Several keychains can hold certificates:

• SystemRootCertificates: This keychain holds root certificates that ship with Mac OS X. The certificates already have trust given to them.

• System: This keychain holds certificates that the computer administrator can add. All users on a given client can read from this keychain. The trust settings of a certificate in this keychain can override those of a certificate in SystemRootCertificates.

• Any other keychain: This holds certificates for a given user and is only accessible to that user. The trust settings of a certificate in this keychain can override those of a certificate in SystemRootCertificates or System.

Trusted certificates can be in any of these locations, but a certificate is trusted only if trust settings have been explicitly assigned to it.

To configure clients to trust a certificate:

1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.

This is preferably distributed using nonrewritable media, such as a CD-R. Using nonrewritable media prevents the certificate from being corrupted.

2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate was copied onto the client computer.

3 Drag the certificate to the System keychain using Keychain Access.

Authenticate as an administrator, if requested.

4 Double-click the certificate to get the certificate details.

5 In the details window, click the Trust disclosure triangle.

6 From the pop-up menu next to “When using this certificate,” select “Always Trust.” You have now added trust to this certificate, regardless of who it is signed by.

From the command line

After copying the certificate to the target client computer, perform the following, replacing <certificate> with the file path to the certificate:

sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>

You can use the security tool to save and restore trust settings as well. For more information on using the security command-line tool, see the security man page.
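As an added example, not taken from the manual, the following shell script wraps the command above with a check that the file really is a certificate, verifies the result with security verify-cert, and exports the admin trust settings that the security tool can save and restore. It assumes macOS with /usr/bin/security and an administrator account; the -r trustRoot, -p ssl and trust-settings-export options are the tool's own.

```shell
#!/bin/sh
# Added example (not from the Apple manual): install a self-signed CA
# certificate into the System keychain with admin-domain ("-d") trust,
# verify the result, and back up the admin trust settings so they can be
# restored later with `sudo security trust-settings-import -d <file>`.
# Assumptions: macOS with /usr/bin/security, run as an administrator.
set -u

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Sanity-check the file before touching the System keychain: accept a PEM
# certificate (text header) or DER (first byte 0x30, an ASN.1 SEQUENCE).
looks_like_certificate() {
    f=$1
    [ -f "$f" ] || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        return 0
    fi
    [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]
}

# Add the certificate to the System keychain and mark it trusted as a root
# in the admin trust domain (-d). This is the manual's command with the
# result type spelled out; trustRoot is add-trusted-cert's default.
install_trusted_ca() {
    cert=$1
    looks_like_certificate "$cert" || { echo "not a certificate: $cert" >&2; return 1; }
    sudo /usr/bin/security add-trusted-cert -d -r trustRoot \
        -k "$SYSTEM_KEYCHAIN" "$cert" || return 1
    # Confirm the system now evaluates the certificate as trusted for SSL.
    /usr/bin/security verify-cert -c "$cert" -p ssl
}

# Save the admin-domain trust settings to a plist for later restore.
backup_trust_settings() {
    out=$1
    sudo /usr/bin/security trust-settings-export -d "$out"
}

# Usage: sh trust-ca.sh ca.crt [backup.plist]
if [ "${1:-}" ]; then
    install_trusted_ca "$1" && backup_trust_settings "${2:-trust-settings-backup.plist}"
fi
```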

Certificate Manager in Server Admin

Mac OS X Server’s Certificate Manager is integrated into Server Admin to help you create, use, and maintain identities for SSL-enabled services.

62

Chapter 4    Enhancing Security
