For instructions on how to do this, see “Replacing an Existing Certificate” on page 71.

Distributing a CA Public Certificate to Clients

If you’re using self-signed certificates, a warning appears in most user applications saying that the CA is not recognized. Other software, such as the LDAP client, refuses to use SSL if the server’s CA is unknown.

Mac OS X Server ships only with certificates from well-known commercial CAs. To prevent this warning, your CA certificate must be distributed to every client computer that connects to the secure server.

To distribute your certificate to your clients:

1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.

Preferably, distribute the certificate using nonrewritable media, such as a CD-R. Using nonrewritable media prevents the certificate from being corrupted.

2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate was copied onto the client computer.

3 Drag the certificate to the System keychain using Keychain Access.

Authenticate as an administrator, if requested.

4 Double-click the certificate to get the certificate details.

5 In the details window, click the Trust disclosure triangle.

6 From the pop-up menu next to “When using this certificate,” select “Always Trust.” You have now added trust to this certificate, regardless of who it is signed by.

From the command line

After copying the certificate to the target client computer, run the following command, where <certificate> is the file path to the certificate:

sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>

You can use the security tool to save and restore trust settings as well. For more information on using the security tool, see the security man page.

Deleting a Certificate

When a certificate has expired or been compromised, you must delete it.

To delete a certificate:

1 In Server Admin, select the server that has services that support SSL.

2 Click Certificates.

3 Select the Certificate Identity to delete.

4 Click the Remove (-) button and select Delete.

70

Chapter 4    Enhancing Security
