Articles May 6, 2010 at 8:24 am

Backing up and restoring SSL certificates in 10.5 and 10.6

Some tips on where the certificates you've set up with Server Admin are hiding on your system and the differences between 10.5 and 10.6 in this regard.

Read on for where everything lives an what to do about it… 

SSL certificates storage has changed in 10.6 from 10.5

I suggest having a read of the "Advanced_Server_Admin_v10.6.pdf" available on Apples website about ssl certificates. However, it does not tell you how to backup and restore your certificates 

Under 10.5 server

The certificates lived in /etc/certificates

In this case


The ones you need being


You can import the certificates on a 10.5 or 10.6 server under the Server Admin select import and select the .crt file for the certifcate and .key file for the private key.

So anyone wishing to backup or restore there SSL certificates would simply backup /etc/certificates/ 

However in 10.6 server

The certificates still live in /etc/certificates but the private key is now encrypted and the file format changed to .pem

In this case


If you were backing up the server you would need to copy the

  • /etc/certificates/
  • /Library/Keychains/System.keychain : which controls the password to decrypt the private key

The private key "*************************************.key.pem" is encrypted by the OSX Server admin on import / creation time

To retore the ssl certificate you need to find the encryption password key

Lauch the keychain Access program and search for "Name : Mac OS X Server certificate management, Kind : application password"

If you have multiple entires in here select the one with the Date Modified being the day you imported the certificate

Double click and select "Show password" and enter the password of the server

This will give you the password to decrypt the private key. It should be in the form of numbers and letters as ********-****-****-****-************

You can now import the SSL certificate onto another server whether that be a backup server in case or primary failure or your new server to replace your old one

You do this in the Server Admin program under certificates. Select the + button and import

  •*************************************.cert.pem, which is the .crt file "certificate"
  •*************************************.key.pem, which is the .key file "private key"

Drag the*************************************.cert.pem and*************************************.key.pem. "the encrypted private key"

It will ask you for a password, enter the password found above in the keychain access program

For other 3rd party application such as Kerio Mail server you may want to use this key as well, to do is it needs to be decrypted

To decrypt the ssl key you will need to be in the terminal {sub************************************* for your certificate

$ sudo openssl rsa -in /etc/certificates/*************************************.key.pem -out /etc/certificate/key-decrypt.pem

Your decrypted private key is now found at /etc/certificate/key-decrypt.pem

You can now use this decrypted private key with your certificate key to import into another 3rd party program on that server such as Kerio Mail or you can use this to import into the Server Admin without asking for your password key


For those that have a singed certificate, that is not signed by a direct root authority you will need to also copy their intermediate chain certificate and import that into your keychain on the new server. Generally speaking you really don't need to back this up asintermediate chain certificate are easily available / downloadable on the website of the signer. Example godaddy's can be found at

Leave a reply

You must be logged in to post a comment.