Mar 13, 2012 12:51 PM (in response to rueddldueddl)
You should get an official certificate for your email service. The OD certificate is not from an official certificate instance and therefore it can't be checked recursively to any of the official certificate instances. You can get an official certificate for free at www.startssl.com.
Mar 13, 2012 1:04 PM (in response to Brettermeier)
I am not sure I am with you.
From what I can see startssl provides SSL certificates, but maybe I missed the crucial point on their site.
I already have a wildcard SSL certificate for the domain which is used by mail, ical, etc. in Server.app.
Can you please elaborate what kind of certificate from startssl that is not an SSL certificate like my wildcard certificate would remedy the 'trust' of the OD certificate?
Mar 13, 2012 2:20 PM (in response to rueddldueddl)
Here is what I have done to get and install an official certificate.
- At first create a new self-signed root certificate with your Server app. The name of the certificate should be equal to your domain name. Don't use the FQDN of your server. -> use: yourdomain.com. Then generate a CSR from the certificate and store the generated key into a file. You need the CSR to register an official certificate.
- Register yourself at your preferred certificate instance. That could be www.verisign.com, www.thawte.com or even www.startssl.com if you prefer a certificate for free. -> there you go: https://www.startssl.com/?app=11&action=true You should use the "express lane" to register and generate the certificate.
I'm not sure about the exact procedure anymore, but don't let startssl.com generate the key for you.
At this point startssl.com offers to upload/paste your CSR. Do that and finish the "express lane".
Startssl.com will ask you for a sub domain; you could enter "www", which means that the certificate is valid for "yourdomain.com" and "www.yourdomain.com".
- Go back to your Server.app and replace your self-signed root certificate with the one you got from startssl.com.
Tell your mail service to use the new certificate and restart your mail server.
Hope that helps
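The procedure above, as an added example that is not code from the thread or from Apple: an OpenSSL script that builds the key and CSR, issues a certificate from it with a self-signed root standing in for the OD CA, and then checks whether the result chains to a trusted root, which is the check each client performs. It also carries both the FQDN and the short server name in the subjectAltName, since that is what hostname matching uses. All hostnames are constructed placeholders.

```shell
# Added example, not code from the thread: key + CSR with a SAN listing the FQDN,
# the short server name and the bare domain, a self-signed root standing in for
# the OD CA, and a chain-trust check. All hostnames are constructed placeholders.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="yourdomain.com"      # placeholder name used in the thread
FQDN="od.$DOMAIN"            # constructed placeholder
SHORTNAME="od"               # constructed placeholder

# Minimal config so nothing here depends on the system openssl.cnf.
cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $FQDN
[san_ext]
subjectAltName = DNS:$FQDN, DNS:$SHORTNAME, DNS:$DOMAIN
[ca_ext]
basicConstraints = critical, CA:TRUE
EOF
# Step 1: private key plus CSR carrying the SAN; the CSR is what you hand to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/req.cnf" -reqexts san_ext \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
}

# Step 2: a self-signed root ($1 = name), like the OD CA; no client trusts it by default.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/req.cnf" \
    -subj "/CN=$1" -extensions ca_ext -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# Step 3: issue server.pem from the CSR with root $1, copying the SAN into the cert.
sign_csr() {
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/$1.pem" -CAkey "$WORKDIR/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORKDIR/req.cnf" -extensions san_ext \
    -out "$WORKDIR/server.pem" 2>/dev/null
}
# How many DNS names the issued cert carries (hostname matching uses these, not the CN).
san_names() {
  openssl x509 -in "$WORKDIR/server.pem" -noout -text | grep -o "DNS:[^, ]*" | wc -l | tr -d ' '
}

# "trusted" only if server.pem chains to a root in bundle $1: the check every client performs.
chain_status() {
  if openssl verify -CAfile "$1" "$WORKDIR/server.pem" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}
```

With a real CA, step 2 and 3 are replaced by uploading server.csr and installing the certificate it returns; running chain_status against your system's CA bundle then shows whether clients will trust it without manual trust settings.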
Mar 13, 2012 3:13 PM (in response to Brettermeier)
Thanks for your response.
What you wrote is all fine, but the steps you describe are about creating and using a signed certificate for the Mail server, i.e. SSL traffic between the mail clients and the mail server.
I have done this already with a wildcard certificate and the wildcard certificate is used by the Mail server.
My question is about OD certificates. The authentication with OD is done before the Mail server comes into play, as I understand it, for authentication with the server to say whether OD knows this user or not and whether the credentials are correct. Nothing happens with the Mail server up to this point.
Or are you telling me that in your environment the OD master is not using the certificate it created itself, but is instead using the certificate you created with startssl? I.e. when you go into Server.app, Hardware (your server), Settings (Edit SSL certificate), Actions, select 'Manage certificates', you no longer see the OD Intermediate Certificate and OD somehow uses your startssl certificate?
If you do still see it and OD uses it, then it's the same as for me. The OD Intermediate CA is used by OD in which case you must have 'trusted' it for each client.
This is where my question comes from - how to get OD to have a trusted, signed certificate that accepts both the FQDN as well as the servername on which the OD master is running.
Mar 15, 2012 3:24 AM (in response to rueddldueddl)
Does anyone have any further insight to share on this please?
Everyone with an OD master must have come across this at some point unless something is wrong in my setup/understanding of how things work.
In this case I am grateful for anyone who has an OD master to explain what certificate is used by their OD master (not LDAP SSL), but the OD itself and whether they 'trust' the server for each client connecting or how they managed to get the OD master to have a valid/signed certificate.
Many thanks in advance.