Help with expiring Default certificate

I need some help, I'm not sure how to go about reactivating or extending this certificate... I am getting this message:


The following certificate is about to expire on your server, (servername):

    Name: Default
    Expiration Date: 2009-12-16 18:34:33 -0500


My question is, do I delete this Default cert and make a new one called the same name, or...?

Thanks in advance.

Apple Xserve, Mac OS X (10.6.2), 2 x 2.8 quad core intel xeon, 16gb RAM

Posted on Nov 18, 2009 8:09 AM

11 replies

Nov 18, 2009 4:08 PM in response to ekal

Hi,

You can’t “edit” the existing cert anymore.

You have to delete your expired (or soon to expire) cert if the new cert will be for the same host name, which is likely, else you’ll get an error about it already existing in the chain. Just go to the certificate window, press the + and select “create a certificate identity”. Use the fully qualified domain name that matches the service or purpose of the cert and host. This will create a new self signed cert that is good for one year by default. If you want to create a cert with a different expiration date (more than 365 days), you must check the box to override defaults or something along those lines when you’re creating the cert. That part is pretty self explanatory.

I’m not sure if clients will have to “trust” the “new” self signed cert each time you do this. I don’t have time to test that as I was just looking at this during a meeting :P Not sure if you have to “repoint” your services to the new cert either but that’s fairly trivial even if you must do so. I assume you don’t have to though as long as the cert name remained the same and continues to match.

Nov 19, 2009 10:36 AM in response to ekal

Nuke the default certificate? That's not (unless you have something referencing it) necessary.

If you want more options than what Server Admin offers here, go after the System Certificates using the Keychain Access tool (look in Applications / Utilities); you can import and export and other such there.

If you want to establish blanket trust for your own stuff, you have to load the public root certificate for the CA; for yourself as a CA. This sequence is basically what purchasing a certificate does for you. A purchased certificate is tied to a root certificate that the certificate vendor has gotten registered in various browsers and tools.

If you're working within your own organization and your own clients, it's usually just as effective and it's cheaper to set up your own root cert and your own trust. To be your own CA.
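
The "be your own CA" approach from the reply above, together with the kind of expiry check behind the warning in the original question, sketched with the openssl command line as an added example that is not part of any post in this thread. The CA name, host name, file layout and lifetimes are constructed placeholders; the resulting `ca.pem` would still have to be loaded as a trusted root on each client.

```shell
#!/bin/sh
# Added example (not from the thread): a private root CA with the openssl CLI.
# CA name, host name, file layout and lifetimes are constructed placeholders.
set -eu
umask 077   # keep generated private keys readable by the owner only

# make_ca DIR: create a root key and a self-signed root certificate in DIR.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR FQDN DAYS: sign a server certificate for FQDN with the root.
issue_cert() {
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$3" -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# chain_ok DIR FQDN: succeeds only if the certificate chains to the root in DIR.
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# expires_within CERT DAYS: succeeds if CERT expires within the next DAYS days.
expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}
```

Running `expires_within` from a scheduled job against each service certificate gives the same early warning as the server's notification, for certificates issued by either a private or a commercial CA.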

Nov 19, 2009 2:50 PM in response to ekal

In ALL of my 10.6 boxes, the default cert that has been created matches the FQDN and this is without any modification or changes. It doesn’t work anything like the interface did in 10.5 (in case anyone is referencing a 10.5 box for some reason).

In any case, I found it easiest to do as I mentioned, which was to create a new cert with the appropriate name but with an expiration date that made sense. I then set my services to use this cert (so for host.com, I have a corresponding cert with the same name). This all works fine for me. Note that on the machines in production, I am using a GoDaddy cert as opposed to self signed.

On NONE of my 10.6 boxes has a cert titled “default” been created on its own. The only reason I “removed” the original cert with the 1 year expiration is that I obviously could not create a second cert with the same exact host name because keychain would complain that one already exists in the chain.

Anyway...works fine for me this way.
