
wildcard ssl

So our company has a Wildcard SSL Certificate that we use for most of our websites, and I've just set up a new 10.8 server for the use of Profile Manager. I've added our Wildcard SSL certificate to the system keychain and trusted it, but for the life of me I can't get the SSL Cert to take. I see it listed in the Server manager and select it and save the changes, but then I open up the SSL Cert again and there is nothing selected.


Any ideas?


Thanks in advance.

Mac mini, OS X Mountain Lion (10.8.2)

Posted on Oct 2, 2012 3:24 PM

21 replies

May 17, 2013 5:09 PM in response to eysfilm

Jeff notes: Creating Wildcard SSL certificate for email server

5/17/13


Overview

Server.app v2.2.1 uses Certificate Assistant to create CSRs (Certificate Signing Requests). Certificate Assistant doesn't support the creation of a Wildcard CSR. Entering the wildcard *.domain.com within the corresponding Certificate Assistant's Name field will not be accepted. This means the CSR and the private.key must be created from the command line using openssl.


SSL Certificates that are used by OS X server based services are stored within the following directory:

/etc/certificates


For OS X server based services to use an SSL certificate, each certificate must have the following four files located within /etc/certificates.

1. The certificate trust chain (chain.pem)

2. The certificate (cert.pem)

3. The key (key.pem)

4. The Concatenated certificate with its private key (concat.pem)


Notes

-If any one of the four files is missing, Serveradmin.app will not allow an SSL certificate to be assigned to a service.


-Each file's name will contain the common name of the certificate followed by the SHA1 hash from the certificate.


See

http://support.apple.com/kb/TS4539



CREATE AND INSTALL A WILDCARD SSL CERTIFICATE


On the OS X 10.8.3 server, do the following:

1. mkdir ~/Desktop/wildcardssl


2. cd ~/Desktop/wildcardssl


3. Create a CSR (Certificate Signing Request)


With password on private key:


openssl req -out CSR.csr -new -newkey rsa:2048 -keyout privateKey.key


OPTIONAL: Without DES password on private key:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key


Two files will be created: (1) CSR.csr and (2) privateKey.key. The CSR is sent to the CA (Certificate Authority) for verification. They will send back a signed certificate.


OPTIONAL: To view the contents of the CSR in plain text and verify:

openssl req -text -noout -verify -in CSR.csr


OPTIONAL: To view the contents of the privateKey.key and check:

openssl rsa -in privateKey.key -check


4. Submit the contents of the CSR.csr file. Use cat to view the contents and then copy and paste.


cat CSR.csr


I found an inexpensive site to purchase RapidSSL wildcard certificates. Last price was $99 each.

http://cheapssls.com


5a. After following the required steps, a Web Server Certificate and Intermediate CA will be emailed back to you.


5b. Create a nano file and copy and paste the Web Server CERTIFICATE portion of the email into nano and save.


nano cert.crt


OPTIONAL: To view the contents of the certificate in plain text:

openssl x509 -in cert.crt -text -noout


6. Create another nano file and copy the intermediate CA text portion into it and save:


nano rapidssl_intermediate_ca.crt



7a. Now it's time to create the four certificate files that OS X Server.app requires for the wildcard SSL certificate to function properly.


7b. Open Server.app v2.2.1 and select Certificates


7c. Locate the Gear Popup menu, and select "Show All Certificates".


7d. Click the Plus symbol to the left of the Gear popup menu and select "Import a Certificate Identity…"


7e. Drag the cert.crt, privateKey.key, and rapidssl_intermediate_ca.crt into the dialog window that appears and click the "Import" button.


Now match the wildcard SSL with all the Services you desire.

8. Locate the "Secure Services using:" popup menu and select "Custom".


9a. Archive (.zip) the Wildcard SSL folder located on the desktop and then copy it to a different secure location.

9b. Delete both the original and the archive from the server.


Done


OPTIONAL: Move wildcard certificate to another OS X server.

A. Archive (.zip) the Wildcard SSL folder on the Desktop and copy it to new server.

B. Repeat the above steps 7a - 9b.



Reference:

http://support.apple.com/kb/TS4539

Commonly used commands can be found here:

http://www.sslshopper.com/article-most-common-openssl-commands.html
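
A pre-import check for the files produced in steps 3 to 6 above, added here as an example and not part of the original post: it confirms that cert.crt was issued for privateKey.key, that its subject is a wildcard name, and that the pasted intermediate is its issuer. The helper names (make_sample, name_of, preflight), the example.test names and the throwaway CA are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example; make_sample, name_of and preflight are hypothetical helpers.

# Constructed test data: a throwaway CA standing in for the intermediate,
# plus a wildcard key/CSR/cert built non-interactively with -subj.
make_sample() {
  ( umask 077   # generated private keys stay owner-readable only
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
      -keyout "$1/ca.key" -out "$1/ca.crt" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
      -keyout "$1/privateKey.key" -out "$1/CSR.csr" &&
    openssl x509 -req -in "$1/CSR.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$1/cert.crt" &&
    openssl genrsa -out "$1/other.key" 2048
  ) >/dev/null 2>&1
}

# name_of subject|issuer FILE: print that DN without the "subject=" label.
name_of() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//'
}

# preflight CERT KEY INTERMEDIATE: prints "ok" or the first failed check.
# An encrypted key makes openssl prompt for its passphrase.
preflight() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "key-mismatch"; return 1         # cert was not issued for this key
  fi
  case "$(name_of subject "$1")" in
    *"CN=*."*) ;;                         # quoted, so the asterisk is literal
    *) echo "not-wildcard"; return 1 ;;
  esac
  if [ "$(name_of issuer "$1")" != "$(name_of subject "$3")" ]; then
    echo "wrong-intermediate"; return 1   # pasted CA block is not the issuer
  fi
  echo "ok"
}

# Demo on the constructed files; for real use, pass the files from steps 3-6:
#   preflight cert.crt privateKey.key rapidssl_intermediate_ca.crt
tmp=$(mktemp -d) && make_sample "$tmp" &&
  preflight "$tmp/cert.crt" "$tmp/privateKey.key" "$tmp/ca.crt"
```

The key comparison uses the public key rather than the RSA modulus, so the same check also works for non-RSA keys.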

Feb 21, 2014 11:11 AM in response to JeffA_Irvine

JeffA_Irvine—THANK YOU!!!

I've been wrestling with getting a wildcard SSL (via RapidSSL) working under OS X Server (tried various versions, based on RapidSSL's instructions—none worked properly—keychain always barfed on the wildcard star "*"). But, followed your instructions, and literally had it completed within 15 minutes, from start to finish. So, again, THANK YOU!!!

Kristin.
