
HT4183: OS X Server: Configuring clients to use SSL for Open Directory binding


HT4183 How to make the server provide a secure (SSL) connection?

3241 Views 3 Replies Latest reply: Apr 16, 2013 9:35 AM by francisgomes RSS
francisgomes
Apr 9, 2013 6:39 AM

 

I am getting the above popup message when I try to join my Mountain Lion Server on iMAC.  Before the above screen, I get a warning window saying that the certificate is not trusted because it was self signed.

 

How do I configure my server to provide secure connection using my self signed certificate?

 

There is just one certificate in the Server.app that I used for all the services.  I had to assign the certificate to OD using custom setting.

 

I have the SSL checked against the LDAP node in the directory utility.

 

Still get the above popup.

 

Will appreciate any guidance.

 

Thanks

iMac (27-inch Late 2009), OS X Mountain Lion (10.8.3)
  • MrHoffman Level 6 (11,695 points)

    You'll need to use the camera icon to get the picture loaded to the forums; I don't see anything shown.

     

    To get the certificate accepted by the client, you can choose to enable trust for the certificate when each client first connects (that trust setting is available in the SSL/TLS connection pop-ups), or you can establish your own certificate chain and load the root public key into each client (via provisioning or various other means) or you can purchase a certificate that already has the root public certificate in the keychains of your various devices.

     

    The first — trusting the cert — is the easiest.  On a local network with local servers, granting that trust is not usually an issue.  With remote servers, you might not be connected to the server you think you're connected to, so this can be subverted.

     

    Setting up a certificate authority (CA) is entirely feasible, but takes a little rummaging in the certificate tools, and you're then responsible for maintaining the root certificate private keys and any intermediate certificate private keys securely.  You do need a trusted way to get the root certificate public key onto each client, as that root cert is a form of a "master key" for secured network connections.

     

    Buying the cert is cheap and easy, though you're outsourcing your security to the root certificate authority.  You're already outsourcing a whole lot of that to the root certificate authorities, so...  There's no encryption-level difference between a private certificate chain and a public (purchased) certificate chain.

     

    As for Open Directory and SSL, if Open Directory is doing something wonky, I'd first check the certificate involved to ensure it's still valid and correct, and I'd then check DNS.  (DNS services and digital certificates are two sides of the same coin.  SSL/TLS and certificates require correct and functional DNS.)   To verify the OS X Server DNS settings, launch Terminal.app from Applications > Utilities folder and issue the non-destructive, no-changes-made, diagnostic command:

     

    sudo changeip -checkhostname

     

    which will display some information and then an indication that DNS is correct and valid and no changes are needed, or some information on the problem(s) it may have detected.
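As an added example (not from this thread, and not Apple's or OS X Server's own tooling), the checks a client makes when it shows the "certificate is not trusted" pop-up, reproduced with OpenSSL against a constructed self-signed certificate: validity, whether the certificate names the host the client is binding to, and the difference between a chain with no trust anchor and the same chain after the client has trusted the cert. The host name od.example.test and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: mirror the trust checks a client applies to an Open Directory
# LDAPS certificate, using OpenSSL on a constructed self-signed certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="od.example.test"   # assumed server name; use the name clients actually bind to

# Constructed stand-in for the Server.app self-signed certificate (not a real server cert).
# The SAN entry matters: modern clients ignore a bare CN when checking the host name.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# 1. Still valid? Fails if the certificate expires within the next 24 hours.
cert_is_valid() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkend 86400 >/dev/null
}

# 2. Correct for this host? The name the client types must appear in SAN (or CN).
#    A DNS mismatch between the bound name and the cert is a common cause of the pop-up.
cert_matches_host() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q "does match"
}

# 3a. A client with only the system trust store rejects a self-signed chain
#     (this is the state the original poster is in).
verify_untrusted() {
  ! openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# 3b. Once the client trusts the certificate itself (MrHoffman's first option),
#     or the private root that signed it, the same chain verifies.
verify_trusted() {
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

make_selfsigned_cert "$HOST"
```

Against a live server, replace the constructed certificate with the one fetched by `openssl s_client -connect server:636 -showcerts`, and pair the host-name check with the `changeip -checkhostname` DNS check above.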
