FlorianLeo

Q: OD and CA, issuing a Certificate

I'd like to show my experience with the Certificate Authority that comes with Open Directory once you configure/enable Open Directory (no matter if you do this through Server.app or via CLI with slapconfig -createldapmasterandadmin - I've tried both ways).


I did this with 2 VMs (El Capitan and Server 5)


After OD is operational I went to Keychain to see what had changed - and, yes, the certificates from the CA and the intermediateCA are in place - everything as expected. But just look at the screenshot - it's self-explanatory.

CA via regular administrator account.png

Hm - that doesn't look good! How would I be able to utilize the CA|intermediateCA? Well - try it, and see what happens.

Step 1 - use Certificate Assistant>Create a Certificate

Create Certificate via regular administrator account 1.png

Step 2 - nothing special here - just trying!

Create Certificate via regular administrator account 2.png

Step 3 - that's where the "Aha" popped out.

Create Certificate via regular administrator account 3.png

Step 4 - provide the credentials necessary to open the System-Keychain - usually from the administrator-account you logged into the computer with.

Create Certificate via regular administrator account 4.png

Step 5 - et voilà - there's the Certificate. That used to work in the past already.

Create Certificate via regular administrator account 5.png

Step 6 - export this certificate - and that used to fail.

Export Certficate 3.png

Step 7 - provide a password since you're going to export a certificate WITH a private key i.e. a p12-file.

Export Certificate 2.png

Step 8 - provide the password for the account you logged into the computer with.

Export Certificate 3.png

Once you hit Enter, the certificate, together with the keys, is exported.

Finally - I remember that this procedure used to fail.

I've tried to import this p12-file and it worked! Just make sure that the other machine has the CA-certificate, and the intermediateCA-certificate (preferably in the System-Keychain) installed, so the "trust-chain" is complete.

Posted on Feb 19, 2016 8:31 AM