2 Replies Latest reply: Mar 28, 2013 8:37 PM by iBlink
Patrick Larkin Level 1 Level 1

Hello -


I've installed SSL certificates in every version of OS X Server except 10.7.


I'm utterly confused.  The certificate issuer requires an intermediate certificate now.  So I need to install the certificate I purchased and the intermediate certificate bundle (which appears to be two certificates in one file).


I've double clicked them to get them into the keychain.  I've added lines to the 0000_xx.xx.xx.xx_443_myhost.com.conf  like


SSLCertificateFile "/etc/certificates/myhost.com.9D5989D4DD7AED15D1B61AF8887C566611073BA9.cert.pem "

                    SSLCertificateKeyFile "/etc/certificates/myhost.com.9D5989D4DD7AED15D1B61AF8887C566611073BA9.key.pem"

                    SSLCertificateChainFile "/etc/certificates/myhost.com.9D5989D4DD7AED15D1B61AF8887C566611073BA9.chain.pe m"


I've selected the certificate in the Server GUI. 


EVerything works great EXCEPT the intermediate certificate is not recognized resulting in old browsers (and Android) to get an untrusted message.  Anyone know what the secret is?

  • infinite vortex Level 7 Level 7

    When you download your SSL certificate it should come with the issuer's certificate. Import that into your server's System keychain using Keychain Access.

  • iBlink Level 2 Level 2

    I posted this at godaddy.com as that's where I got the certificate, but most of the steps should apply....



    Create Our Self-Signed Certificate


    Server app

    Under Hardware, select your sever

    Click "Settings" tab

    across from "SSL Certificate" click "Edit"

    click on gear with arrow button and select "Manage Certificates"

    click the "+" button and select "Create a certificate identity"

    the defaults should be your sever name, "self signed root", and "ssl server"

    check "Let me override defaults"

    click "continue" and then "continue" again

    choose the period of time you will be buying the certificate for.  If its one year leave defaults

    click "continue"

    fill in the next screen with your info and click "continue"

    keep clicking "continue" leaving defaults until you get to "Subject Alternate Name Extension" page

    in the "dNSName:" field put in all the domains you will be using the certificate for, separated only by a space between each entry.

              example: domain.com server.domain.com www.domain.com mail.domain.com auto discover.domain.com


    You can take out IP address

    click "continue"

    now your certificate is created

    click "done" and allow keychain alert

    click "OK" and now in the "certificate" menu you will see your new certificate.  Select it. leave it there for now.


    login to your GoDaddy.com account and go to your "manage certificates" area and under credits click on the request certificate link

    the CSR window will open.

    go back to your lion server where you can see the certificate you created and click the gear and arrow button and choose "generate certificate signing request (CSR)"

    copy the code in the box and paste it in the CSR box in the go daddy.com page.  close the lion server code box window you just copied out of.

    now enter each domain name you are using in the "New Subject Alt Name" box and click add after each one.

    click "next" and verify your entries and then click "next" and then "finished"

    they send you an email and you verify

    when your certificate is ready in the certificates area of your godaddy.com account, click it and click download button.

    select the 10.6 option…..yes I know this is for 10.7….just choose 10.6….trust me

    click "download"


    now go back to server app and click "edit" across from "SSL Certificate" under settings tab

    select the self-signed certificate you created in the menu


    click the gear and arrow button and choose "replace certificate with signed or renewed certificate"

    drag the newly downloaded .crt file into the window (not the file that starts with gd_)

    click "replace certificate"


    last step

    open keychain access

    click "system" in "Keychains" column

    click "certificates" in "Categaory" column

    drag newly downloaded .crt file into the window (this is the one that starts with gd_)


    go back to server app and click "edit" across from "SSL Certificate" in the "Settings" tab and select your new GoDaddy.com certificate in the certificate menu

    if you want you can now select "custom" in that same menu and assign each of the listed services the new certificate.

    your server name should then populate the area next to the "SSL Certificate" section of the "Settings" tab.