Creating a Certificate Authority, To create a CA | Apple 10.6

4Click the Action button below the certificates list and choose “Generate Certificate

Signing Request (CSR).”

Certificate manager creates the signing request and shows the ASCII text version in the sheet.

5Click Save to save the CSR to the disk.

Your CA will have instructions on how to transfer the CSR to the signer. Some CAs require you to use a web interface; others require sending the CSR in the body of a mail message. Follow the instructions given by the CA.

The CA will return a newly signed certificate, which replaces the one you generated. For instructions on what to do now with your newly signed certificate, see “Replacing an Existing Certificate” on page 71.

Creating a Certificate Authority

To sign another user’s certificate, you must create a CA. Sometimes a CA certificate is referred to as a root or anchor certificate. By signing a certificate with the root certificate, you become the trusted third party in that certificate’s transactions, vouching for the identity of the certificate holder.

If you are a large organization, you might decide to issue or sign certificates for people in your organization to use the security benefits of certificates. However, external organizations might not trust or recognize your signing authority.

To create a CA:

1Start Keychain Access.

Keychain Access is found in the /Applications/Utilities/ directory.

2In the Keychain Access menu, select Certificate Assistant > Create a Certificate

Authority.

The Certificate Assistant starts. It will guide you through the process of making the CA.

3Choose to create a Self Signed Root CA.

4Provide the Certificate Assistant with the requested information and click Continue.

You need the following information to create a CA: ÂÂ An email address

ÂÂ The name of the issuing authority (you or your organization)

You also decide if you want to override the defaults and whether to make this CA the organization’s default CA. If you do not have a default CA for the organization, allow the Certificate Assistant to make this CA the default.

In most circumstances, do not override the defaults. If you do not override the defaults, skip to step 16.

66

Chapter 4    Enhancing Security

Image 66

Apple 10.6 manual Creating a Certificate Authority, To create a CA

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Administration Tools Enhancing Security Installation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Push Notification Server Index Contents About This Guide What’s in This Guide Using Onscreen Help To see the most recent server help topics Document Road Map Getting Started Preface About This Guide Getting Documentation Updates Getting Additional Information System Requirements for Installing Mac OS X Server Standards What’s New in Mac OS X Server ÂÂ iCal Server What’s New in Server Admin Understanding Server Configuration Methods Snmp NFS Supported Standards Radius System Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Planning Server Usage Determining Your Server Needs Determining Whether to Upgrade or Migrate Setting Up a Planning Team Identifying Servers to Set Up Determining Services to Host on Each Server Planning Server Usage Defining a Migration Strategy Migrating from WindowsDefining an Integration Strategy Defining Server Setup Infrastructure Requirements Defining Physical Infrastructure Requirements Setting up basic server infrastructure Minimizing the Need to Relocate Servers After Setup Defining Backup and Restore PoliciesMaking Sure Required Server Hardware Is Available Understanding Backup and Restore Policies Understanding Backup Types Understanding Backup Scheduling Understanding Restores Other Backup Policy Considerations Defining a Backup Verification Mechanism Command-Line Backup and Restoration Tools Understanding Time Machine as a Server Backup Tool ÂÂ Remote Access Settings ÂÂ Software Update ÂÂ Wiki ÂÂ Xgrid Server Admin Opening and Authenticating in Server Admin Server Admin Interface M N Customizing the Server Admin Environment Server Assistant Server Assistant is used for Server Preferences Workgroup Manager Workgroup Manager Interface Server Monitor Customizing the Workgroup Manager Environment For additional information, see Server Monitor Help ICal Service Utility ICal Service Utility Interface System Image Management Media Streaming Management Command-Line Tools RAID AdminServer Status Widget Xgrid Admin Podcast Capture, Composer, and Producer Apple Remote Desktop Enhancing Security About Physical Security About Network Security Firewalls and Packet FiltersNetwork DMZ VLANs MAC Filtering Transport Encryption Payload Encryption About File Security File and Folder PermissionsAbout File Encryption About Authentication and Authorization Secure Delete You have several options for authenticating users ÂÂ Secure Shell SSH Single Sign-On About Certificates, SSL, and Public Key Infrastructure Public and Private Keys Certificates About Certificate Authorities CAs About Identities About Self-Signed CertificatesAbout Intermediate Trust Certificate Manager in Server Admin To configure clients to trust a certificateFrom the command line Enhancing Security Readying Certificates To create a self-signed certificate Creating a Self-Signed CertificateRequesting a Certificate from a Certificate Authority To request a signed certificate Creating a Certificate Authority To create a CA Enhancing Security To create a certificate for someone else Using a CA to Create a Certificate for Someone ElseImporting a Certificate Identity To import an existing OpenSSL style certificate Managing Certificates Editing a Certificate To distribute your certificate to your clients Distributing a CA Public Certificate to ClientsDeleting a Certificate To delete a certificate Replacing an Existing Certificate Using CertificatesRenewing an Expiring Certificate To renew an expiring certificate SSH and SSH Keys Key-Based SSH LoginTo do this, run the following commands in Terminal Generating a Key Pair for SSH Key-Based SSH with Scripting Sample Administration Level Security Setting Administration Level Privileges Service Level Security Setting Sacl PermissionsTo set Sacl permissions for a service Security Best Practices Password Guidelines Creating Complex Passwords Installation Overview Confirm you meet the requirements Gather your information Start the installer Set up the environment Start up the computer from an installation disk Prepare the target disk Set Up Services Gathering the Information You Need Connecting to the Directory During Installation Setting Up Network ServicesAbout the Server Install Disc SSH During Installation Preparing an Administrator Computer Mac OS X Server Install DiscAdministration Tools CD About Starting Up for Installation To install Mac OS X Server v10.6 administration toolsBefore Starting Up Starting Up from the Install DVD To start up the computer with the installation discStarting Up from an Alternate Partition To create an image of the Install DVD Create a restorable image of the Install DVD Restore the image to the alternate partition Prepare the disks and partitions on the target computer To restore the image to a free volume Remotely Accessing the Install DVD To access the computer with Server Assistant To access the computer with VNC To access the computer using Screen SharingTo access the computer with SSH Identifying Remote Servers When Installing Mac OS X Server Identify the target server Starting Up from a NetBoot Environment Start up the computer from the NetBoot server Preparing Disks for Installing Mac OS X Server Create a NetInstall image from the Install DVD To create a NetInstall image from the Install DVD Choosing a File System ÂÂ Mac OS Extended Journaled, Case-Sensitive aka Hfsx About Hard Disk Partitioning To partition a disk using Disk Utility Partitioning a Disk So the command is About Creating a RAID Set To create a RAID set using Disk Utility You cannot create a RAID set from the startup disk Diskutil createRAID mirror setName format device device Installing Server Software Interactively For example Installing Locally from the Installation Disc To install server software locally Installing Remotely with Server Assistant To install on a remote server by using Server Assistant Installing Remotely with Screen Sharing and VNC Changing a Remote Computer’s Startup Disk To change a remote computer’s startup disk To use installer to install server software 105 Installing Multiple Servers Most Efficient Methods of InstallationMore Interactive Methods of Installation How to Keep Current Upgrading a Computer from Mac OS X to Mac OS X Server Postponing Server Setup Following Installation To postpone setting up Mac OS X ServerInformation You Need Connecting to the Network During Initial Server Setup Configuring Servers with Multiple Ethernet PortsAbout Settings Established During Initial Server Setup Specifying Initial Open Directory Usage ÂÂ Create Users and Groups Not Changing Directory Usage When Upgrading ÂÂ Configure ManuallyÂÂ Import Users and Groups Setting Up a Server as a Standalone Server Binding a Server to Multiple Directory Servers Setting up Servers Interactively To interactively connect to an additional directory server To set up servers interactively Select the target servers from the configuration list Using Automatic Server Setup Creating and Saving Setup Data To create a setup data file Using Encryption with Setup Data Files How a Server Searches for Saved Setup Data Files Setting Up Servers Automatically Using Data Saved in a File Restart the remote server To use setup data from a file remotelyCreate the saved setup folder on the remote server To set the server serial number Handling Setup Errors To change services to administer Setting Up ServicesAdding Services to the Server View From the command-line Setting Up All Other Services Setting Up Open DirectorySetting Up User Management To set up a user account Computers You Can Use to Administer a Server Setting Up an Administrator Computer Using a Non-Mac OS X Computer for Administration Insert the Mac OS X Server Admin Tools CD Using the Administration Tools Working with Pre-v10.6 Computers from v10.6 Servers Ports Used for Administration Ports Open By Default Server Admin Basics Adding and Removing Servers in Server Admin Grouping Servers Using Smart Groups Grouping Servers ManuallyTo create a server group Working with Settings for a Specific Server To create a server smart group Toolbar button Shows 132 ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile Access ÂÂ NetBootUnderstanding Mac OS X Server Names Directory Service and Kerberos Dhcp Mobile Access Proxy Services NetBootFirewall ÂÂ MySQL Web Certificates for Web and Wiki Services MySQLWiki 138 Imap and POP Certificates for Mail ServicesÂÂ Certificates for collaboration services Mailing List Address Book Service ICal ServiceIChat Service Certificates for Collaboration Services To change the IP address of the Podcast Producer computer To change the DNS name of the Podcast Producer computer Push Notification Software Update ServerPrint Xgrid Changing the Server’s Computer Name and the Local Hostname Changing the Server’s DNS Name After SetupChanging the IP Address of a Server To change the DNS name Administering Services From the command lineTo change computer name and local hostname To add or remove a service in Server Admin Adding and Removing Services in Server AdminImporting and Exporting Service Settings To export service settings Controlling Access to Services To configure service access SACLs Using SSL for Remote Server Administration Managing Sharing Tiered Administration Permissions Defining Administrative Permissions Workgroup Manager BasicsTo assign permissions Administering Accounts Opening and Authenticating in Workgroup ManagerWorking with Users and Groups 152 Defining Managed Preferences Working with Directory Data To display the inspector Assistants are available for the following services Service Configuration AssistantsCritical Configuration and Data Files General IChat Server Firewall ServiceMail Service Mail-POP/IMAP Server Dovecot MySQL Service NAT Service QuickTime Streaming Server OpenDirectory ServiceNotifications Tomcat App Server Eliminating Single Points of Failure Improving Service AvailabilityWeb Service Wiki and Blog Server Using Xserve for High Availability Using UPS with Xserve Setting Up Your Server for Automatic RestartUsing Backup Power Following is the Energy Saver panel of System Preferences Providing Open Directory Replication To enable automatic restartEnsuring Proper Operational Conditions Automatic restart options are Link Aggregation About the Link Aggregation Control Protocol Lacp Link Aggregation Scenarios Computer to Switch Setting Up Link Aggregation in Mac OS X Server To create a link aggregate Monitoring Link Aggregation Status To monitor the status of a link aggregate Load Balancing Daemon Overview Using launchd for Daemon ControlÂÂ mDNSresponder local network service discovery process Viewing Running Daemons 170 Planning a Monitoring Policy Planning Monitoring Response Using with Server Status Widget Using Server MonitorTo configure the Server Status widget Using RAID Admin for Server Monitoring Using Console for Server MonitoringUsing Disk Monitoring Tools Using Network Monitoring Tools To set a notification Using Server Status Notification in Server AdminMonitoring Server Status Overviews Using Server Admin To see a status overview for one server Using Remote Kernel Core Dumps Following shows a sample Overview pane for a single server 177 Setting Up a Core Dump Server Setting up a core dump server Setting Up a Core Dump Client Setting up a core dump clientRestart the computer for the settings to take effect Configuring Common Core Dump Options About Simple Network Management Protocol Snmp Configuring snmpd To enable SnmpEnabling Snmp reporting To enable and configure Snmp Customize data Restart snmpd to take changes About Notification and Event Monitoring Daemons Additional Information about SnmpTools to Use with Snmp There are two main notification daemons syslogd and emond Logging Syslog Open Directory Logging Directory Service Debug LoggingSyslog Configuration File To start debugging at startup AFP Logging To enable client-side loggingAdditional Monitoring Aids To run slapd in debugging mode Push Notification Server About Push Notification Server To enable Push Notification Starting and Stopping Push Notification Changing a Service’s Push Notification Server Click Save, then restart the serviceTo change the existing push notification server Index 192 193 194 195 196 197