Root Certificate Authority to Sign Server SSL

I am not sure if this will help anyone here, but I wanted to reply to a similar thread that had been archived, where a user wanted to export the Open Directory Certificate Authority and use it on another Mac.

Anyways, I was having the exact same issue creating a Certificate Authority as everyone here is. How I ultimately was able to create a Certificate Authority was by using the Certificate Authorities created by the Open Directory Master configuration process. That process creates a self-signed CA and an intermediate CA. The files that contain the certificate authorities are located in the root user's home directory at this exact location (given that you have not changed the location of the root user's home directory):

/var/root/Library/Application Support/Certificate Authority/

There will be two directories within this directory, those two directories should contain a .pem file which contains the public certificate for the Root CA, and a .certAuthorityConfig file. If you open the Keychain Access application, unlock the System keychain, then goto Keychain Access -> Certificate Assistant -> Set the default certificate authority.... Most likely the list in the Certificate Assistant will be blank, so click Add a Certificate Authority, choose the .certAuthorityConfig file (choose the Root CA cert config file), it will add that certificate authority to the list, and click Continue, it should say it successfully set the default CA, and then click done.

If you have already created a Certificate Authority and you want to export it and import it onto another Mac OS X machine, login as the User that created the Certificate Authority, open Finder, click on the Go Menu while holding down the alt (option) key. This will bring up the Library directory. Open the User's Library, and navigate to (keep in mind you're current relative directory is ~/Library/):

~/Library/Application Support/Certificate Authority/

Copy the two files that are contained in the folder inside the Certificate Authority folder, the inner folder will be named after the Certificate Authority's CN (Common Name). Put those two files on the machine you wish to import the certificate authority, and repeat the process above for setting the default certificate authority.

There are a few other ways to import the Certifcate Authority, but this is just the easiest way.

I too am having this problem, I do not understand PKI well enough to know what the correct order of steps to take and what options I want to use. I have been doing a lot of trial and error because I can't seem to find a good resource that describes the technology in terms of my use cases. I understand it to a certain extent but there are a lot of gaps in my knowledge that create fail points, and I can't find a good comperehensive resource that is able to bring all everything together. Would love it if someone could point me to one.

I hear ya. Lion Server is way pickier than SL server is/was. I can get profile manager up and running using default created certs but would still like to be able to create Leaf certs signed by other CAs. What did you have to do to get a CA to trust (aka sign) your SSL cert?

S.T.Smith: Did you ever get passed this "Unknown error = ..."? I'm running into this on Lion with pretty much the same scenario you describe (trying to create a Leaf (signed) certificate).