When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity:

• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some services)

The certificate and trust chain are owned by the root user and the wheel group, with permissions set to 644. The public key and concatenation file are owned by the root user and the certusers group, with permissions set to 640.

Each file has the following naming convention:

<common name>.<SHA1 hash of the certificate>.<cert | chain | concat | key>.pem

For example, the certificate for a web server at example.com might look like this:

www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
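The layout above can be checked mechanically. The following audit script is an added example, not part of the manual or of Mac OS X Server: it walks a directory, verifies that every file follows the naming convention and carries the ownership and mode stated above, and, for .cert.pem files, that the hash in the name is the SHA-1 fingerprint of the DER-encoded certificate inside (an assumption about how the hash is computed; the suffix set cert/chain/concat/key is likewise assumed from the description of the four files).

```python
import base64, grp, hashlib, os, pwd, re, stat

# Naming convention from the manual: <common name>.<SHA1 hash>.<kind>.pem (kind assumed).
NAME_RE = re.compile(
    r"^(?P<cn>.+)\.(?P<sha1>[0-9A-Fa-f]{40})\.(?P<kind>cert|chain|concat|key)\.pem$")

# Owner, group and mode the manual states for each of the four files.
EXPECTED = {"cert": ("root", "wheel", 0o644), "chain": ("root", "wheel", 0o644),
            "key": ("root", "certusers", 0o640), "concat": ("root", "certusers", 0o640)}

def parse_name(filename):
    """Return (common name, uppercase SHA-1 hex, kind), or None if off-convention."""
    m = NAME_RE.match(filename)
    return (m["cn"], m["sha1"].upper(), m["kind"]) if m else None

def pem_fingerprint(path):
    """SHA-1 over the DER bytes of the first CERTIFICATE block in a PEM file.
    Assumption: the hash in the file name is this standard fingerprint."""
    with open(path) as f:
        m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      f.read(), re.S)
    if not m:
        return None
    return hashlib.sha1(base64.b64decode("".join(m.group(1).split()))).hexdigest().upper()

def audit(directory):
    """List every violation of the naming, ownership, mode and fingerprint rules.
    An empty list means the directory matches what the manual describes."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        parsed = parse_name(name)
        if parsed is None:
            findings.append(f"{name}: does not follow the naming convention")
            continue
        _, sha1, kind = parsed
        want_owner, want_group, want_mode = EXPECTED[kind]
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append(f"{name}: mode {mode:o}, expected {want_mode:o}")
        try:
            owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        except KeyError:  # uid/gid with no passwd/group entry on this host
            owner, group = str(st.st_uid), str(st.st_gid)
        if (owner, group) != (want_owner, want_group):
            findings.append(f"{name}: owned by {owner}:{group}, expected {want_owner}:{want_group}")
        if kind == "cert" and pem_fingerprint(path) != sha1:
            findings.append(f"{name}: SHA-1 fingerprint does not match the hash in the name")
    return findings
```

Run it as `audit("/etc/certificates")` on the server; any finding on a .key.pem or .concat.pem file that is world-readable deserves immediate attention, since those are the files the manual restricts to root and certusers.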

Readying Certificates

Before you can use SSL in Mac OS X Server’s services, you must create or import certificates. You can create self-signed certificates, create certificates and then generate a Certificate Signing Request (CSR) to send to a CA, or import certificates previously created with OpenSSL.

If you have previously generated certificates for SSL, you can import them for use by Mac OS X Server services. The OpenSSL keys and certificates must be in PEM format.

Select a CA to sign your certificate request. If you don’t have a CA to sign your request, consider becoming your own CA and then import your CA certificates into the root trust database of your managed machines.

When you set up Mac OS X Server, the Server Assistant creates a self-signed certificate based on the information you provided during initial setup. It can be used for any service that supports SSL. Once your clients choose to trust the certificate, SSL connections can be used without user interaction from that point on.

This initial self-signed certificate is used by Server Admin and Server Preferences to encrypt administrative functions.

Chapter 4 Enhancing Security
