certificate assistant – keychain access – certificate already exists error

    #373230
    stmoddell
    Participant

    Howdy,

    Posted this question in the web portion of the forum, but realized it isn’t web related, so cross-posting here.

    —–

    Using the article on afp548 for rolling your own CA, I made significant progress in creating a CA. Unfortunately I’ve made a mistake (or three) and now am having trouble getting back to neutral ground.

    I have run into one issue, which is that I originally made the mistake of creating the server cert (after creating the CA) as self-signed. I further compounded that issue by deleting the server cert and its keys. When I created a newer server cert, as a leaf off the CA, I made it through the entire process, but at the end it fails saying the cert already exists. Unfortunately I can’t figure out how to back out of this corner I’ve painted myself into. I’ve rm’ed the certs from the keychains, and I’ve made sure they aren’t in /etc/certificates, but I still get the same error. I’ve tried creating a new keychain, and still arrive at the same error.

    Any advice? Hints?

    #373254
    stmoddell
    Participant

    Solved this issue, at least functionally. Resolution posted on the Apple discussion forum:
    http://discussions.apple.com/thread.jspa?messageID=7434613#7434613

    #373260
    khiltd
    Participant

    You should really just do this through openssl directly. Keychain Access is terribly broken.

    #373261
    stmoddell
    Participant

    Any chance you’d provide ‘how to’ instructions, or point at some existing documentation on this?

    Thus far I found Keychain Access to work fine for creating the CA, SSL certs, and VPN server cert. Where it has all fallen down is trying to get the cert to work on the VPN client. From what I’ve been able to find online, it looks like no one is using certificate-enabled VPN.

    To clarify, I’ve been able to enable server-side use of certificates on VPN, but have been unable to get the client side to recognize any kind of certificate for use with VPN.

    #373271
    khiltd
    Participant

    [QUOTE][u]Quote by: stmoddell[/u][p]any chance you’d provide ‘how to’ instructions, or point at some existing documentation on this?
    [/p][/QUOTE]

    The abridged version:

    [code]Generate an RSA Key:

    openssl genrsa -des3 -out ca.key 2048

    Generate a CA:

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    Generate another RSA Key:

    openssl genrsa -des3 -out server.key 2048

    Generate a Certificate Signing Request:

    openssl req -new -key server.key -out server.csr

    Sign:

    ./sign.sh server.csr

    Decrypt key:

    cp server.key server.key.original
    openssl rsa -in server.key.original -out server.key[/code]

    Scads of other examples are just a Google away.
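The abridged sequence above, carried end-to-end as an added example (not from the thread or its posters). It assumes openssl is on PATH, writes the keys unencrypted (the thread's -des3 is dropped so nothing prompts for a passphrase), and assumes the unseen ./sign.sh amounts to `openssl x509 -req` with the CA key; the subject names are constructed placeholders. The final verify step is the check worth running before importing anything into a keychain: a leaf that does not chain to the CA is exactly what produces confusing import errors later.

```shell
#!/bin/sh
# Added example, not from the original forum thread.
# Assumptions: openssl on PATH; unencrypted keys (no -des3) so it runs unattended;
# the thread's ./sign.sh is assumed to be an "openssl x509 -req" signing step.
set -eu

# Build a CA, a server key/CSR, sign the CSR with the CA, then verify the chain.
# $1 = working directory. Returns 0 only if the issued cert verifies against the CA.
make_ca_and_server_cert() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA private key (2048-bit RSA). Keep real CA keys encrypted and offline.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null

    # 2. Self-signed CA certificate; -subj replaces the interactive prompts.
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Example Test CA" -out "$dir/ca.crt" 2>/dev/null

    # 3. Server private key and certificate signing request.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/CN=server.example.test" -out "$dir/server.csr" 2>/dev/null

    # 4. Sign the CSR with the CA (what ./sign.sh stands in for).
    #    -CAcreateserial keeps ca.srl so each issued cert gets a distinct serial,
    #    which matters when a keychain refuses a "duplicate" certificate.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null

    # 5. Confirm the leaf chains to the CA before importing it anywhere.
    verify_chain "$dir/ca.crt" "$dir/server.crt"
}

# Return 0 if $2 (a certificate) verifies against $1 (a CA certificate).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject CN of a certificate (works with old "/CN=" and new "CN = " formats).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Print the issuer CN of a certificate.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}
```

Run it as `make_ca_and_server_cert ./myca` and then inspect `cert_issuer_cn ./myca/server.crt`; the issuer should be the CA's CN, and `verify_chain` against anything other than ca.crt should fail, which is the quick way to tell a CA-signed leaf from the self-signed one the original poster created by mistake.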

    #373272
    stmoddell
    Participant

    Thank you.

    Any idea if this will clear up my inability to get certs to work for VPN? (client… the server will accept a VPN server cert, but I can’t get the client to recognize any kind of cert for VPN)
