
SSL Certificate - Confused

Patrick Larkin
Mar 26, 2013 12:00 PM

Hello -


I've installed SSL certificates in every version of OS X Server except 10.7.


I'm utterly confused.  The certificate issuer requires an intermediate certificate now.  So I need to install the certificate I purchased and the intermediate certificate bundle (which appears to be two certificates in one file).


I've double clicked them to get them into the keychain.  I've added lines to the  like


SSLCertificateFile "/etc/certificates/ "

SSLCertificateKeyFile "/etc/certificates/"

SSLCertificateChainFile "/etc/certificates/ m"


I've selected the certificate in the Server GUI. 


Everything works great EXCEPT the intermediate certificate is not recognized, resulting in old browsers (and Android) getting an untrusted message.  Anyone know what the secret is?

  • infinite vortex Level 7 (21,400 points)
    Mar 26, 2013 3:55 PM (in response to Patrick Larkin)

    When you download your SSL certificate it should come with the issuer's certificate. Import that into your server's System keychain using Keychain Access.

  • iBlink Level 2 (180 points)
    Mar 28, 2013 8:37 PM (in response to Patrick Larkin)

    I posted this at as that's where I got the certificate, but most of the steps should apply....



    Create Our Self-Signed Certificate


    Server app

    Under Hardware, select your server

    Click "Settings" tab

    across from "SSL Certificate" click "Edit"

    click on gear with arrow button and select "Manage Certificates"

    click the "+" button and select "Create a certificate identity"

    the defaults should be your server name, "self signed root", and "ssl server"

    check "Let me override defaults"

    click "continue" and then "continue" again

    choose the period of time you will be buying the certificate for.  If it's one year leave defaults

    click "continue"

    fill in the next screen with your info and click "continue"

    keep clicking "continue" leaving defaults until you get to "Subject Alternate Name Extension" page

    in the "dNSName:" field put in all the domains you will be using the certificate for, separated only by a space between each entry.

              example: auto


    You can take out IP address

    click "continue"

    now your certificate is created

    click "done" and allow keychain alert

    click "OK" and now in the "certificate" menu you will see your new certificate.  Select it. leave it there for now.


    login to your account and go to your "manage certificates" area and under credits click on the request certificate link

    the CSR window will open.

    go back to your lion server where you can see the certificate you created and click the gear and arrow button and choose "generate certificate signing request (CSR)"

    copy the code in the box and paste it in the CSR box in the go page.  close the lion server code box window you just copied out of.

    now enter each domain name you are using in the "New Subject Alt Name" box and click add after each one.

    click "next" and verify your entries and then click "next" and then "finished"

    they send you an email and you verify

    when your certificate is ready in the certificates area of your account, click it and click download button.

    select the 10.6 option…..yes I know this is for 10.7….just choose 10.6….trust me

    click "download"


    now go back to server app and click "edit" across from "SSL Certificate" under settings tab

    select the self-signed certificate you created in the menu


    click the gear and arrow button and choose "replace certificate with signed or renewed certificate"

    drag the newly downloaded .crt file into the window (not the file that starts with gd_)

    click "replace certificate"


    last step

    open keychain access

    click "system" in "Keychains" column

    click "certificates" in "Category" column

    drag newly downloaded .crt file into the window (this is the one that starts with gd_)


    go back to server app and click "edit" across from "SSL Certificate" in the "Settings" tab and select your new certificate in the certificate menu

    if you want you can now select "custom" in that same menu and assign each of the listed services the new certificate.

    your server name should then populate the area next to the "SSL Certificate" section of the "Settings" tab.
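
Added example, not part of any post in this thread: the symptom from the original question (clients rejecting the certificate when the intermediate is not served) reproduced offline with `openssl`. The root, intermediate and leaf are a constructed throwaway PKI; all subject names, file names and the 2-day lifetime are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI (not real certificates):
# root -> intermediate -> leaf, mirroring a purchased cert plus the CA's bundle.

# csr NAME SUBJECT: new 2048-bit key and signing request at NAME.key / NAME.csr
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}

# make_demo_pki DIR: build root.crt, int.crt and leaf.crt inside DIR
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  csr "$1/root" "/CN=Demo Root CA" &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  csr "$1/int" "/CN=Demo Intermediate CA" &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null &&
  csr "$1/leaf" "/CN=server.example.test" &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Client that trusts only the root; the server sends the leaf alone.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same client; the server also sends the intermediate (the chain file's job).
verify_with_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in a bundle file
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

demo=$(mktemp -d)
make_demo_pki "$demo"
verify_leaf_only "$demo" && echo "leaf only: trusted" || echo "leaf only: untrusted"
verify_with_chain "$demo" && echo "leaf + chain: trusted" || echo "leaf + chain: untrusted"
cat "$demo/int.crt" "$demo/root.crt" > "$demo/bundle.crt"
echo "certificates in bundle: $(count_certs "$demo/bundle.crt")"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates actually sent; a lone leaf in that output corresponds to the first case above.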

