14 Replies Latest reply: Sep 14, 2013 5:10 AM by FromOZ
dgloose Level 1 Level 1 (0 points)

After creating a self-signed certificate I do not see the option to Generate CSR on the action pop-up menu.  I have tried to follow every direction I could find but none seem to work.


Mac mini, OS X Server
  • 1. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    If you were starting from scratch with server install you would have had to delete the original certificate which was automatically created during server install.

     

    The next step would be to create a new self-signed certificate by choosing the '+' button in the Manage Certificates screen and choosing 'Create a Certificate Identity...".

     

    This new certificate has to have the host name of server, Identity Type = Self Signed Root, Certificate Type = SSL Server. There are other screens where you fill in email & address details etc.

     

    Then there is question "Server wants to export key [your host name] from your keychain" which must be answered as Allow.

     

    Finally the new certificate should be selected in Manage Certificates window and in the Action (gear icon) pop-up menu choose 'Generate Certificate Signing Request (CSR)...'

     

    Is this the sequence you are doing?

  • 2. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    dgloose Level 1 Level 1 (0 points)

    That is exactly the sequence I have followed but it still does not allow me the option to generate the CSR.

  • 3. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    Can I point you to this book

     

    Apple Pro Training Series: OS X Server Essentials: Using and Supporting OS X Server on Mountain Lion

     

    http://www.amazon.com/Apple-Pro-Training-Series-Essentials/dp/0321887336/ref=pd_ bxgy_b_img_y

     

    It's good value to have overall if you are running OS X Server.

     

    Lesson 5 'Configuring SSL Certificates' goes through it step by step including screenshots.

  • 4. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    icouto Level 1 Level 1 (0 points)

    I'm having the same problem - there seems to be no "Generate Certificate Signing Request" command in the action menu in Mountain Lion Server.

     

    I can generate the self-signed certificate, but then there doesn't seem to be a way of "generating a CSR" from it, as the documentation seems to imply we should be able to. The Help files seem to have been written for Lion Server, and the instructions there don't apply. I've searched the Apple Communities, and googled 'til my fingers hurt, but can't find a hint anywhere on how to do it.

     

    Can a kind soul provide us with a hint that does not require us to fork out $45 on a book?

  • 5. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    Going from the book I have for ML...

     

    You need to create a Certificate Identity - now I don't know if this matches what you have done already but for the sake of following the procedure (which I will grant you is d**m convoluted) let's do what the book says.

     

    1. In Server | Certificates create a new self-signed certificate by clicking the '+' at bottom of screen and choose 'Create a Certificate Identity...'
    2. Fill out the details - the server host name must be a legal host name on the Internet, not an internal DNS name. So mine is 'server.MyInternetDomain.com' not 'server.local' or something.
    3. Identity type must be Self Signed Root
    4. In conclusion pane don't worry about warning message saying the certificate has not been verified by third party'
    5. Click Done to close Certificate Assistant
    6. When Server app window comes up with 'Server want to export key [your host name] from your keychain' click Allow.
    7. Then you should have a certificate in the certificate window
    8. Select it, click disclosure to check details
    9. Click Action (gear icon) pop-up menu and choose 'Generate Certificate Signing Request (CSR)'
    10. You should see dialog box with text - click Save... to save it somewhere (desktop)
    11. Send the CSR to the certificate auth.
  • 6. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    p.s. I am loathe to play with this by creating a new certificate and possibly stuffing up my current valid one (signed by signing authority).

     

    I can say though that I followed the instructions in the book I have and got my cerficate signed and then imported the signed one.

     

    Try steps above and advise how you went.

  • 7. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    icouto Level 1 Level 1 (0 points)

    FromOZ, thank you for the instructions. As I suspected, this is -exactly- what I'm already doing. The issue is that when I reach STEP 9 in your instructions, and click on the Action menu, there is NO option to 'Generate Certificate Signing Request (CSR)', as described. The only options I get, with the self-signed certificate selected, are: 'View Certificate...' , a divider, and 'Show All Certificates' (already ticked).

     

    Elsewhere on the 'net I saw a post where a user described that after getting the self-signed certificate, they selected 'View Certificate...', and then in the certificate details pane, clicked on the 'Renew...' button. Apparently, this was supposed to turn my self-signed certificate into a 'pending' certificate, which I should be able to double-click t get the CSR. Unfortunately, clicking the 'Renew...' button, in my case, does nothing of the sort - it 'resets' the certificate data, including not just the date, but any other customized setting I might have configured (for instance, it changes the country code in the certificate from AU to US, and deletes any extra domain names I might have entered for a SAN/UCC certificate).

     

    I'm really stuck. Any suggestions would be appreciated.

  • 8. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    I think the books and documentation — even the book I got — do not give the correct instructions.

     

    I'm annoyed I didn't document this when I did it but I was pushing to get my server fully up and running. When I look at it and think it through it is obvious.

     

    Ahhhh — documentation, the bane of IT staff.

     

    This is what I believe has to be done. You don't create a self signed certificate. You use the option 'Get a Trusted Certificate...' in the certificates part of server admin.

     

    When you do this it brings up a dialog box where you type in the host name, again forgive me if I state the obvious but (in case others read this post) this host name:

     

    • Must exist (internal and Internet) before requesting the certificate
    • The authoritative Internet DNS server for your domain must have a record for this host name and it must point to the external IP of your server.
    • If you are hosting internal DNS for your LAN then there should be a DNS record there also.
    • The complete FQDN of the machine should be the host name of your server (e.g. mine is 'server') plus the domain name (e.g. 'mydomain.com') so server.mydomain.com.
    • If you have setup your server DNS properly then for LAN (internal) name resolution your (internal) DNS server should be answering queries for domain 'mydomain.com'.

     

    So the steps:

     

    1. Load Server app
    2. Open Keychain Access and look in Keychain — 'System' and Category — Keys. Make a note of what keys are listed, you will check back here later.
    3. Go to Server | Certificates
    4. Click on '+' and choose 'Get a Trusted Certificate...'
    5. This will bring up a dialog box which says basically that you are going to create and submit a Certificate Signing Request. Click 'Next'
    6. The next screen has fields for host name which — if you have internal DNS setup right and hostname of machine correct — you can pick from drop down. Then you provide contact details, you must put real working data in there or else certificate authority may reject your certificate request.
    7. Let's assume for example case that you fill in server.mydomain.com for the host name plus valid details. You then click next and you will see a screen with certificate request.... save the text block into a file with extension .CSR. Click 'Finish'. (You can also save the CSR by viewing the certificate (action gear - View Certificate Signing Request).
    8. You will now see a greyed out certificate for the host name saying 'Pending'.
    9. If you quickly look back at Keychain you will now likely see a new key 'server.mydomain.com' (if one was not there before). When you created the trusted certificate request OS X made a new private key which it uses to cryptographically sign (authenticate) things including the certficate signing request.
    10. The next part depends on the certificate signing company you use to get a signed certificate — essentially you give them the document (certificate signing request) cryptographically signed by your (public) key and they cryptographically sign and return it to you. You typically will get the certificate in an email between a 'begin - end certificate block.
    11. Save this to a file with extension .CRT, save to desktop is easiest to then drag in step 13.
    12. Go back to Certificates
    13. Open the pending certificate by clicking on the action gear and choosing View Certificate Signing Request.
    14. Drag the signed certificate into the dialog box where it says 'Certificate Files' and click 'Done'.

     

    You should now have a signed valid certificate. If you go into the Keychain Access app again you will now see that the private key for your hostname now has a disclosure triangle - expand it and you will see your new certificate attached.

     

    You can check your certificate by going to this handy website — http://sslchecker.com/sslchecker. Note for the port number they default to 443 (SSL web) but if you are not running a secure website but just using this for email then you will need to enter say port 993 (Secure IMAP)

     

    Note also that some cheaper SSL providers don't have root level keysigning so you will need to install an intermediate certificate — see websites of providers.

     

    And that should be it — pls note I did not do the process fully live (because I would have had to replace my working certificate) but it should work OK. Again annoying that the documentation on the web (and the book!) does not describe it properly.

  • 9. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    p.s. Please advise if this works for you so others can use solution

  • 10. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    icouto Level 1 Level 1 (0 points)

    FromOZ, thank you for your comprehensive answer. It is important to note that the certificate that is issued by following this procedure is a certificate for a single domain. It is also important to note that each certificate must be connected to a unique IP address that means that if you are running multiple sites or multiple services on the same machine, and you want them all covered by SSL, without needing to allocate a different IP for every site and service, then you will need one of these two kinds of 'special' SSL certificates:

     

    1) SAN/UCC Certificate:

    This certificate allows you to cover more than one domain with a single certificate. Each domain has to be specifically listed in the certificate, and the certificate will only cover those domains listed. For instance: you can get a single certificate that covers a handful of websites - each with a different domain address - all being served from the same machine, and the same IP address. You can also use this type of certificate to cover a domain with several specific sub-domains. This is extremely useful when you want to setup multiple services for a domain with different URLs, all being served from the same IP address (the usual setup when your server is public, and not just on a LAN) - for instance, when you want.your certificate for that IP address to cover "mycompany.com" as we'll as "mail.mycompany.com", "calendar.mycompany.com", "www.mycompany.com" and "FTP.mycompany.com".

     

    It is also important to note that SAN certificates cover a limited, pre-defined number of domains/sub-domains, and because of that tend to be cheaper than then wildcard certificates described below.

     

    2) Wildcard Certificate:

    This certificate allows you to cover an entire domain, including all sub-domains within it. Rather than being a certificate for "mycompany.com", it is a certificate for "*.mycompany.com" - note the asterix. This means that you can add and remove sub-domains to your heart's content, without ever having to bother about changing or re-issuing your certificate.

     

    The procedure you described does not allow the user to create either of these types of certificates. The possible solutions and problems encountered are:

     

    A) You can create a CSR directly with the command-line utility "OpenSSL". The easiest way to do this - and it turns out to be actually pretty easy - is to create a config file, and then run OpenSSL with the pre-loaded config. Google is your friend here if you want to try this out.

     

    The problem with this solution, however, is that once a certificate is created OUTSIDE Server app, there are a myriad of problems with getting it imported and working with all your services. When the certificate is created outside Server - even if it is created by Keychain directly - it does not put all the files with all the right permissions in all the right places that Server expects. In ALL reports I've read - including all discussions here - people simply give up, and get Server to create a new CSR.

     

    B) It is possible and quite simple to create both these types of certificates as self-signed certificates: in Server itself. In Server app, in Certificates click the "+" button, select "Create a Certificate Identity", and in the dialogue box that comes up, tick "Let me override defaults", in order to have access to adding extra domains or wildcard to your certificate. There are other discussions here where users have described quite comprehensively how to do that, so I won't repeat it here.

     

    The problem with this solution is that there does not seem to be a way to get a CSR from your self-signed certificate anymore - which is what I wanted to do...

  • 11. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    I believe it's still possible, Apple has changed (degraded) the UI in server app but it is only a graphical front-end to the underlying *nix platform.

     

    The other thing to remember is that it is the private/public key set that creates certificates, not the other way round. In the server app it talks about creating certificates but doesn't mention that it is the key that gets made first and which creates/signs certificate(s).

     

    Try this, make the self signed cert in server app, make it wildcard or otherwise, export it so it is placed in /etc/certificates, then in keychain you will see the key + cert. In keychain you can request to create a CSR, do that get it signed, get public certificate and you can then attach it back in server app.

     

    In the server app you can also import the whole thing from scratch  — key, certificate & intermediate certificate — to get a new certificate.

     

    I believe you should be able to get what you want. I'm not in front of computer so can't test — let us know how you go.

  • 12. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    icouto Level 1 Level 1 (0 points)

    FromOZ, thank you for your assistance. Once you create the self-signed certificate in Server app, it already appears in Keychain - no need to export. The problem is that there is no way to create a CSR from Keychain, either....

     

    It is possible to create a CSR from the command line - using OpenSSL - but there are huge problems with trying to later import trusted certificates created this way into Server app.

  • 13. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    icouto Level 1 Level 1 (0 points)

    I have obtained official confirmation from Apple that the current version of OS X Server - 10.8.4 - no longer has the "Generate a Certificate Signing Request" command in the Action menu. The Help and online docs are outdated and misleading. The current options for creation of a certificate signing request in OS X Server are:

     

    1) Single-Domain Certificate:

    If you want a simole certificate that secures only a single fully-qualified domain name, you can use the "Get a Trusted Certificate..." command from the "+" menu in the Certificates pane of Server app.

     

    2) Wildcard Certificate:

    If you want a wildcard certificate - ie., a certificate for "*.mydomain.com" - which will cover a domain and all of its sub-domains, you will have to use the command line (Terminal app) to create the CSR. Instructions for generating the CSR and importing the trusted certificate into your Server can be found at the end of the discussion here:

     

    https://discussions.apple.com/thread/4387666?start=15

     

    3) Multi-Domain (SAN/UCC) Certificate:

    A SAN certificate can cover a specified number of fully-qualified domain names. Unlike the wildcard certificate, all the domain names that the certificate covers must be specified in the certificate itself. This is a cheaper alternative to the wildcard certificate, which is quite useful when you have a small number of websites or sub-domains to cover. To generate a CSR for a SAN certificate, you will have to use the command line (Terminal app), with a special configuration file that you will have to prepare beforehand. Easy-to-follow instructions can be found in this post:

     

    http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

     

    There are many companies that offer wildcard and SAN certificates at very competitive prices. StartSSL is a company that offers excellent service and support, and they are currently offering wildcard certificates for $59.

     

    http://www.startssl.com/

     

    I hope this information helps others.

  • 14. Re: Why do I not see the option to Generate Certificate Signing Request (CSR) on the Action pop-up menu in order to obtain a trusted certificate?
    FromOZ Level 2 Level 2 (405 points)

    That's good information icouto — thanks for posting. I hope Apple is nice to us and updates/improves the server app UI to support the full requirement for certificates.

     

    I think anyone arriving at this thread will be able to get a good understanding of what has happened with the current version of server app and how to organise certificates.