I've found and used Keychain Access.app in Applications/Utilities but can't seem to find any program called "CA Assistant" in the 10.5 server installation.
Interesting. I don't have access to my 10.5 server install at the moment. The "CA Assistant" program is mentioned in the documentation on page 63:
... If you need these functions, you can use Apple's CA Assistant in /Applications/Utilities. It allows these functions, and others.
Appreciate the feedback and tips!
Just to rule out the possibility that my SSL vendor (GoDaddy) is providing signed certs that are causing problems on 10.5 I'll go back to the documentation links you provided and try to set everything up with certs signed by my own created CA. For a small user group it should not be that hard to distribute the necessary CA files to establish the trust chain.
I still can't find the "CA Assistant" mentioned in the docs:
sh-3.2# find / -name "CA Assistant*" -print
Given recent appleseed related activities I think that 10.5.1 Server will be available soon. Maybe I should just slow down and wait on either the seed or official 10.5.1 release.
I think I have the same problem. I originally could not get the certificate files to import from GoDaddy. After finding that they "partially" imported into the Keychain, I deleted them from there and tried importing the certificate into Server Admin again. That time it worked. I had to make sure I imported the certificate, the private key file AND the chain file that I found here:
In Keychain Access everything looks valid and says it's verified, BUT none of the other services seem to think that it's verified. Hopefully this will bring some more ideas.
On a side note, I couldn't find Certificate Assistant either. I found mine here: Open Keychain Access, go to the "Keychain Access" menu and you will see it there.
I am having the same issue. Leopard Server has a different procedure than Tiger Server. I have my Certificate file, Private Key file, and Certificate Authority file. The server admin is where you add the certs. But it just won't take.
When I point to the files and click import, I get a "Certificate Import Failed" error. "Make sure the values you entered are correct, and that the certificate files on the server are valid."
They are text files... Any ideas?
Chris, I'm seeing the same error. I made an SSL cert and CA from Certificate Assistant and get the same error when attempting to input the cert into Server Admin. The console gives the following error.
servermgr_info:  [CertificateManager importIdentity:] Error importing certificate: SecKeychainItemImport (err = -25299)
This seems to correspond to
An item with the same primary key attributes already exists.
But I've looked through the keychain and I don't think I have a duplicate.
I'm also looking forward to an answer. I'd like to secure my email.
I was successful with 10.5.1.
I got the .pfx file from the authority (not godaddy.com) and decomposed it using openssl into the private key, the server cert and the ca chain file.
These I imported using the certificate section of server admin.
Problems I had:
1) no go under 10.5.0
2) after the first try there were leftovers of that experiment in /etc/certificates under the same name as the new certificates; I cleaned them up by hand.
3) keychain application: I removed all prior certificates with the machines name and also all private keys for that machine name, in all keychains.
After this cleanup, Server Admin imported the certificate without problems and I can use it now for Apache (and therefore the wiki) and iChat.
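Added example, not part of the thread: one way to do the .pfx decomposition described in the post above with openssl, then confirm that the private key matches the server certificate and that the certificate verifies against the extracted chain before attempting an import. The function names, file names, subjects and passphrase are assumptions made for this example, and the demo CA and bundle are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread). Names and the passphrase are constructed;
# for a real bundle prefer -passin env:VAR so the passphrase is not in the process list.

split_pfx() {  # usage: split_pfx bundle.pfx passphrase outdir
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out" && chmod 700 "$out" || return 1
    # Private key as unencrypted PEM, created readable by the owner only.
    (umask 077; openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem") || return 1
    # Server (leaf) certificate only.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.pem" || return 1
    # CA certificates only (the chain file).
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.pem" || return 1
}

check_pieces() {  # usage: check_pieces outdir ; returns 0 only if the pieces are consistent
    d=$1
    # The public key derived from the private key must equal the one in the certificate.
    k=$(openssl pkey -in "$d/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$d/cert.pem" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key does not match certificate" >&2; return 1; }
    # The certificate must verify against the chain (fails if the bundle omits the root CA).
    openssl verify -CAfile "$d/chain.pem" "$d/cert.pem" >/dev/null || { echo "chain does not verify" >&2; return 1; }
}

make_demo_pfx() {  # usage: make_demo_pfx workdir passphrase ; builds constructed test data
    w=$1; pass=$2
    mkdir -p "$w" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$w/srv.key" -out "$w/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/srv.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
        -CAcreateserial -days 1 -out "$w/srv.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$w/srv.key" -in "$w/srv.crt" -certfile "$w/ca.crt" \
        -passout "pass:$pass" -out "$w/bundle.pfx"
}

# Demo run on the constructed bundle.
demo=$(mktemp -d)
make_demo_pfx "$demo" "demo-pass" &&
    split_pfx "$demo/bundle.pfx" "demo-pass" "$demo/out" &&
    check_pieces "$demo/out" && echo "pieces are consistent: $demo/out"
```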
I think I've finally gotten it to work using the directions here.
Now I can import the new cert and it seems to use it.
Doing this from within Keychain Access > Certificate Assistant was an exercise in futility.