Friday, April 21 2006 @ 10:35 am MDT
Great article, I'm now rolling my own CA for different purposes (OpenVPN access, apache, postfix, cyrus imap and so on).

Some questions:

Is it possible to revoke certificates and generate "certificate revocation lists" ?

Sometimes the assistant fails to generate new certificates. After investigating, it appears that it tries to generate a certificate with an already used serial number. Modifying the certificate authority config file (in ~/Library/Application Support/Certificate Assistant) by hand (by incrementing the last used serial number) resolves the problem. Is this a known bug of the Certificate Assistant or a problem on my computer (12" PB running 10.4.6 client)?
Certificate Assistant - Rolling your own CA on Tiger
Authored by: stmoddell on Tuesday, June 24 2008 @ 01:39 pm MDT
Even though there have been a number of changes to the Certificate Assistant since this article was created it still is quite useful.

I have run into one issue, which is that I made the mistake originally of creating the server cert (after creating the CA) as self-signed. I further compounded that issue by deleting the server cert and its keys. When I created a newer server cert, as a leaf off the CA, I make it through the entire process, but at the end it fails saying the cert already exists. Unfortunately I can't figure out how to back out of this corner I've painted myself into. I've rm'ed the certs from the keychains, and I've made sure they aren't in /etc/certificates, but I still get the same error. I've tried creating a new keychain, and still arrive at the same error.

Any advice? Hints?