Q: OD and CA, issuing a Certificate
I'd like to show my experience with the Certificate Authority that comes with Open Directory once you configure/enable Open Directory (no matter if you do this through Server.app or via CLI with slapconfig -createldapmasterandadmin - I've tried both ways).
I did this with 2 VMs (El Capitan and Server 5).
After OD is operational I went to Keychain Access to see what had changed - and, yes, certificates from the CA and the intermediateCA are in place - everything as expected. But just look at the screenshot - it's self-explanatory.
Hm - that doesn't look good! How would I be able to utilize the CA|intermediateCA? Well - try it, and see what happens.
Step 1 - use Certificate Assistant > Create a Certificate
Step 2 - nothing special here - just trying!
Step 3 - that's where the "Aha" popped out.
Step 4 - provide the credentials necessary to open the System keychain - usually from the administrator account you logged into the computer with.
Step 5 - et voilà - there's the certificate. That used to work in the past already.
Step 6 - export this certificate - and that used to fail.
Step 7 - provide a password since you're going to export a certificate WITH a private key i.e. a p12-file.
Step 8 - provide the password for the account you logged into the computer.
Once you hit Enter, the certificate, together with the keys, is exported.
Finally - I remember that this procedure used to fail.
I've tried to import this p12-file and it worked! Just make sure that the other machine has the CA-certificate, and the intermediateCA-certificate (preferably in the System-Keychain) installed, so the "trust-chain" is complete.
Posted on Feb 19, 2016 8:31 AM