Server Admin Certificates out of sync with /etc/certificates/

Background: I installed an Xserve in a co-located facility back in 2006. The good news is that I haven't touched it since; the facility guys have only touched it once (reboot after first 13 months); and it's currently showing an Up time of 380 days. The bad news is that the SSL Certificates that I created in 2006 have long since expired.

Fast forward to today: I have no idea how I created the original certificates, but I vaguely remember using the command line. Looking in Server Admin, I saw two names: "Default" and my almost-fully-qualified-domain-name. There was also a file /etc/certificates/.defaultCertificateCreated with 0 size.

I first tried editing the Default entry to give it the true FQDN, but then I noticed that there were still Default.key and Default.crt in /etc/certificates, but no new FQDN.key and FQDN.crt files. I went back and tried to edit the expiration date on the other entry without changing its name, and I believe that was successful. But then I realized that I really needed the true FQDN to keep Mail.app happy. Unfortunately, I got lost around this time, i.e., I forget exactly what I changed and when. I also made the mistake of deleting some files from the command line while Server Admin was running, although I may have hit Revert. Eventually, I discovered that I could not create a full set of .key, .crt, .crtkey and .csl files using Server Admin. At best, Server Admin was only creating the .csl file, which is not sufficient. I did try deleting everything from Server Admin, quitting, deleting the /etc/certificates/ files, and starting over, but nothing would make Server Admin create a self-signed cert from scratch.

That's a long, rambling and poorly documented sequence of events, but my point is that I eventually had to resort to using the command line to create my self-signed SSL certificates with the openssl utility. I hand-edited imapd.conf (not sure that I needed to, but it referred to the old DN). Now my IMAP SSL is working again with a certificate that won't expire for another 5 years.

I'm left with a few questions:

1) Is Server Admin capable of creating a self-signed certificate as the Apple documentation (Mail Servicev10.4.pdf) claims?
2) What is the "Default" name supposed to be used for - doesn't it conflict with the FQDN requirement?
3) What is /etc/certificates/.defaultCertificateCreated?
4) Why does /etc/certificates/Default.{key,crt} keep getting created shortly after I delete it? (not sure whether this only happens when Server Admin is running)
5) How do I make sure that Server Admin is in sync with the /etc/certificates/ files again? Is there some kind of plist or other file that gets updated when managing certificates from the GUI? I have tried the obvious "revert" button, but that doesn't help.

Xserve G5 (Cluster Node), Mac OS X (10.4.11), 10K RPM, 4.5 GB

Posted on Jan 26, 2011 11:37 PM
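The post never received a reply, so here is an added example of the command-line route it describes: generating the self-signed certificate with the openssl CLI, writing the .key/.crt/.crtkey trio the poster says Server Admin expects, and then checking that the certificate and key actually belong together and when the certificate expires (the "out of sync" symptom). This is editor-added shell, not code from the original post or from Apple. It assumes a POSIX shell with OpenSSL 1.1.1 or later (for -addext), treats <name>.crtkey as the private key followed by the certificate (the post lists the file but does not define its contents), and does not produce the .csl file, because the post does not say what that file holds. The host name mail.example.test and the output directory are constructed for the example; on the server in the post the files would live under /etc/certificates/.

```shell
#!/bin/sh
# Editor-added example (not from the original post or from Apple).
# Recreates <name>.key, <name>.crt and <name>.crtkey with the openssl CLI,
# then verifies cert/key agreement and remaining validity.
# Assumptions: POSIX sh, OpenSSL >= 1.1.1 (-addext), .crtkey = key + cert.
set -eu

# make_selfsigned_cert DIR FQDN DAYS
#   Writes DIR/FQDN.key (mode 0600), DIR/FQDN.crt (self-signed, SHA-256)
#   and DIR/FQDN.crtkey (key followed by cert, for daemons that want one
#   file). A subjectAltName is included because modern clients match the
#   host name against the SAN, not the CN.
make_selfsigned_cert() {
    dir=$1; fqdn=$2; days=$3
    mkdir -p "$dir"
    # Subshell so the restrictive umask only applies while the key is written.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -days "$days" \
          -subj "/CN=$fqdn" \
          -addext "subjectAltName=DNS:$fqdn" \
          -keyout "$dir/$fqdn.key" \
          -out "$dir/$fqdn.crt" 2>/dev/null
      cat "$dir/$fqdn.key" "$dir/$fqdn.crt" > "$dir/$fqdn.crtkey" )
    chmod 0644 "$dir/$fqdn.crt"   # the certificate itself is public
}

# cert_key_match CRT KEY
#   Exit 0 only if the public key inside CRT equals the public half of KEY.
#   Comparing DER-encoded public keys works for RSA and EC alike.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for_days CRT DAYS
#   Exit 0 if CRT will still be valid DAYS from now (uses -checkend, which
#   avoids non-portable date arithmetic between GNU and BSD date).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_subject_cn CRT -> prints the subject in RFC 2253 form, e.g. "CN=host"
#   (the sed handles both the "subject=" and older "subject= " prefixes).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Stand-alone demonstration in a temporary directory (constructed input).
demo_dir=$(mktemp -d)
demo_host=mail.example.test
make_selfsigned_cert "$demo_dir" "$demo_host" 1826        # ~5 years, as in the post
echo "subject:     $(cert_subject_cn "$demo_dir/$demo_host.crt")"
if cert_key_match "$demo_dir/$demo_host.crt" "$demo_dir/$demo_host.key"; then
    echo "key/cert:    in sync"
else
    echo "key/cert:    MISMATCH"
fi
if cert_valid_for_days "$demo_dir/$demo_host.crt" 30; then
    echo "expiry:      more than 30 days left"
else
    echo "expiry:      expires within 30 days (or already expired)"
fi
ls -l "$demo_dir"
```

The cert_key_match check is the one to run against whatever ends up in /etc/certificates/: a GUI that regenerates Default.key behind your back, or a hand-copied .crtkey built from a stale key, produces exactly the mismatch it reports, and a daemon handed such a pair will fail the TLS handshake even though both files look fine. cert_valid_for_days with a value such as 30 is a cheap cron-friendly expiry warning.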
