How to replace an expiring self-signed certificate?
Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
http://screencast.com/t/zlVyR2Hsc
Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
http://screencast.com/t/54c2BUJuXO2
Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
Be aware that creating certificates starts to populate your server Keychain.
http://screencast.com/t/JjLb4YkAM
It appears that when you start to delete certificates, it leaves behind private keys.
http://screencast.com/t/XD9zO3n16z
If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
Bypass "Introduction".
In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
(OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
Pant, pant...
The next window asks for an email address and location information - this appears to be optional.
Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
Key Usage Extension window
Here's where it gets interesting...
I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
Extended Key Usage Extension...
Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
Sorry, folks, I just HAVE to show you the help for this window...
+*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid.*+
KILL ME NOW!!!
OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
Basic Constraints Extension...
Well, there is no mention of that on the original certificate, so leave it unchecked.
Subject Alternate Name Extension...
Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
DONE!!!! Let's see what the heck we got!
http://screencast.com/t/QgU86suCiQH
Well, I don't know about you but that looks pretty close for Jazz?
I got some extra crap in there but the stuff from the original cert is all there.
Think we're OK??
Out with the old certificate (delete).
Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
http://screencast.com/t/bydMfhXcBFDH
Oh yeah...one more thing in KeyChain Access...
See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
http://screencast.com/t/GdZfxBkHrea
Select "Always Trust".
I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
If you want to see my rant on Apple's worthless documentation, it's here.
http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0
First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
http://screencast.com/t/zlVyR2Hsc
Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
http://screencast.com/t/54c2BUJuXO2
Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
Be aware that creating certificates starts to populate your server Keychain.
http://screencast.com/t/JjLb4YkAM
It appears that when you start to delete certificates, it leaves behind private keys.
http://screencast.com/t/XD9zO3n16z
If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
Bypass "Introduction".
In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
(OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
Pant, pant...
The next window asks for an email address and location information - this appears to be optional.
Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
Key Usage Extension window
Here's where it gets interesting...
I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
Extended Key Usage Extension...
Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
Sorry, folks, I just HAVE to show you the help for this window...
+*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible. EKU is defined with object identifiers called OIDs. If the EKU extension is omitted, all operations are potentially valid.*+
KILL ME NOW!!!
OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
Basic Constraints Extension...
Well, there is no mention of that on the original certificate, so leave it unchecked.
Subject Alternate Name Extension...
Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
DONE!!!! Let's see what the heck we got!
http://screencast.com/t/QgU86suCiQH
Well, I don't know about you but that looks pretty close for Jazz?
I got some extra crap in there but the stuff from the original cert is all there.
Think we're OK??
Out with the old certificate (delete).
Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
http://screencast.com/t/bydMfhXcBFDH
Oh yeah...one more thing in KeyChain Access...
See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
http://screencast.com/t/GdZfxBkHrea
Select "Always Trust".
I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
If you want to see my rant on Apple's worthless documentation, it's here.
http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0
MacBook Pro
