Manuals / Apple / Computer Equipment / Server

Apple 10.6 manual Managing Certificates, Editing a Certificate

Models: 10.6

1 197

Download 197 pages 50.37 Kb

Page 69

7Click the Import button.

If prompted, enter the private key passphrase.

Managing Certificates

After you create and sign a certificate, you won’t do much more with it. Since certificates cannot be edited, you can either delete, replace, or revoke certificates after they are created. You cannot change certificates after a CA signs them.

If the information a certificate possesses (such as contact information) is no longer accurate, or if you believe the private key is compromised, delete the certificate.

If you have previously generated certificates for SSL, you can import them for use by services. The OpenSSL keys and certificates must be in PEM format.

If you chose custom locations for your SSL certificates with Leopard Server, you must import them into Certificate Manager if you want them to be available for services.

Custom filesystem locations for certificates cannot be managed for services using Server Admin for Mac OS X Server v10.6. To use custom file locations, you must edit the configuration files directly.

When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity:

ÂÂ The certificate

ÂÂ The public key ÂÂ The trust chain

ÂÂ The concatenated version of the certificate plus the trust chain (for use with some services)

Each file has the following naming convention:

<common name>.<SHA1 hash of the certificate>.<cert chain concat key>.pem

For example, the certificate for a web server at example.com might look like this:

www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem

After they are imported, Certificate Manager encrypts the files with a random passphrase. It puts the passphrase in the System keychain, and puts the resulting PEM files in /etc/certificates/.

Editing a Certificate

After you add a certificate signature, you can’t edit the certificate. You must replace it with one generated from the same private key.

Chapter 4    Enhancing Security

69

Image 69

Apple 10.6 manual Managing Certificates, Editing a Certificate

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Enhancing Security Administration ToolsInstallation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Index Push Notification ServerContents What’s in This Guide About This GuideTo see the most recent server help topics Using Onscreen HelpGetting Started Document Road MapPreface About This Guide Getting Additional Information Getting Documentation UpdatesStandards System Requirements for Installing Mac OS X ServerÂÂ iCal Server What’s New in Mac OS X ServerUnderstanding Server Configuration Methods What’s New in Server AdminSnmp NFS Radius Supported StandardsSystem Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Determining Your Server Needs Planning Server UsageSetting Up a Planning Team Determining Whether to Upgrade or MigrateDetermining Services to Host on Each Server Identifying Servers to Set UpPlanning Server Usage Defining a Migration Strategy Migrating from WindowsDefining an Integration Strategy Defining Physical Infrastructure Requirements Defining Server Setup Infrastructure RequirementsSetting up basic server infrastructure Minimizing the Need to Relocate Servers After Setup Defining Backup and Restore PoliciesMaking Sure Required Server Hardware Is Available Understanding Backup and Restore Policies Understanding Backup Types Understanding Restores Understanding Backup SchedulingDefining a Backup Verification Mechanism Other Backup Policy ConsiderationsUnderstanding Time Machine as a Server Backup Tool Command-Line Backup and Restoration ToolsÂÂ Wiki ÂÂ Xgrid ÂÂ Remote Access Settings ÂÂ Software UpdateOpening and Authenticating in Server Admin Server AdminM N Server Admin InterfaceCustomizing the Server Admin Environment Server Assistant is used for Server AssistantWorkgroup Manager Server PreferencesWorkgroup Manager Interface Customizing the Workgroup Manager Environment Server MonitorFor additional information, see Server Monitor Help ICal Service Utility Interface ICal Service UtilityMedia Streaming Management System Image ManagementCommand-Line Tools RAID AdminServer Status Widget Podcast Capture, Composer, and Producer Xgrid AdminApple Remote Desktop About Physical Security Enhancing SecurityAbout Network Security Firewalls and Packet FiltersNetwork DMZ MAC Filtering VLANsPayload Encryption Transport EncryptionAbout File Security File and Folder PermissionsAbout File Encryption Secure Delete About Authentication and AuthorizationÂÂ Secure Shell SSH You have several options for authenticating usersSingle Sign-On Public and Private Keys About Certificates, SSL, and Public Key InfrastructureAbout Certificate Authorities CAs CertificatesAbout Identities About Self-Signed CertificatesAbout Intermediate Trust Certificate Manager in Server Admin To configure clients to trust a certificateFrom the command line Enhancing Security Readying Certificates Requesting a Certificate from a Certificate Authority Creating a Self-Signed CertificateTo create a self-signed certificate To request a signed certificateTo create a CA Creating a Certificate AuthorityEnhancing Security Importing a Certificate Identity Using a CA to Create a Certificate for Someone ElseTo create a certificate for someone else To import an existing OpenSSL style certificateEditing a Certificate Managing CertificatesDeleting a Certificate Distributing a CA Public Certificate to ClientsTo distribute your certificate to your clients To delete a certificateRenewing an Expiring Certificate Using CertificatesReplacing an Existing Certificate To renew an expiring certificateTo do this, run the following commands in Terminal Key-Based SSH LoginSSH and SSH Keys Generating a Key Pair for SSHKey-Based SSH with Scripting Sample Setting Administration Level Privileges Administration Level SecurityService Level Security Setting Sacl PermissionsTo set Sacl permissions for a service Security Best Practices Password Guidelines Creating Complex Passwords Installation Overview Confirm you meet the requirements Gather your information Start up the computer from an installation disk Set up the environment Start the installer Prepare the target diskGathering the Information You Need Set Up ServicesAbout the Server Install Disc Setting Up Network ServicesConnecting to the Directory During Installation SSH During InstallationPreparing an Administrator Computer Mac OS X Server Install DiscAdministration Tools CD About Starting Up for Installation To install Mac OS X Server v10.6 administration toolsBefore Starting Up Starting Up from the Install DVD To start up the computer with the installation discStarting Up from an Alternate Partition Restore the image to the alternate partition Create a restorable image of the Install DVDTo create an image of the Install DVD Prepare the disks and partitions on the target computerTo restore the image to a free volume To access the computer with Server Assistant Remotely Accessing the Install DVDTo access the computer with VNC To access the computer using Screen SharingTo access the computer with SSH Identify the target server Identifying Remote Servers When Installing Mac OS X ServerStarting Up from a NetBoot Environment Create a NetInstall image from the Install DVD Preparing Disks for Installing Mac OS X Server Start up the computer from the NetBoot server To create a NetInstall image from the Install DVDÂÂ Mac OS Extended Journaled, Case-Sensitive aka Hfsx Choosing a File SystemAbout Hard Disk Partitioning Partitioning a Disk To partition a disk using Disk UtilityAbout Creating a RAID Set So the command isYou cannot create a RAID set from the startup disk To create a RAID set using Disk UtilityDiskutil createRAID mirror setName format device device For example Installing Server Software InteractivelyTo install server software locally Installing Locally from the Installation DiscTo install on a remote server by using Server Assistant Installing Remotely with Server AssistantInstalling Remotely with Screen Sharing and VNC To change a remote computer’s startup disk Changing a Remote Computer’s Startup DiskTo use installer to install server software 105 Installing Multiple Servers Most Efficient Methods of InstallationMore Interactive Methods of Installation Upgrading a Computer from Mac OS X to Mac OS X Server How to Keep CurrentPostponing Server Setup Following Installation To postpone setting up Mac OS X ServerInformation You Need Connecting to the Network During Initial Server Setup Configuring Servers with Multiple Ethernet PortsAbout Settings Established During Initial Server Setup ÂÂ Create Users and Groups Specifying Initial Open Directory UsageNot Changing Directory Usage When Upgrading ÂÂ Configure ManuallyÂÂ Import Users and Groups Binding a Server to Multiple Directory Servers Setting Up a Server as a Standalone ServerTo interactively connect to an additional directory server Setting up Servers InteractivelySelect the target servers from the configuration list To set up servers interactivelyUsing Automatic Server Setup Creating and Saving Setup Data To create a setup data file How a Server Searches for Saved Setup Data Files Using Encryption with Setup Data FilesSetting Up Servers Automatically Using Data Saved in a File Create the saved setup folder on the remote server To use setup data from a file remotelyRestart the remote server To set the server serial numberHandling Setup Errors Adding Services to the Server View Setting Up ServicesTo change services to administer From the command-lineSetting Up User Management Setting Up Open DirectorySetting Up All Other Services To set up a user accountSetting Up an Administrator Computer Computers You Can Use to Administer a ServerInsert the Mac OS X Server Admin Tools CD Using a Non-Mac OS X Computer for AdministrationWorking with Pre-v10.6 Computers from v10.6 Servers Using the Administration ToolsPorts Open By Default Ports Used for AdministrationAdding and Removing Servers in Server Admin Server Admin BasicsGrouping Servers Using Smart Groups Grouping Servers ManuallyTo create a server group To create a server smart group Working with Settings for a Specific ServerToolbar button Shows 132 ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile Access ÂÂ NetBootUnderstanding Mac OS X Server Names Dhcp Directory Service and KerberosMobile Access Proxy Services NetBootFirewall Web ÂÂ MySQLCertificates for Web and Wiki Services MySQLWiki 138 ÂÂ Certificates for collaboration services Certificates for Mail ServicesImap and POP Mailing ListAddress Book Service ICal ServiceIChat Service Certificates for Collaboration Services To change the DNS name of the Podcast Producer computer To change the IP address of the Podcast Producer computerPrint Software Update ServerPush Notification XgridChanging the IP Address of a Server Changing the Server’s DNS Name After SetupChanging the Server’s Computer Name and the Local Hostname To change the DNS nameAdministering Services From the command lineTo change computer name and local hostname Importing and Exporting Service Settings Adding and Removing Services in Server AdminTo add or remove a service in Server Admin To export service settingsTo configure service access SACLs Controlling Access to ServicesManaging Sharing Using SSL for Remote Server AdministrationTiered Administration Permissions Defining Administrative Permissions Workgroup Manager BasicsTo assign permissions Administering Accounts Opening and Authenticating in Workgroup ManagerWorking with Users and Groups 152 Defining Managed Preferences To display the inspector Working with Directory DataCritical Configuration and Data Files Service Configuration AssistantsAssistants are available for the following services GeneralMail Service Firewall ServiceIChat Server Mail-POP/IMAP Server DovecotNAT Service MySQL ServiceNotifications OpenDirectory ServiceQuickTime Streaming Server Tomcat App ServerWeb Service Improving Service AvailabilityEliminating Single Points of Failure Wiki and Blog ServerUsing Xserve for High Availability Using Backup Power Setting Up Your Server for Automatic RestartUsing UPS with Xserve Following is the Energy Saver panel of System PreferencesEnsuring Proper Operational Conditions To enable automatic restartProviding Open Directory Replication Automatic restart options areLink Aggregation Link Aggregation Scenarios About the Link Aggregation Control Protocol LacpComputer to Switch To create a link aggregate Setting Up Link Aggregation in Mac OS X ServerTo monitor the status of a link aggregate Monitoring Link Aggregation StatusLoad Balancing ÂÂ mDNSresponder local network service discovery process Using launchd for Daemon ControlDaemon Overview Viewing Running Daemons170 Planning Monitoring Response Planning a Monitoring PolicyUsing with Server Status Widget Using Server MonitorTo configure the Server Status widget Using RAID Admin for Server Monitoring Using Console for Server MonitoringUsing Disk Monitoring Tools Using Network Monitoring Tools Monitoring Server Status Overviews Using Server Admin Using Server Status Notification in Server AdminTo set a notification To see a status overview for one serverFollowing shows a sample Overview pane for a single server Using Remote Kernel Core Dumps177 Setting up a core dump server Setting Up a Core Dump ServerSetting Up a Core Dump Client Setting up a core dump clientRestart the computer for the settings to take effect About Simple Network Management Protocol Snmp Configuring Common Core Dump OptionsConfiguring snmpd To enable SnmpEnabling Snmp reporting To enable and configure Snmp Customize data Restart snmpd to take changes About Notification and Event Monitoring Daemons Additional Information about SnmpTools to Use with Snmp There are two main notification daemons syslogd and emond Syslog LoggingSyslog Configuration File Directory Service Debug LoggingOpen Directory Logging To start debugging at startupAdditional Monitoring Aids To enable client-side loggingAFP Logging To run slapd in debugging modeAbout Push Notification Server Push Notification ServerStarting and Stopping Push Notification To enable Push NotificationChanging a Service’s Push Notification Server Click Save, then restart the serviceTo change the existing push notification server Index 192 193 194 195 196 197