Backing-up and migrating a Certificate Authority (CA) signed SSL certificates

  • #377306
    samv
    Participant

    I’ve recently installed a CA-signed certificate on our Mac OS 10.5.8 Server (our mail server). It is working nicely. The Apple documentation seems to omit detail on backing up and moving CA-signed certificates.

    Is backing-up as easy as dragging the certificate from Keychain Access to a folder (results in one ‘mail.abt.com.au.cer’ file) and backing it up?

    Or do I need to dig around in /etc/certificates and back up the related files…
    mail.abt.com.au.chcrt
    mail.abt.com.au.crt
    mail.abt.com.au.csr
    mail.abt.com.au.key

    And once I’ve backed it up, how do I reinstall the CA-signed certificate when I eventually set up a new Mac OS 10.6 mail server? Simply drag it to Keychain? Or drag it to the “Certificate” section of Server Admin?

    Apple’s server documentation seems to be somewhat deficient in this regard.

    If I don’t get a response from anyone I’ll experiment when I set-up with the new server and report back here.

    Thanks,

    Sam

    #377321
    samv
    Participant

    I worked out the solution to my question. The interface described below applies to Mac OS 10.5 Server (I expect Mac OS 10.5 Server will be similar, but I haven’t yet had a chance to look at 10.6 Server).

    To restore a Certificate Authority (CA) signed certificate it is important to back up at least two files:
    mail.abt.com.au.crt (Certificate)
    mail.abt.com.au.key (Private Key)

    Two other files are not so critical for backup:
    mail.abt.com.au.crtkey (Certificate & Private Key)
    mail.abt.com.au.chcrt (Chained Certificate?)
    mail.abt.com.au.csr (Certificate Signing Request)

    To import/restore a certificate (Certificate Authority signed certificate) in Server Admin:
    1. Server Admin
    2. Certificates
    3. Import

    http://users.tpg.com.au/samven1/import_certificate.png

    Certificate File > mail.abt.com.au.crt
    Private Key File > mail.abt.com.au.key
    Certificate Authority File > mail.abt.com.au.crtkey or mail.abt.com.au.chcrt or mail.abt.com.au.crt

    Enter ‘Private Key Passphrase’ if you elected to use a passphrase when you initially created your certificate (at self-signing stage).

    Obviously, good IT administration dictates that you back up your Certificate Authority (CA) signed certificates. Some CAs provide a re-issuing service, but this is the last thing you want to worry about if you have to rebuild a server in a hurry. All the best!

    #378437
    generic_penguin
    Participant

    Hi Sam. Long time no see

    Wait till you need to do this in 10.6; it has changed again.

    I suggest having a read of the “Advanced_Server_Admin_v10.6.pdf” available on Apple’s website about SSL certificates. However, it does not tell you how to back up and restore your certificates.

    Under 10.5 server

    The certificates lived in /etc/certificates

    In this case

    domainname.com.au.chcrt
    domainname.com.au.crt
    domainname.com.au.crtkey
    domainname.com.au.key

    The ones you need being

    * domainname.com.au.crt
    * domainname.com.au.key

    You can import the certificates on a 10.5 or 10.6 server under Server Admin: select Import and select the .crt file for the certificate and the .key file for the private key.

    So anyone wishing to back up or restore their SSL certificates would simply back up /etc/certificates/

    However in 10.6 server

    The certificates still live in /etc/certificates, but the private key is now encrypted and the file format changed to .pem

    In this case

    domainname.com.au.*************************************.cert.pem
    domainname.com.au.*************************************.chain.pem
    domainname.com.au.*************************************.concat.pem
    domainname.com.au.*************************************.key.pem

    If you were backing up the server you would need to copy the

    * /etc/certificates/
    * /Library/Keychains/System.keychain : which controls the password to decrypt the private key

    The private key “domainname.com.au.*************************************.key.pem” is encrypted by the OS X Server admin at import / creation time.

    To restore the SSL certificate you need to find the encryption password key.
    Launch the Keychain Access program and search for “Name : Mac OS X Server certificate management, Kind : application password”.
    If you have multiple entries in here, select the one with the Date Modified being the day you imported the certificate.
    Double click and select “Show password” and enter the password of the server.
    This will give you the password to decrypt the private key. It should be in the form of numbers and letters as ********-****-****-****-************

    You can now import the SSL certificate onto another server, whether that be a backup server in case of primary failure or your new server to replace your old one.

    You do this in the Server Admin program under Certificates. Select the + button and import

    * domainname.com.au.*************************************.cert.pem, which is the .crt file “certificate”
    * domainname.com.au.*************************************.key.pem, which is the .key file “private key”

    Drag the domainname.com.au.*************************************.cert.pem and domainname.com.au.*************************************.key.pem (“the encrypted private key”).
    It will ask you for a password; enter the password found above in the Keychain Access program.

    For other 3rd party applications such as Kerio Mail Server you may want to use this key as well; to do so it needs to be decrypted.

    To decrypt the SSL key you will need to be in the terminal (substitute your certificate’s name for domainname.com.au.*************************************):

    $ sudo openssl rsa -in /etc/certificates/domainname.com.au.*************************************.key.pem -out /etc/certificate/key-decrypt.pem

    Your decrypted private key is now found at /etc/certificate/key-decrypt.pem

    You can now use this decrypted private key with your certificate to import into another 3rd party program on that server such as Kerio Mail, or you can use this to import into Server Admin without being asked for your password key.

    NOTE : For those that have a signed certificate that is not signed by a direct root authority, you will need to also copy their intermediate chain certificate and import that into your keychain on the new server. Generally speaking you really don’t need to back this one up; the intermediate chain certificate is easily available / downloadable on the website of the signer. For example, GoDaddy’s can be found at https://certs.godaddy.com/anonymous/repository.seam
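A check worth running on such a backup before you have to rebuild in a hurry, added here as an example and not code from any poster in this thread: it confirms that a backed-up certificate and its (possibly encrypted) private key actually belong together, that the passphrase recovered from Keychain Access really decrypts the key, and it writes any cleartext copy with restrictive permissions, which the bare openssl command above does not. It assumes the OpenSSL command-line tool is installed; the file names and the passphrase secret123 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a backed-up certificate/key pair from
# /etc/certificates will really restore before you need it in a hurry.
# Assumes the OpenSSL CLI is installed; file names below are hypothetical.
set -u

# Return 0 if the certificate and the (possibly encrypted) RSA key share a
# modulus, 1 otherwise. $3 is the passphrase recovered from Keychain Access
# (leave it empty for a key stored in clear, as 10.5 Server wrote them).
check_pair() {
    cert=$1; key=$2; pass=${3:-}
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Return 0 if the key file is passphrase-protected (as 10.6 Server writes
# it on import), 1 if it is stored in clear.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# The decrypt step from the post, but the cleartext copy is created with
# mode 0600 so the unprotected key is not readable by other local users.
decrypt_key() {
    (umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null)
}

# Build a throw-away self-signed pair (passphrase secret123) plus an
# unrelated key in a temp dir, to exercise the checks offline.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=mail.example.test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -passout pass:secret123 >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh check_cert_backup.sh cert.pem key.pem [passphrase]
if [ $# -ge 2 ]; then
    if check_pair "$1" "$2" "${3:-}"; then
        echo "certificate and key match"
    else
        echo "MISMATCH, or the key could not be decrypted"
    fi
fi
```

Run it against the .cert.pem and .key.pem copied from /etc/certificates with the passphrase shown by Keychain Access; a mismatch means the backup would not have been restorable.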
