10.6.8 Installing SSL Certificates Correctly

July 16th, 2011

I am well aware of how to install and set up SSL certificates in OSX Server, but that was not always the case. I am writing this how-to for those less experienced who may find it helpful. There are two types of SSL certificates that you can use on your OSX Server. Self-signed certificates are created on the server itself and are not verified by a third party. You can use them to encrypt and secure your server's services, but you will ultimately confuse your users with a never-ending string of warnings about untrusted certificates. The second type starts from a self-signed certificate as its base, but that certificate is then verified and signed by a third-party certificate authority. We use GoDaddy for our certificates and they work pretty well; there are many other vendors that offer moderately priced certificates and will give you a trusted connection. This type of certificate is transparent to the user and simply encrypts the data without any warning message.

What I struggled with for a while, as a system administrator with little experience in the SSL realm, was that no matter how many ways I tried to install the certificate on my server, users would still get warnings saying that the certificate was not trusted. Through some trial and error and luck I figured out the proper steps for making sure that all of your services and your users can use SSL without the heartache of untrusted-certificate warnings. The steps are simple:

    1. Create your self-signed certificate in Server Admin.
    2. Generate a Certificate Signing Request (CSR).
    3. Submit the CSR to the SSL certificate authority.
    4. Import the returned signed certificate into your server.
    5. Import the returned intermediate certificate into your server.
    6. Configure Apache to work with your certificate.
    7. Restart and re-assign certificates to your services.

Step 1:
Launch Server Admin and select the hostname of the server that you are configuring. Choose the Certificates icon to display the “Default” self-signed certificate. You’ll need to edit this to something appropriate for your server. It’s important that you set the “Common Name” field to the fully qualified domain name (the A record) of your server. Once you’ve edited your self-signed Default certificate, you next need to generate the CSR.

Step 2:

In the same pane in Server Admin is the little sprocket pull-down with the option to “Generate a Certificate Signing Request (CSR)…”. A window will drop down with a field to enter an email address. Don’t bother with this. Just drag the certificate icon to your desktop. Sitting on your desktop is a text clipping that looks like this:

-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded CSR body, omitted here]
-----END CERTIFICATE REQUEST-----

Step 3:
Here is where you will actually purchase the certificate. Head over to GoDaddy or any other vendor that sells SSL certificates and enter your information. When it asks you for your CSR, paste in the text from your text clipping. Be sure to include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines! Once your certificate request has been verified you will be ready to proceed to the next step.

Step 4:
Usually within a couple of hours you should get an email with your new SSL certificate. The email will come with instructions, but if you have a stock Snow Leopard Server it is better to do it “the Mac way” than to follow their generic Apache instructions.

Back in Server Admin, select the self-signed certificate you edited in Step 1, go to that little sprocket again, and this time choose “Add Signed or Renewed Certificate from Certificate Authority…”. A window will drop down; drag and drop all of the .crt files you got from your SSL provider into it. That’s your signed certificate. Server Admin will put all the parts where they belong.

Step 5:
Here is where most inexperienced server admins stop, but this is not the last step. The certificate is valid in Server Admin; however, Server Admin relies on the Keychain on the OSX Server to validate requests. Open Keychain Access and you’ll see that it says (in red letters) “This certificate was signed by an unknown authority.” You need to add the intermediate certificate to your server. To do so, double-click the gd_intermediate.crt file; the certificate should automatically update to a nice green colour and render as valid.

Step 6:
Now that Server Admin is configured and the Keychain is happy, you need to add the gd_bundle.crt file and configure Apache. This is less daunting than you might think. You should have received a gd_bundle.crt file when you purchased your certificate; if you have a .crt file with the word “Bundle” somewhere in its name, that is the file you need. Copy this file to the /etc/apache2/ folder on your server. You will need to copy it as root! If your file is named gd_bundle.crt, copy it over the one that already exists on your server. Once done, you are finished with this step.

If your file is not named this way, copy it into your /etc/apache2/ folder, open the httpd.conf file located there, and update the path on the SSLCertificateChainFile line, as shown below:

<IfModule mod_ssl.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLPassPhraseDialog exec:/etc/apache2/getsslpassphrase
    SSLSessionCache shmcb:/var/run/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/log/apache2/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    AddType application/x-x509-ca-cert crt
    AddType application/x-pkcs7-crl crl
    SSLCertificateChainFile /etc/apache2/the_name_of_your_ssl_bundle_file.crt
</IfModule>

After saving httpd.conf, test your Apache 2.2 configuration file by invoking this command:

bash-3.2# apachectl -t
Syntax OK

Step 7:
This last step is the one that had me banging my head against a wall for the longest time. Once done, you must restart your server; then you must go through every service running on your server and un-assign, save, re-assign and save again the SSL certificate each one needs. This is the only way that I was able to get my Mail service and Web services (web sites) working with SSL consistently. Once that is done, another restart does not hurt. Test and verify that everything is working.

I really hope that you find this walkthrough useful. If you did, please leave a comment below, post a question, or suggest a better, easier or different way to manage and install SSL certificates on an OSX Server.



Comments


Comment by Skip

This was great … but I have one question … what’s the “bundle” file. When I got my email instructions and ssl certificates there’s no mention of a bundle file. Just two … the my domain.crt and the intermediate.crt …

Reply

By Jon Brown

Depending on where you got your certificates there are different kinds of certificates. When you buy an SSL certificate you should get all the files you need for various configurations. The files you need for Apache are different from the ones you need for other services. Some companies include Apache in the SSL while others charge for them separately or not at all. I wrote the tutorial with Go Daddy as the vendor. There will be issues with Apache if you do not have an Apache .crt file, you will get warnings saying “This certificate may not be trusted” in Firefox. If you can deal with those then you should be fine.

Reply


Comment by Graham

What if any considerations are there to installing and setting up SSL certificates on privately addressed servers? Our self-signed certificates are expiring, and I am considering switching to verified certificates precisely to avoid the “trust” issue. However, I read that it’s not quite “kosher” to verify certificates on servers not publicly addressable. For that matter, I am not quite versed in the matter of why I even need SSL besides (if I recall correctly) for Open Directory at setup of replicas (which I need). I don’t really suppose that I can do without SSL but could use some help gaining perspective on the question. Thanks for any guidance.

Reply

By Jon Brown

This is my opinion. SSL certificates serve two purposes: to automatically secure connections and communications between client computers and servers, and to inform clients that their connection is trusted. Trust me, no one knows better than me the plight of having a self-signed certificate display as untrusted. Since the traffic to the server is internal and not external, using a publicly signed SSL certificate is more than fine, because the SSL certificate agent uses the CSR to validate your server; it does not need to be public. However, some agencies require the DNS on the server to point to a public IP address, which can be problematic. I use GoDaddy specifically because they do not require that. You can create the OD Master with replicas without SSL; in fact Apple stated to me verbally that in 10.5 and 10.6 it was more stable to not use SSL certificates. To encrypt or secure connections they suggested changing the ports on which the servers talked to each other, and changing the SSH port as well. I use signed certificates on internal servers to avoid the issue of having a trusted connection warning, and I have never had an issue.

Reply

Comment by Rusty

Thank you for the detailed instructions.

Could you please provide your thoughts on this question. I only need to create an SSL cert to be used for my email server (mail.example.com) and not the entire http://www.example.com. In that case, when I create the SSL and specify the name, do I use http://www.example.com or mail.example.com ?

I would like to use http://www.example.com because I assume I can then use the cert in other areas of the domain (such as login access or e-commerce). Is my understanding correct in that I can use http://www.example.com and apply it to sub-services such as mail, login, e-commerce etc without needing to purchase additional SSL certs?

Thank you kindly for your advice.

Rusty

Reply

By Jon Brown

You should use a wildcard domain certificate. This kind of certificate allows you to purchase one certificate and then use it for

example.com
http://www.example.com
mail.example.com

etc… you can use it for any subdomain or the main domain. However, some browsers like Firefox will translate a wildcard certificate in a way that causes an error on the grounds that it’s a “Domain Mismatch”, which it’s not. If you’re looking for a foolproof solution, then purchasing two certificates, one for

example.com

and

mail.example.com

would ensure that all browsers will properly accept your certificate.

Reply
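As an added example (not part of the comment thread above), the following shell script builds a throwaway self-signed certificate whose only name is the wildcard *.example.com and uses openssl’s own hostname matching to show which names it covers. The certificate and host names are constructed; it assumes an openssl binary (1.1.1 or later, for -addext) on the PATH. It goes slightly beyond the exchange: besides mail.example.com and the bare example.com it also tests a two-level subdomain, since a wildcard matches only a single label.

```shell
#!/bin/sh
# Added example: which host names does a "*.example.com" wildcard certificate
# actually match? The certificate is a constructed self-signed one.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate carrying the wildcard in both the CN and subjectAltName.
# openssl checks subjectAltName first and falls back to the CN only when the
# certificate has no DNS names there, so the SAN is what decides the match.
make_wildcard_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com" \
        -keyout "$WORK/wild.key" -out "$WORK/wild.crt" 2>/dev/null
}

# Validate the certificate for one host name, trusting the certificate itself so
# that only the name check can fail. Prints "match" or "mismatch".
wildcard_covers() {
    if openssl verify -CAfile "$WORK/wild.crt" -verify_hostname "$1" "$WORK/wild.crt" 2>&1 | grep -q ': OK$'; then
        echo match
    else
        echo mismatch
    fi
}

make_wildcard_cert
for host in mail.example.com www.example.com example.com a.b.example.com; do
    printf '%-20s %s\n' "$host" "$(wildcard_covers "$host")"
done
```

The bare domain and the two-level name come back as mismatches: a *.example.com certificate covers mail.example.com and www.example.com, but not example.com itself, which is why a second certificate (or a certificate that lists the bare domain as an additional name) is needed for the main domain.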

Comment by Rusty

Thanks very much for that explanation, clears it all up!!

Reply

Comment by Witold

How do you create and install a self signed root certificate to replace the expired one?

Reply

By Jon Brown

Drag the new certificate and corresponding key file into the update window that appears in Server Admin or Server App. You then must double-click on both of them in the Finder to add them to the keychain on the server. Refer here for more of the nitty-gritty details.

Reply