Certificate Expired - localhost

Hi,

in server admin (server settings/certificates) you can remove and add/create certificates to your server.

Adding a cert will open a wizard which will guide you through the process regardless if you need a self-signed cert or not.

Cheers

The certificate renewal sequence works if you've purchased a commercial certificate or if you're running your own certificate chain. That the DNS name here is not a public domain name would imply that this is not a commercially-purchased certificate, and given you're asking the question you're probably not running your own certificate chain would imply you're not running your own chain.

In this case, you can create a new self-signed certificate using Certificate Assistant, and load it into the system keychain on the server.

Launch Keychain, select Certificate Assistant via the menu, and create yourself a self-signed certificate with a matching domain name.

If you're running SSL on any of the services, you'll have to re-select the certificates to your newly-created and newly-loaded self-signed certificate, and restart the services.

Alternatively, you can purchase a commercial certificate, and load that. (If you're running your own clients or clients you control, you can either purchase the necessary certificates, or you can set up your own certificate root and certificate chain. The level of security is the same for both commercial and self-generated, so long as the root certificate distribution path is trusted.)

As a somewhat-related discussion to this certificate for this server, that certificate domain name implies there is a DNS configuration error, as well. Launch Terminal.app and issue the command sudo changeip -checkhostname and see whether the current DNS set-up is valid or if there are corrections needed. You will need to enter an administrative password for the sudo.

You can't renew this certificate given the way that it's been created, and this certificate is also effectively junk. (And given that the domain name here is, well, junk, you could simply ignore the expiration and continue onward with whatever errors arise here, too.)

The host name "localhost" is a generic name of any host on the Internet. It's the IP analog of "me" in English, and not a specific name of a specific host. Every host on an IP network will honor "localhost" as a valid name for itself, for instance.

As for the recipe you're asking for: Keychain Access > Certificate Assistant > select Create a Certificate > enter the fully-qualified host name for the server as the name, select self-sized root, select the SSL Server certificate type > OK the self-signed certificate diagnostic to dismiss it > done.

Return to Keychain Access, find the certificate that you've just created in the local keychain (you can select My Certificates to look just at the local certificates), and drag the new certificate over to the system keychain. Drag the certificate over to the System keychain entry in the left navigation and drop it, enter your admin password, and select Always Trust and enter your admin password again.

Move to Server Admin, and select the particular services that need the certificate replaced, and select the old certificate listed in the typical display, and (when you select the old certificate) scroll to and release the control to select the new certificate.

You can't renew a self-signed certificate. You would simply replace it.

(Well, not without having established a root certificate and the associated certificate chain. Then you can sign and renew your own certificates. That's slightly arcane, however.)

I followed these instructions (thank you), but am having a new problem. When I check the certificate from another computer (with openssl s_client -connect) I get the message "Verify return code: 21 (unable to verify the first certificate)". Do you know what that means and how I can fix it?

Also I noticed that the certificate I created following your instructions doesn't have, and never prompted me to enter, certain "Subject Name" and "Issuer Name" data which is present in my original (now expired) certificate. Common name and country are the same though. Do other fields matter (organization, state, etc.) and if so how can I set them?

Please post the command output up to the --BEGIN CERTIFICATE-- stuff.

If you're going to obfuscate your domain, change it (consistently!) to example.com

If you're using DNS in .local, then your DNS is messed up.

If you're using localhost as the name on your certificate, your certificate is invalid.

DNS is fundamental to running Mac OS X Server, and a great huge pile of stuff goes weird and goes sideways when DNS is misconfigured or unstable.

Here's everything that comes before Begin Certificate:

CONNECTED(00000003)

depth=0 /CN=example.com/C=US

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 /CN=example.com/C=US

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

0 s:/CN=example.com/C=US

i:/CN=example.com/C=US

---

Server certificate

Everything seems to be working fine for clients that were bound to the directory server before the cetificate expired. The DNS service isn't running on this server, we use a different DNS server. The old and new certificates both have the same name, example.com (not localhost).