SSL using an Intermediate Certificate

I am running OS X Server 10.4.3. I recently purchased an SSL certificate from Godaddy.com (signed by Starfield) for use with our mail server (mail.foo.com). I was able to set up that certificate just fine and now it shows the certificate as being signed by Starfield. The problem I run into is Apple Mail client still complains saying, "There is no root certificate for this server." Examining the certificate shows it is signed by Starfield, but gives the message "This certificate was signed by an unknown authority." After doing some poking around, it looks like this is because I need to install the "Intermediate Certificate" that came with the SSL certificate for my domain. The problem is, I'm not sure how to do this. Has anyone dealt with intermediate certificates in OS X Server? Thanks in advance!

Posted on Nov 9, 2005 3:10 PM


Dec 21, 2005 4:29 AM in response to JPWSPO

Here's what we discovered last night.

We could not find a way to install the intermediate certificate via Server Admin. So we had to do it the old-fashioned way. Here's how.

1. Copy sf_issuing.crt to /etc/certificates
2. Go to /etc/httpd/sites
3. Edit the .conf file for the site to which the certificate applies. (I should note here that we had already installed the issued certificate via Server Admin, but had been getting errors in browsers about not being able to verify the source of the certificate.)
4. Find the lines in the .conf file for SSLCertificateFile and SSLCertificateKeyFile. They should be in the block about mod_ssl.
5. After those lines, add a similar line for SSLCertificateChainFile /path to intermediate certificate/sf_issuing.crt
6. Save the .conf file and restart the web server.

That should be all. You won't see the intermediate certificate in Server Admin, but it's eliminated the error messages about the certificates for us. I have to wonder if Apple didn't include the ability to add the intermediate in SA due to an oversight, as many people just use Verisign or Thawte and don't need the intermediates with them? Hopefully Leopard Server will include this ability, but if not, it's not too hard to install by hand. This should be in the knowledgebase, though.

iMac G5 20" Mac OS X (10.4.3)
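The reason the chain file matters, shown as an added example that is not part of the original post: the client trusts only the root, so a leaf signed by an intermediate validates only when that intermediate is supplied with it. It assumes the `openssl` command-line tool is installed; the CA and subject names are constructed sample values, and `sf_issuing.crt` here is a throwaway stand-in for the real Starfield file.

```shell
#!/bin/sh
# Constructed demo: a leaf signed by an intermediate CA only validates when the
# intermediate is presented alongside it, which is what SSLCertificateChainFile
# makes the server do. All subjects and keys below are throwaway sample values.

# issue NAME CN SIGNER CA_FLAG: create NAME.key and NAME.crt in $dir.
# SIGNER is "self" for the root, otherwise the NAME of the issuing CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:%s\n' "$4" > "$dir/$1.ext"
    if [ "$3" = self ]; then
        openssl x509 -req -in "$dir/$1.csr" -days 2 -extfile "$dir/$1.ext" \
            -signkey "$dir/$1.key" -out "$dir/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$1.csr" -days 2 -extfile "$dir/$1.ext" \
            -CA "$dir/$3.crt" -CAkey "$dir/$3.key" -CAcreateserial \
            -out "$dir/$1.crt" 2>/dev/null
    fi
}

make_chain() {   # $1 = working directory; builds root -> sf_issuing -> leaf
    dir=$1
    issue root "Demo Root" self TRUE &&
    issue sf_issuing "Demo Issuing CA" root TRUE &&
    issue leaf "mail.foo.com" sf_issuing FALSE
}

# verify_leaf DIR [CHAINFILE]: succeed only if the leaf chains to the trusted root.
# CHAINFILE stands for what the server sends in addition to its own certificate.
verify_leaf() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" 2>&1)
    else
        out=$(openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>&1)
    fi
    printf '%s\n' "$out" | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp" || return 1
    verify_leaf "$tmp" && echo "leaf alone: OK" || echo "leaf alone: no path to the root"
    verify_leaf "$tmp" "$tmp/sf_issuing.crt" && echo "leaf + intermediate: OK"
    rm -rf "$tmp"
}
demo
```

To confirm what a live server actually sends after the restart, `openssl s_client -connect host:443 -showcerts` lists every certificate in the handshake; the intermediate should appear after the server certificate.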


Mar 24, 2006 8:20 AM in response to UptimeJeff

I obtained a certificate from godaddy.

As described above, I installed the intermediate certificate into the keychain by double-clicking on it and added it to X509anchors through KeyChain Access.

I then installed the signed Web Server Certificate via the Server Admin. I could not simply drag the certificate file into Server Admin, however - when I did that I would get an error (-1) when I closed the Add Signed Certificate dialog. But then I tried opening the certificate in TextEdit and pasting the certificate text into the Server Admin dialog. This worked, and once saved it displays with Authority as Starfield Technologies and appropriate validity date range.

I have not yet tested the SSL connection, but at least I get no errors in the certificate install process... hopefully the rest will work.

Jeff S

XServe G5 DP Mac OS X (10.4.5)
