samurai9612

Q: OS X Server Certificate Management for Signing & Encrypting Email

I'd like to know how to set up and manage a system of certificates for colleagues of mine to be able to send digitally signed and encrypted messages using OS X Server and Apple's Mail.app. I know that each user can use Keychain.app to generate those keys themselves, but I'd like to have centralized control over those certificates from OS X Server (perhaps using Users & Groups to manage them).

If someone has experience with this and would like to explain how they do this themselves, or point me to some learning resources I would greatly appreciate it.

Thank you.

Posted on Aug 15, 2016 1:08 PM

  • Solved answer by John Lockwood
    Level 6 (9,205 points)
    Servers Enterprise
    Aug 22, 2016 10:37 AM in response to samurai9612

    These are not the droids you're looking for…

    Sadly Apple do not provide the tools for this. Even if they did it would not necessarily be the best approach - except internally. The reason for this is that if you did hypothetically have an internal solution for generating and issuing S/MIME certificates this would I feel be using an internal self-signed root CA, and while you could use that and have certificates issued by it be automatically trusted internally, you could not do this for all the external people you would also want to communicate with.

    We have a few people using S/MIME ourselves and I could have used a self-signed root CA based setup, but this would then have meant extra work with external people, educating them how to ignore the complaint messages their software would initially show regarding untrusted certificates. I felt it was better to get each user an officially issued and hence trusted S/MIME certificate. Since then we have had the reverse situation: one of the external parties we communicate with does use self-signed certificates and I then have to go through that hassle getting our users to trust their untrusted self-signed certificates.

    Note: I used free S/MIME certificates from Comodo. They work fine with Apple Mail, iOS Mail, and even Kerio Connect webmail. You have to do the initial application and install on a Mac, then export as a .p12 and send that to your iOS device to install there, and use the same to install in Kerio Connect webmail.

    Getting back to your question, you could use the free XCA tool to manage your certificates; this would not be automatic but would be much easier than Keychain Access or command line approaches. A more automatic enterprise level approach would require a SCEP server application. Unfortunately, even though Profile Manager contains a SCEP, it is limited to only being usable to generate certificates for enrolling devices; it cannot be used for other purposes like this. You could look at Enterprise Java Beans Certificate Authority - EJBCA; this is a very high-end, complex and full-blown certificate management tool, although it is still free. Perhaps with it and Profile Manager you could have profiles which ask EJBCA to generate an S/MIME certificate and install it for use with Apple Mail.

    See - https://www.ejbca.org/
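    As an added illustration of the self-signed internal root CA approach discussed above (example code, not part of this thread or of any Apple or EJBCA tooling): the script below uses OpenSSL to build an internal root, issue a user certificate with the S/MIME extensions Mail.app expects, and export the key, certificate and root as a .p12 for import into Keychain Access or iOS. The CA name, file paths, address and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal internal S/MIME CA built
# with OpenSSL. Names, paths, addresses and the passphrase are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Self-signed internal root. Only clients that import root.pem will
#    trust what it issues; external correspondents will see "untrusted".
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf '%s\n' "basicConstraints = critical, CA:TRUE" \
    "keyUsage = critical, keyCertSign, cRLSign" > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# 2. Per-user key + CSR, signed by the root with S/MIME extensions: the
#    emailProtection EKU and the address in the SAN, which Mail.app matches
#    against the sending account.
issue_user_cert() {
  email="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$email/emailAddress=$email" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  printf '%s\n' "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = emailProtection" \
    "subjectAltName = email:$email" > "$WORK/smime.ext"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/smime.ext" \
    -out "$WORK/user.pem" 2>/dev/null
}

# 3. Bundle key + cert + issuing root as PKCS#12 (.p12) for import into
#    Keychain Access, iOS Mail or a webmail client.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.pem" \
    -certfile "$WORK/root.pem" -name "$1" -passout pass:changeit -out "$WORK/user.p12"
}

# Returns 0 only when user.pem chains to root.pem and is valid for S/MIME
# signing; on a machine that has not imported root.pem this check fails.
verify_smime_cert() {
  openssl verify -CAfile "$WORK/root.pem" -purpose smimesign "$WORK/user.pem" >/dev/null 2>&1
}

make_root_ca
issue_user_cert "alice@example.com"
export_p12 "alice@example.com"
verify_smime_cert && echo "issued $WORK/user.p12, trusted via $WORK/root.pem"
```

    The verify step only succeeds because root.pem is passed explicitly; that is precisely the trust gap external recipients hit, and why the answer above prefers publicly issued certificates for external mail.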

  • by samurai9612
    Level 1 (4 points)
    Servers Enterprise
    Aug 22, 2016 10:40 AM in response to John Lockwood

    Thanks for the in-depth response. This answers my question pretty fully. Really this question was out of personal interest, in case I run into a situation where deploying secure services to a small/medium-sized group of team members becomes a thing for me.

    Thanks again,

    David