3 Replies Latest reply: May 15, 2014 4:21 PM by MrHoffman
jdramosfamily Level 1 (0 points)

Couple of questions on Mac OS X 10.6 server or above.

 

1) Can a Mac OS X 10.6 server or above version support PKCS#7 format for SSL certificate installation?

 

2) If PKCS#7 format is supported, is the file extension .p7b?

 

Thank you!

J


Mac OS X (10.6.8)
  • MrHoffman Level 6 (13,055 points)

    OS X 10.6 has OpenSSL with pkcs7, per the help text.  Use man pkcs7 and man openssl for details of that.

     

    With OpenSSL on OS X, the pkcs7 files are usually in .PEM or .DER format. 

     

    Per the man page "This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they cannot currently parse, for example, the new CMS as described in RFC2630." 

     

    OS X is using Secure Transport in more recent releases, and OpenSSL is around for legacy application use. 

     

    The "newer" infrastructure uses the security command, and that includes details such as "Possible formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pemseq if more than one item is being exported. The default is openssl if one key is being exported. The default is x509 if one certificate is being exported."  

     

    Whether these details address whatever you're interested in here, or what sort of problem you're encountering here, I don't know.  I'm guessing you're looking to use these pkcs7 certificates in some fashion?  Single sign-on or S/MIME would be typical for pkcs7, but details can depend on the requirements and the particular client or server in use.

  • jdramosfamily Level 1 (0 points)

    Hi MrHoffman,

     

    Thank you for your kind reply.

     

    I'm trying to gather information at this point on whether Mac OS X 10.6 server (or above) allows you to successfully install an SSL certificate sent by a Certificate Authority in PKCS#7 format. Previous server versions such as OS X 10.5 accept SSL certificate installation in X.509 format. But you have to manually install the Intermediate CA (Sub CA signer) as a separate certificate file.

  • MrHoffman Level 6 (13,055 points)

    Try it.  Unfortunately, sometimes certificates can be mis-generated or can become corrupted.

     

    X.509 is the overarching standard, and comprises various formats including PKCS7.   I'd usually want a PEM format certificate file, though OS X 10.6 does support various formats, including PKCS7.

     

    Depending on exactly what you're up to here with OS X and OS X Server and these certificates, there might be Server Admin.app or Server.app service-specific steps required; additional general info here, here or here.

     

    If these are your own servers, clients and your own family and friends accessing these systems, then there's no need for a purchased certificate.  Self-generated certificates work just as well and are just as secure as purchased certificates (if you have a trusted and secure way to perform the initial load), and — if you're inclined, and want to learn a little about OS X and certificates — you can set up your own certificate authority and load your own root certificate, and then your own client certificates are automatically honored.
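
An added example, not part of the thread: one way to check whether a CA-supplied .p7b is PEM or DER encoded and to unpack every certificate in it to a plain PEM file with the `openssl pkcs7` command mentioned above. It assumes `openssl` is on the PATH; the file names and the two self-signed certificates (stand-ins for a server certificate and an intermediate CA) are constructed test data.

```shell
#!/bin/sh
# Added example; all certificates here are constructed throwaway test data.
set -e

# Print PEM or DER depending on how a PKCS#7 file is encoded.
p7b_encoding() {
    if grep -q -e '-----BEGIN PKCS7-----' "$1"; then echo PEM; else echo DER; fi
}

# Write every certificate held in a PKCS#7 bundle to one PEM file.
p7b_to_pem() {   # usage: p7b_to_pem bundle.p7b out.pem
    openssl pkcs7 -inform "$(p7b_encoding "$1")" -in "$1" -print_certs |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Number of certificates in a PEM file.
pem_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Subject line of each certificate in a PEM file, to tell the server
# certificate from the intermediate before installing either.
pem_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

# Build a constructed two-certificate bundle in both encodings.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
for cn in server.example.test "Example Intermediate CA"; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    cat "$tmp/cert.pem" >> "$tmp/all.pem"
done
openssl crl2pkcs7 -nocrl -certfile "$tmp/all.pem" -outform DER -out "$tmp/der.p7b"
openssl crl2pkcs7 -nocrl -certfile "$tmp/all.pem" -outform PEM -out "$tmp/pem.p7b"

# Unpack each bundle and report what it contained.
for f in "$tmp/der.p7b" "$tmp/pem.p7b"; do
    p7b_to_pem "$f" "$f.certs.pem"
    echo "$f: $(p7b_encoding "$f"), $(pem_cert_count "$f.certs.pem") certificate(s)"
    pem_subjects "$f.certs.pem"
done
```
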