lawaidit

Q: Problem exporting SSL keys

I'm trying to export ssl certs & keys from Keychain Access on our server (5.1.7) for future disaster recovery purposes. I have several ssl certs installed and most are fine, but one in particular has 4 public keys and 5 private keys. I don't know which keys to export! I tried exporting several of the public keys and compared them; they are all different. I'm not sure how to determine which one is the correct one. As you can see below, none have even a timestamp.

multiple_keys.png

Any ideas? Alternately, is there another way I can go about this?

Mac Mini Server (Late 2012), OS X El Capitan (10.11.6)

Posted on Sep 15, 2016 1:20 PM


  • cdhw, Level 4 (2,668 points), Servers Enterprise, Sep 15, 2016 4:54 PM, in response to lawaidit

    Is there some reason you don't just export all of them? They are very small files and if you guess wrong and exclude one that is needed your disaster recovery is not going to go well.


    C.

  • lawaidit, Level 1 (8 points), Servers Enterprise, Sep 16, 2016 7:34 AM, in response to cdhw

    Exporting them all is my only recourse at the moment, yeah. It's certainly better than nothing but I hate having to import 9 keys unnecessarily. It's like killing a fly with a shotgun. I was just thinking maybe there's a way to tell which one is associated with the current cert. Somehow.

  • John Lockwood (Solved answer), Level 6 (9,349 points), Servers Enterprise, Sep 19, 2016 7:11 AM, in response to lawaidit

    If you select the correct view in Keychain Access then the Certificate and its matching private key will be linked together. You will see a triangle to the left of the certificate and if you turn it down it will show the matching private key.


    If you select the certificate this way then you will de facto export both the certificate and the matching private key together.

    See the screenshot: 217.png

  • lawaidit, Level 1 (8 points), Servers Enterprise, Sep 19, 2016 7:15 AM, in response to John Lockwood

    That's very helpful, thanks John! I ended up locating the files I needed in /etc/certificates and backing them up from there (along with the ssl passphrase, obtained via command line). When I attempted to import one of the key/cert pairs that I was able to export from Keychain Access, it didn't work for some reason.

  • John Lockwood, Level 6 (9,349 points), Servers Enterprise, Sep 19, 2016 7:27 AM, in response to lawaidit

    It is best to export a certificate/private key pair as a .p12 file. It is effectively compulsory to use a password to protect/encrypt the .p12 file. You would then have to enter the same password to import that .p12 file.
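    The two practical questions in this thread, "which of these private keys belongs to the certificate?" and "how do I get the pair into one password-protected .p12 file?", can both be answered from the command line with the openssl tool that ships with macOS and Linux. The script below is an added example, not code from this thread or from Apple; it assumes openssl is on PATH, and every key and certificate it touches is constructed test material that it generates itself. A certificate and a private key belong together exactly when the public key embedded in the certificate equals the public key derived from the private key, so the script hashes the DER-encoded SubjectPublicKeyInfo of each and compares the digests. That is the same relationship the Keychain Access disclosure triangle displays, just made explicit so it can be checked against any pile of exported key files.

```shell
#!/bin/sh
# Added example (not from the thread): match a certificate to the right private key
# by comparing public-key fingerprints, then bundle the pair as a password-protected
# PKCS#12 (.p12) file and confirm it can be opened again. Requires openssl on PATH.
set -eu

# Build constructed test material in DIR: one cert with its real key plus two decoys
# that merely look similar, which is the situation described in the question.
make_test_material() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/decoy1.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/decoy2.key" 2>/dev/null
    # Self-signed cert for a placeholder hostname; only server.key can match it.
    openssl req -x509 -new -key "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=example.test" -days 1 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo carried inside a certificate.
spki_fingerprint_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key.
spki_fingerprint_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the first key file whose public half matches the certificate; exit 1 if none does.
find_matching_key() {
    cert=$1
    shift
    want=$(spki_fingerprint_cert "$cert")
    for key in "$@"; do
        if [ "$(spki_fingerprint_key "$key")" = "$want" ]; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# Bundle cert + key into a .p12 protected by PASSWORD (what Keychain Access produces on export).
bundle_p12() {
    cert=$1; key=$2; out=$3; password=$4
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$password"
}

# Succeed only if the .p12 opens with PASSWORD and actually contains a private key,
# which is the check that would have caught an empty or key-less export before a restore.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Demonstration run on the constructed material.
demo_dir=$(mktemp -d)
make_test_material "$demo_dir"
match=$(find_matching_key "$demo_dir/server.crt" \
    "$demo_dir/decoy1.key" "$demo_dir/decoy2.key" "$demo_dir/server.key")
echo "certificate matches private key: $match"
bundle_p12 "$demo_dir/server.crt" "$match" "$demo_dir/server.p12" 'example-passphrase'
if p12_has_private_key "$demo_dir/server.p12" 'example-passphrase'; then
    echo "server.p12 opens with the passphrase and contains the private key"
fi
rm -rf "$demo_dir"
```

    To use this on real material, point find_matching_key at the exported certificate and every candidate key file; the one it prints is the key to keep, and the others can be discarded. Keep the .p12 password in the same disaster-recovery store as the file itself, since without it the bundle cannot be imported.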

  • lawaidit, Level 1 (8 points), Servers Enterprise, Sep 19, 2016 7:29 AM, in response to John Lockwood

    I'll give it a try, maybe if it puts it all in one file the import will work. Keychain Access kept telling me it couldn't find any keys in the file to import after authentication.