21 Replies Latest reply: Aug 27, 2015 9:03 AM by Holonsys
  • qurt Level 1

    I had the same problem today.


    Turns out that the '+' sign in the certificates tab of server app has a menu.

    This menu allows you to import the certificate.

    Then it works.


    The problem is:

    Server app 2.2.1 has a bug.

    The menu will not show up most of the time...

  • mryken Level 1

    I was having the same issue today and couldn't figure it out.  Then I finally stumbled upon this recent knowledge base article:



    It worked like a charm.

  • JeffA_Irvine Level 1

    Jeff notes: Creating Wildcard SSL certificate for email server



    Overview

    v2.2.1 uses Certificate Assistant to create CSR (Certificate Signing Requests). Certificate Assistant doesn't support the creation of a Wildcard CSR. Entering the wildcard * within the corresponding Certificate Assistant's Name field will not be accepted. This means the CSR and the private.key must be created from the command line using openssl.


    SSL Certificates that are used by OS X server based services are stored within the following directory:



    For OS X server based services to use a SSL certificate, each certificate must have the following four files located within /etc/certificates.

    1. The certificate trust chain (chain.pem)

    2. The certificate (cert.pem)

    3. The key (key.pem)

    4. The Concatenated certificate with its private key (concat.pem)



    - If any one of the four files is missing, will not allow an SSL certificate to be assigned to a service.


    - Each file's name will contain the common name of the certificate followed by the SHA1 hash from the certificate.







    On the OS X 10.8.3 server, do the following:

    1. mkdir ~/Desktop/wildcardssl


    2. cd ~/Desktop/wildcardssl


    3. Create a CSR (Certificate Signing Request)


    With password on private key:


    openssl req -out CSR.csr -new -newkey rsa:2048 -keyout privateKey.key


    OPTIONAL: Without DES password on private key:

    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key


    Two files will be created: (1) CSR.csr and (2) privateKey.key. The CSR is sent to the CA (Certificate Authority) for verification. They will send back a signed certificate.


    OPTIONAL: To view the contents of the CSR in plain text and verify:

    openssl req -text -noout -verify -in CSR.csr


    OPTIONAL: To view the contents of the privateKey.key and check:

    openssl rsa -in privateKey.key -check


    4. Submit the contents of the CSR.csr file. Use cat to view the contents and then copy and paste.


    cat CSR.csr


    I found an inexpensive site to purchase RapidSSL wildcard certificates. Last price was $99 each.


    5a. After following the required steps, a Web Server Certificate and Intermediate CA will be emailed back to you.


    5b. Create a nano file and copy and paste the Web Server CERTIFICATE portion of the email into nano and save.


    nano cert.crt


    OPTIONAL: To view the contents of the certificate in plain text:

    openssl x509 -in cert.crt -text -noout


    6. Create another nano file and copy the intermediate CA text portion into it and save:


    nano rapidssl_intermediate_ca.crt



    7a. Now it's time to create the four certificate files that OS X requires for the wildcard SSL certificate to function properly. 


    7b. Open v2.2.1 and select Certificates


    7c. Locate the Gear Popup menu, and select "Show All Certificates".


    7d. Click the Plus symbol to the left of the Gear popup menu and select "Import a Certificate Identity…"


    7e. Drag the cert.crt, privateKey.key, and rapidssl_intermediate_ca.crt into the dialog window that appears and click the "Import" button.


    Now match the wildcard SSL with all the Services you desire.

    8. Locate the "Secure Services using:" popup menu and select  "Custom".


    9a. Archive (.zip) the Wildcard SSL folder located on the desktop and then copy it to a different secure location.

    9b. Delete both the original and the archive from the server.




    OPTIONAL: Move wildcard certificate to another OS X server.

    A. Archive (.zip) the Wildcard SSL folder on the Desktop and copy it to new server.

    B. Repeat the above steps 7a - 9b.




    Commonly used commands can be found here:
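
Added example (not part of JeffA_Irvine's post): a pre-import check for the files from steps 3 to 6, confirming before step 7 that cert.crt belongs to privateKey.key and CSR.csr, carries the wildcard name, and names the intermediate as its issuer. The domain example.test, ca.key, other.key and the throwaway CA standing in for the RapidSSL intermediate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: consistency checks on the CSR, key, certificate and intermediate.

pubkey_of() {                 # $1 = key|cert|csr, $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

same_pubkey() {               # kind1 file1 kind2 file2
  a=$(pubkey_of "$1" "$2") || return 1
  b=$(pubkey_of "$3" "$4") || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]   # empty output must never count as a match
}

has_wildcard() {              # $1 = cert, $2 = domain; looks in subject and SAN
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "*.$2"
}

issuer_name_matches() {       # name comparison only, not a signature check
  i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
  s=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
  [ -n "$i" ] && [ "$i" = "$s" ]
}

make_sample() {               # constructed throwaway files, valid for one day
  d=$(mktemp -d) && cd "$d" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out rapidssl_intermediate_ca.crt -subj "/CN=Constructed Test CA" -days 1
  openssl req -out CSR.csr -new -newkey rsa:2048 -nodes \
    -keyout privateKey.key -subj "/CN=*.example.test"
  openssl x509 -req -in CSR.csr -CA rapidssl_intermediate_ca.crt \
    -CAkey ca.key -CAcreateserial -out cert.crt -days 1
  openssl genrsa -out other.key 2048   # unrelated key, used as the negative case
} >/dev/null 2>&1

make_sample || exit 1
same_pubkey csr CSR.csr key privateKey.key && echo "CSR matches key"
same_pubkey cert cert.crt key privateKey.key && echo "cert matches key"
same_pubkey cert cert.crt key other.key || echo "other.key rejected"
has_wildcard cert.crt example.test && echo "wildcard name present"
issuer_name_matches cert.crt rapidssl_intermediate_ca.crt && echo "issuer name matches"
```
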

  • kristin. Level 2

    JeffA_Irvine—THANK YOU!!!

    I've been wrestling with getting a wildcard SSL (via RapidSSL) working under OS X Server (tried various versions, based on RapidSSL's instructions—none worked properly—keychain always barfed on the wildcard star "*"). But, followed your instructions, and literally had it completed within 15 minutes, from start to finish. So, again, THANK YOU!!!


  • KPowerbookG4 Level 1

    I would also like to add a HUGE THANK YOU to JeffA_Irvine.


    Hours of my life wasted--until now.  Back to work!

  • Jack Foster Mancilla Level 2



    I was wondering. … This information is two years old. Does it still work with the Server App in Yosemite 10.10.3?



  • Holonsys Level 1

    For info, this procedure works fine on Mac OS X Server 10.9.5 and Server v3.2.2.


    Big Thanks!
