July 16th, 2011
I am well aware of how to install and set up SSL certificates in OS X Server, but that was not always the case. I am writing this how-to for those less experienced who may find this article helpful. There are two types of SSL certificates that you can use on your OS X Server. Self-signed certificates are created on the server and are not digitally verified by a third-party service. You can use these certificates to encrypt or secure your server's services, but you will ultimately confuse users with the never-ending string of warnings about untrusted certificates. The second type of certificate requires a self-signed certificate as the base but then gets verified by a third-party service. We use GoDaddy for our certificates and they work pretty well; there are many other services out there that offer moderately priced certificate verification and will provide a trusted connection. This type of certificate is transparent to the user and simply encrypts the data without any warning message.
What I struggled with for a while, as a System Administrator with little experience in the SSL realm, was that no matter how many ways I tried to install the certificate for use on my server, users would still get warnings saying that the certificate was not trusted. Through some trial and error and luck, I figured out the proper steps to making sure that all of your services and your users can use SSL without the heartache of untrusted warning messages. The steps to follow are simple:
Step 1:
Launch Server Admin and select the hostname of the server that you are configuring. Choose the Certificate icon to display the “Default” self-signed certificate. You’ll need to edit this to something appropriate for your server. It’s important that you set the “Common Name” field to the fully qualified domain name (the A-record name) of your server. Once you’ve edited your self-signed Default certificate, you next need to generate the CSR.
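Because a Common Name that differs from the name clients connect to produces trust warnings even on a CA-signed certificate, the CSR can be checked in Terminal before it is submitted. The script below is an added example, not part of the original article: it assumes the `openssl` command-line tool is available and that the CSR has been saved as a PEM text file, and its function names, file names and `server.example.com` are hypothetical.

```shell
#!/bin/sh
# Added example: check a CSR's Common Name against the server's FQDN.
# Function names and file names here are hypothetical.

# Print the Common Name (CN) of a PEM-encoded CSR file.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Succeed only if the CSR's CN equals the expected FQDN (case-insensitive).
csr_matches_host() {
    cn=$(csr_common_name "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# Build a throwaway key and CSR so the script runs offline (constructed input).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -subj "/C=US/O=Example Org/CN=$1" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_csr server.example.com "$dir/good.csr"   # FQDN as the CN
    make_sample_csr server "$dir/short.csr"              # short host name only
    for csr in "$dir/good.csr" "$dir/short.csr"; do
        if csr_matches_host "$csr" server.example.com; then
            echo "OK       $(basename "$csr"): CN=$(csr_common_name "$csr")"
        else
            echo "MISMATCH $(basename "$csr"): CN=$(csr_common_name "$csr")"
        fi
    done
    rm -rf "$dir"
}

demo
```

Current browsers match the host name against the certificate's subjectAltName entries rather than the Common Name, so the issued certificate should carry the same FQDN there as well.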
Step 2:
In the same pane in Server Admin is the little sprocket pull-down with the option to “Generate a Certificate Signing Request (CSR)…”. A window will pull down with a field to enter an email address. Don’t bother with this. Just drag the certificate icon to your desktop. Sitting on your desktop is a text clipping that looks like this: