
How can I generate a CA flagged SSL certificate for OS X Server usage?

[I originally posted this in the Yosemite forum as I didn't find the Server forum at the time. Reposting here, as it's where I meant to originally post it]


Hello,

I wish to generate an SSL certificate for OS X Server, WITH the CA flag set to TRUE. The one that is generated by Server by default does not have this flag in place.

I got as far as generating a CA Signing Authority certificate in Keychain Access. I can also then generate a new SSL certificate with the CA flag set. But I have not been able to get that certificate to be utilised by Server. I've tried many routes to do so, including exporting it from Keychain and importing it to Server Certificates manager. But it still uses the prior certificate. If I delete that prior certificate in Keychain, Server detects it is missing and then drops back to using the "Server Fallback SSL certificate - Self-signed". If I tell it to use the certificate I generated and imported it results in the message,


Additional access is required to use the selected certificate.

Server cannot access the private key for this certificate. To grant access, click Continue and enter your user name and password when prompted.


I click CONTINUE, and it goes to the message:

Services could not be configured to use this certificate.

The certificate could not be exported, and cannot be used to configure services.


Would someone experienced with such things please advise how I might go about doing this.


My issue is that Android will not accept/trust certificates that don't have the CA Flag = TRUE. So I need to get this in place in order to import the certificate for my local server into Android devices that I want to use for accessing the Server (such as CalDAV and CardDAV).


Thank you.

Posted on Apr 24, 2015 9:17 PM

8 replies

Apr 26, 2015 10:26 AM in response to InspiredLife

InspiredLife, I am in the exact same boat as you are. I have tried everything to privately sync data between OS X and Android. I have resorted to buying OS X Server for this purpose only. But to no avail: nothing works without setting this CA flag. I had taken exactly the same steps that you have tried and have come up against the exact same issues. And I must say, this has become rather frustrating. This should be so simple, and we're so close, yet so far: neither Android nor OS X Server wants to take that last step.


Looks like I'll resort to running OwnCloud on a virtual machine or a Raspberry Pi box soon. But really, is this the length that we need to go through to do something so incredibly simple?


Any help from OS X Server / SSL geniuses will be more than welcome.

Apr 27, 2015 9:52 PM in response to jepping

Thank you for that jepping -- that was a very useful thread in order to understand more about SSL signing. Unfortunately no amount of self signed SSL wizardry seems to have helped me in this case.


I did come across some other useful resources. Mainly, a modified version of DAVdroid that allowed me to bypass the CA flag problem. The modified version (and the very lengthy discussion leading up to its creation) can be accessed here:

https://github.com/bitfireAT/davdroid/issues/3


Having been able to establish a connection to OS X from Android, I came up against another issue: the calendar/addressbook that was presented to me in the modified DAVdroid app at the time of account creation, did not result in any data being synced. Don't know exactly where things are going wrong at this stage of the process, but additional configuration steps might need to be taken, according to this link:

http://krypted.com/mac-security/configure-the-calendar-service-in-mac-os-x-yosemite-server/


All in all, trying to work this out has taken up far too much of my time already and I'm still not at a stage where I have things working. So, for now, I'm giving up and will just use a VM + OwnCloud to get done what I need done. I have one running already (and THAT took me all but 10 minutes).


It's very disappointing to see Apple/Google making things so hard for people to hang on to their own data. But oh well.

May 26, 2015 12:59 AM in response to iamcrocbait

I spent an extraordinary amount of time trying to figure this out, a month or so ago when I first posted. I eventually had to walk away, as I had other things to get done.


I am now back on the issue.


Is it really true that there is no way to create a self-signed SSL certificate that is CA flagged? Hard to believe.


Thank you iamcrocbait for sharing your experience. On the one hand it's nice to know it was not just some major oversight on my part that made this seemingly simple task become insurmountable. On the other hand, I wish it was just an oversight on my part, and you had found a way to do this. Darn. lol


With your virtual machine set up... would you mind relaying to me what it is you've put in place?


Thank you. Sigh.

May 26, 2015 10:27 AM in response to InspiredLife

While I am not very advanced when it comes to OS X Server, when I was dealing with certificates I figured it out to the point where everything works for me. Not sure if this is what you're looking for but check out these notes: http://securityspread.com/installing-setting-os-mavericks-server/certificates/


I have all services running on my self-created certificate this way.


Cheers.

Oct 6, 2015 10:46 AM in response to jayv.

Finally got a chance to further look into this. Thank you very much jayv. -- that is an astonishingly helpful link that you provided. A very detailed and easy walk through to make this CA magic happen. I have only set up the CA side of things at the moment, but OS X Server now shows up in Contacts and Calendar as an account option, so it should be all good. Thanks again and have a great day!

Oct 7, 2015 3:15 AM in response to InspiredLife

I am not sure of your problem.


Normally you create a self-signed rootCA certificate. This is normally not itself a server certificate; it is a rootCA certificate which you use to sign other certificates, including server certificates. You would therefore normally have at least two certificates: your self-signed rootCA and a server certificate signed by that rootCA certificate. I suppose it might be possible to generate a certificate that is both marked as a rootCA and a server certificate.


Again normally for Server.app you would then import the private key and matching server certificate and the self-signed rootCA certificate, it then knows to link them together. This works fine for me and all my Server.app services. As long as the self-signed rootCA certificate is then installed and trusted on client devices the server certificate is automatically trusted as well.


I find that the free XCA utility (written in Java), which acts as a front-end for OpenSSL, is a huge help in generating and managing certificates; for example, it makes adding Subject Alternative Names far, far easier than the traditional OpenSSL terminal manner, and this is also something Keychain Access is effectively unable to do at all. See http://sourceforge.net/projects/xca/


I have even used it successfully to generate my own code-signing certificate for Profile Manager.
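The two-certificate layout the reply above describes, and the CA:TRUE requirement the original question is chasing, can be reproduced from the command line with OpenSSL alone. The script below is an added example, not code from any post in this thread or from Apple: it builds a self-signed root CA that carries basicConstraints CA:TRUE (the certificate you would import and trust on Android), signs a separate server certificate with CA:FALSE and a Subject Alternative Name for the host, verifies the chain, and bundles key, server certificate and root into a PKCS#12 file of the kind Server.app's certificate manager imports. The hostname server.example.lan, the CA name "Example Home CA" and the export password are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Two-tier private PKI with OpenSSL: root CA (CA:TRUE) + server leaf (CA:FALSE).
# Example code added to this thread; hostnames, names and password are assumed.
set -eu

# build_pki DIR HOSTNAME
# Writes ca.key ca.crt server.key server.crt server.p12 into DIR.
build_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # --- Root CA: the only certificate that carries CA:TRUE. ---
    # pathlen:0 means it may sign end-entity certificates only, not sub-CAs.
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=Example Home CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -days 3650 -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # --- Server leaf: CA:FALSE, serverAuth, SAN matching what clients connect to. ---
    # Unquoted heredoc so $host is expanded into the SAN.
    cat > "$dir/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # --- Bundle for import: private key + leaf + issuing root in one PKCS#12. ---
    # Password is a placeholder; Server.app / Keychain prompts for it on import.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/ca.crt" -name "$host" \
        -passout pass:changeit -out "$dir/server.p12" 2>/dev/null
}

# is_ca CERT  -> exit 0 if the certificate's basicConstraints say CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# verify_chain DIR -> exit 0 if server.crt chains to ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# Stand-alone usage:  sh make_pki.sh ./pki server.example.lan
if [ "$#" -eq 2 ]; then
    build_pki "$1" "$2"
    is_ca "$1/ca.crt" && echo "ca.crt: CA:TRUE"
    is_ca "$1/server.crt" || echo "server.crt: CA:FALSE (as it should be)"
    verify_chain "$1" && echo "server.crt chains to ca.crt"
fi
```

What goes to each side: ca.crt (and only ca.crt) is what you install as a trusted CA on the Android device; server.p12 (key, leaf, root) is what you import into Server.app, which is the step that avoids the "cannot access the private key" error, since the key arrives together with the certificate instead of living in a different keychain. Two caveats a practitioner would want: inspect the result with `openssl x509 -in server.crt -noout -text` and confirm the SAN matches the name clients actually connect to, because Android ignores the Common Name; and if you generate the .p12 with OpenSSL 3.x for a 2015-era macOS, the default PBES2/AES encryption may not import into that Keychain, in which case add `-legacy` (OpenSSL 3 only) to the `pkcs12 -export` line.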
