Using a CA to Create a Certificate for Someone Else | Apple 10.6

Using a CA to Create a Certificate for Someone Else

You can use your CA certificate to issue a certificate to someone else. By doing so you are stating you want to be a trusted party that can certify the identity of the certificate holder.

Before you can create a certificate for someone, that person must generate a CSR. The user can use the Certificate Assistant to generate the CSR and mail the request to you. You then use the CSR’s text to make the certificate.

To create a certificate for someone else:

1Start Keychain Access.

Keychain Access is found in the /Applications/Utilities/ directory.

2In the Keychain Access menu, select Certificate Assistant > Create a Certificate for Someone Else as a Certificate Signing Authority.

The Certificate Assistant starts, and guides you through the process of making the certificate.

3Drag the CSR and drop it on the target area.

4Choose the CA that is the issuer and sign the request. You can choose to override the request defaults.

5Click Continue.

If you override the request defaults, provide the Certificate Assistant with the requested information and click Continue.

The Certificate is now signed. The default mail application launches with the signed certificate as an attachment.

Importing a Certificate Identity

You can import a previously generated OpenSSL certificate and private key into Certificate Manager. The items are listed as available in the list of identities and are available to SSL-enabled services.

The OpenSSL keys and certificates must be in PEM format.

To import an existing OpenSSL style certificate:

1In Server Admin, select the server that has services that support SSL.

2Click Certificates.

3Click the Add (+) button and choose Import a Certificate Identity.

4Drag the PEM file containing the private key to the sheet.

5Drag the PEM file containing the public certificate to the sheet.

6If needed, drag associated nonidentity certificates to the sheet as well.

68

Chapter 4    Enhancing Security

Image 68

Apple 10.6 manual Using a CA to Create a Certificate for Someone Else, Importing a Certificate Identity

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Administration Tools Enhancing Security Installation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Push Notification Server Index Contents About This Guide What’s in This Guide Using Onscreen Help To see the most recent server help topics Document Road Map Getting Started Preface About This Guide Getting Documentation Updates Getting Additional Information System Requirements for Installing Mac OS X Server Standards What’s New in Mac OS X Server ÂÂ iCal Server What’s New in Server Admin Understanding Server Configuration Methods Snmp NFS Supported Standards Radius System Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Planning Server Usage Determining Your Server Needs Determining Whether to Upgrade or Migrate Setting Up a Planning Team Identifying Servers to Set Up Determining Services to Host on Each Server Planning Server Usage Defining an Integration Strategy Defining a Migration StrategyMigrating from Windows Defining Server Setup Infrastructure Requirements Defining Physical Infrastructure Requirements Setting up basic server infrastructure Making Sure Required Server Hardware Is Available Minimizing the Need to Relocate Servers After SetupDefining Backup and Restore Policies Understanding Backup and Restore Policies Understanding Backup Types Understanding Backup Scheduling Understanding Restores Other Backup Policy Considerations Defining a Backup Verification Mechanism Command-Line Backup and Restoration Tools Understanding Time Machine as a Server Backup Tool ÂÂ Remote Access Settings ÂÂ Software Update ÂÂ Wiki ÂÂ Xgrid Server Admin Opening and Authenticating in Server Admin Server Admin Interface M N Customizing the Server Admin Environment Server Assistant Server Assistant is used for Server Preferences Workgroup Manager Workgroup Manager Interface Server Monitor Customizing the Workgroup Manager Environment For additional information, see Server Monitor Help ICal Service Utility ICal Service Utility Interface System Image Management Media Streaming Management Server Status Widget Command-Line ToolsRAID Admin Xgrid Admin Podcast Capture, Composer, and Producer Apple Remote Desktop Enhancing Security About Physical Security Network DMZ About Network SecurityFirewalls and Packet Filters VLANs MAC Filtering Transport Encryption Payload Encryption About File Encryption About File SecurityFile and Folder Permissions About Authentication and Authorization Secure Delete You have several options for authenticating users ÂÂ Secure Shell SSH Single Sign-On About Certificates, SSL, and Public Key Infrastructure Public and Private Keys Certificates About Certificate Authorities CAs About Intermediate Trust About IdentitiesAbout Self-Signed Certificates From the command line Certificate Manager in Server AdminTo configure clients to trust a certificate Enhancing Security Readying Certificates Creating a Self-Signed Certificate Requesting a Certificate from a Certificate AuthorityTo create a self-signed certificate To request a signed certificate Creating a Certificate Authority To create a CA Enhancing Security Using a CA to Create a Certificate for Someone Else Importing a Certificate IdentityTo create a certificate for someone else To import an existing OpenSSL style certificate Managing Certificates Editing a Certificate Distributing a CA Public Certificate to Clients Deleting a CertificateTo distribute your certificate to your clients To delete a certificate Using Certificates Renewing an Expiring CertificateReplacing an Existing Certificate To renew an expiring certificate Key-Based SSH Login To do this, run the following commands in TerminalSSH and SSH Keys Generating a Key Pair for SSH Key-Based SSH with Scripting Sample Administration Level Security Setting Administration Level Privileges To set Sacl permissions for a service Service Level SecuritySetting Sacl Permissions Security Best Practices Password Guidelines Creating Complex Passwords Gather your information Installation OverviewConfirm you meet the requirements Set up the environment Start up the computer from an installation disk Start the installer Prepare the target disk Set Up Services Gathering the Information You Need Setting Up Network Services About the Server Install DiscConnecting to the Directory During Installation SSH During Installation Administration Tools CD Preparing an Administrator ComputerMac OS X Server Install Disc Before Starting Up About Starting Up for InstallationTo install Mac OS X Server v10.6 administration tools Starting Up from an Alternate Partition Starting Up from the Install DVDTo start up the computer with the installation disc Create a restorable image of the Install DVD Restore the image to the alternate partitionTo create an image of the Install DVD Prepare the disks and partitions on the target computer To restore the image to a free volume Remotely Accessing the Install DVD To access the computer with Server Assistant To access the computer with SSH To access the computer with VNCTo access the computer using Screen Sharing Identifying Remote Servers When Installing Mac OS X Server Identify the target server Starting Up from a NetBoot Environment Preparing Disks for Installing Mac OS X Server Create a NetInstall image from the Install DVD Start up the computer from the NetBoot server To create a NetInstall image from the Install DVD Choosing a File System ÂÂ Mac OS Extended Journaled, Case-Sensitive aka Hfsx About Hard Disk Partitioning To partition a disk using Disk Utility Partitioning a Disk So the command is About Creating a RAID Set To create a RAID set using Disk Utility You cannot create a RAID set from the startup disk Diskutil createRAID mirror setName format device device Installing Server Software Interactively For example Installing Locally from the Installation Disc To install server software locally Installing Remotely with Server Assistant To install on a remote server by using Server Assistant Installing Remotely with Screen Sharing and VNC Changing a Remote Computer’s Startup Disk To change a remote computer’s startup disk To use installer to install server software 105 More Interactive Methods of Installation Installing Multiple ServersMost Efficient Methods of Installation How to Keep Current Upgrading a Computer from Mac OS X to Mac OS X Server Information You Need Postponing Server Setup Following InstallationTo postpone setting up Mac OS X Server About Settings Established During Initial Server Setup Connecting to the Network During Initial Server SetupConfiguring Servers with Multiple Ethernet Ports Specifying Initial Open Directory Usage ÂÂ Create Users and Groups ÂÂ Import Users and Groups Not Changing Directory Usage When UpgradingÂÂ Configure Manually Setting Up a Server as a Standalone Server Binding a Server to Multiple Directory Servers Setting up Servers Interactively To interactively connect to an additional directory server To set up servers interactively Select the target servers from the configuration list Using Automatic Server Setup Creating and Saving Setup Data To create a setup data file Using Encryption with Setup Data Files How a Server Searches for Saved Setup Data Files Setting Up Servers Automatically Using Data Saved in a File To use setup data from a file remotely Create the saved setup folder on the remote serverRestart the remote server To set the server serial number Handling Setup Errors Setting Up Services Adding Services to the Server ViewTo change services to administer From the command-line Setting Up Open Directory Setting Up User ManagementSetting Up All Other Services To set up a user account Computers You Can Use to Administer a Server Setting Up an Administrator Computer Using a Non-Mac OS X Computer for Administration Insert the Mac OS X Server Admin Tools CD Using the Administration Tools Working with Pre-v10.6 Computers from v10.6 Servers Ports Used for Administration Ports Open By Default Server Admin Basics Adding and Removing Servers in Server Admin To create a server group Grouping Servers Using Smart GroupsGrouping Servers Manually Working with Settings for a Specific Server To create a server smart group Toolbar button Shows 132 Understanding Mac OS X Server Names ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile AccessÂÂ NetBoot Directory Service and Kerberos Dhcp Firewall Mobile Access Proxy ServicesNetBoot ÂÂ MySQL Web Wiki Certificates for Web and Wiki ServicesMySQL 138 Certificates for Mail Services ÂÂ Certificates for collaboration servicesImap and POP Mailing List IChat Service Address Book ServiceICal Service Certificates for Collaboration Services To change the IP address of the Podcast Producer computer To change the DNS name of the Podcast Producer computer Software Update Server PrintPush Notification Xgrid Changing the Server’s DNS Name After Setup Changing the IP Address of a ServerChanging the Server’s Computer Name and the Local Hostname To change the DNS name To change computer name and local hostname Administering ServicesFrom the command line Adding and Removing Services in Server Admin Importing and Exporting Service SettingsTo add or remove a service in Server Admin To export service settings Controlling Access to Services To configure service access SACLs Using SSL for Remote Server Administration Managing Sharing Tiered Administration Permissions To assign permissions Defining Administrative PermissionsWorkgroup Manager Basics Working with Users and Groups Administering AccountsOpening and Authenticating in Workgroup Manager 152 Defining Managed Preferences Working with Directory Data To display the inspector Service Configuration Assistants Critical Configuration and Data FilesAssistants are available for the following services General Firewall Service Mail ServiceIChat Server Mail-POP/IMAP Server Dovecot MySQL Service NAT Service OpenDirectory Service NotificationsQuickTime Streaming Server Tomcat App Server Improving Service Availability Web ServiceEliminating Single Points of Failure Wiki and Blog Server Using Xserve for High Availability Setting Up Your Server for Automatic Restart Using Backup PowerUsing UPS with Xserve Following is the Energy Saver panel of System Preferences To enable automatic restart Ensuring Proper Operational ConditionsProviding Open Directory Replication Automatic restart options are Link Aggregation About the Link Aggregation Control Protocol Lacp Link Aggregation Scenarios Computer to Switch Setting Up Link Aggregation in Mac OS X Server To create a link aggregate Monitoring Link Aggregation Status To monitor the status of a link aggregate Load Balancing Using launchd for Daemon Control ÂÂ mDNSresponder local network service discovery processDaemon Overview Viewing Running Daemons 170 Planning a Monitoring Policy Planning Monitoring Response To configure the Server Status widget Using with Server Status WidgetUsing Server Monitor Using Disk Monitoring Tools Using RAID Admin for Server MonitoringUsing Console for Server Monitoring Using Network Monitoring Tools Using Server Status Notification in Server Admin Monitoring Server Status Overviews Using Server AdminTo set a notification To see a status overview for one server Using Remote Kernel Core Dumps Following shows a sample Overview pane for a single server 177 Setting Up a Core Dump Server Setting up a core dump server Restart the computer for the settings to take effect Setting Up a Core Dump ClientSetting up a core dump client Configuring Common Core Dump Options About Simple Network Management Protocol Snmp Enabling Snmp reporting Configuring snmpdTo enable Snmp Restart snmpd to take changes To enable and configure Snmp Customize data Tools to Use with Snmp About Notification and Event Monitoring DaemonsAdditional Information about Snmp There are two main notification daemons syslogd and emond Logging Syslog Directory Service Debug Logging Syslog Configuration FileOpen Directory Logging To start debugging at startup To enable client-side logging Additional Monitoring AidsAFP Logging To run slapd in debugging mode Push Notification Server About Push Notification Server To enable Push Notification Starting and Stopping Push Notification To change the existing push notification server Changing a Service’s Push Notification ServerClick Save, then restart the service Index 192 193 194 195 196 197