
Creating my own Certificate Authority, signed certificates, and using these

I am stupid. Three years back, I created my own CA and my own wildcard certificate for my OS X Server (still 10.8.5 with Server 2.2.5). I install my public Root CA on clients that make use of my server. As these need to be updated not that often and the work is complex, I created a CA vault to work from with a couple of scripts and an openssl configuration. What I forgot is to document how to get these used by Server.app. Which is why I am stupid, as I have difficulty reproducing what I did and found out three years ago.


I am using two scripts. (MYNAME, mydomain and tld are generic strings, of course in reality I am using my own name and mydomain.tld)


The first is for creating a root CA:


#!/bin/bash

# Only edit these:
mycaname="MYNAME Certificate Authority"
myrootname=mydomaincaroot

# Run in current dir:
mydir=$(pwd)

mkdir RootCert >/dev/null 2>&1

# Create a new root only when the key or the certificate is missing;
# if both exist, refuse to touch them
if [ ! -e "$mydir"/RootCert/"$myrootname".key -o \
     ! -e "$mydir"/RootCert/"$myrootname".crt ]
then
    # Self-signed root certificate (10 years); names and digest come from openssl.cnf
    openssl req -config "$mydir"/openssl.cnf \
        -new -x509 \
        -keyout "$mydir"/RootCert/"$myrootname".key \
        -out "$mydir"/RootCert/"$myrootname".crt \
        -days 3650
    # Bundle key and certificate as PKCS#12 for import into Keychain Access
    openssl pkcs12 -export -clcerts \
        -inkey "$mydir"/RootCert/"$myrootname".key \
        -in "$mydir"/RootCert/"$myrootname".crt \
        -out "$mydir"/RootCert/"$myrootname".p12 \
        -name "$mycaname"

    echo "Now import $mydir/RootCert/$myrootname.p12 in KeyChain"
    echo "For this, unlock the System KeyChain first, then import"
    echo "NOTE: this imports your private key in the System Keychain"
    echo "So it can be used for signing activities."
    echo "This is less safe than keeping your private key on media that"
    echo "cannot be accessed from the system, like a safely stored USB stick"
else
    echo "Your root CA crt and key already exist! I will not overwrite this"
    echo "as this could overwrite a still used private key and lose you access"
    echo "to signed certificates, e.g. for revoking them"
fi


And the one to create the signed *.mydomain.tld certificate is this:


#!/bin/bash

# Edit only this:

myrootname=mydomaincaroot # basename of your rootca files
mydomainname=mydomain.tld # basename of your domain cert files and of the wildcard
mydir=$(pwd)              # run in current directory
qdays=1095                # standard lifetime for a cert: 3 years

if [ -d RootCert -a -e RootCert/"$myrootname".key \
     -a -e RootCert/"$myrootname".crt ]
then
    mywildcardcertname=wildcard.$mydomainname.crt

    # openssl.cnf is expected to point "openssl ca" (index.txt, serial,
    # new_certs_dir) at LeafCert/; RequestBackups keeps the used requests
    mkdir -p LeafCert/newcerts LeafCert/certs LeafCert/crl RequestBackups >/dev/null 2>&1
    rm -f "$mydir"/"$mydomainname-req".*

    echo "***************"
    echo "* Creating certificate signing request. Enter *.$mydomainname for Common Name."
    echo "***************"
    echo
    sleep 1
    # New key plus CSR for the wildcard; the lifetime is applied when signing below
    if openssl req -config "$mydir"/openssl.cnf -new \
           -keyout "$mydir"/"$mydomainname-req".key \
           -out "$mydir"/"$mydomainname-req".csr
    then
        # "openssl ca" names the new certificate after the current serial
        myserial=$(cat LeafCert/serial)
        cat "$mydir"/"$mydomainname-req".key \
            "$mydir"/"$mydomainname-req".csr \
            > "$mydir"/"$mydomainname-req".pem

        # Sign the request with the root CA; -days sets the 3-year lifetime
        if openssl ca -config "$mydir"/openssl.cnf \
               -policy policy_anything \
               -days "$qdays" \
               -cert "$mydir"/RootCert/"$myrootname".crt \
               -keyfile "$mydir"/RootCert/"$myrootname".key \
               -out "$mydir"/LeafCert/"$mydomainname".pem \
               -infiles "$mydir"/"$mydomainname-req".pem
        then
            mv -f "$mydir"/"$mydomainname-req".* "$mydir"/RequestBackups

            # Plain PEM copy of the signed certificate
            openssl x509 -outform pem \
                -in LeafCert/newcerts/"$myserial".pem \
                -out LeafCert/certs/"$mywildcardcertname"

            # PKCS#12 bundle of key and certificate for keychain import
            openssl pkcs12 -export \
                -inkey "$mydir"/RequestBackups/"$mydomainname-req".key \
                -in "$mydir"/LeafCert/certs/"$mywildcardcertname" \
                -name "$mydomainname" \
                -out "$mydir"/RequestBackups/"$mydomainname".p12
        else
            echo "Signing $mydir/$mydomainname-req.pem failed"
        fi
    else
        echo "Creating $mydir/$mydomainname-req.pem failed"
    fi
else
    echo "Missing RootCert directory"
    echo "Directory RootCert and files RootCert/$myrootname.key and $myrootname.crt should exist"
fi


I end up with a couple of files:

./LeafCert/mydomain.tld.pem (last generated pem, identical to ./LeafCert/newcerts/<serialno>.pem)

./LeafCert/certs/wildcard.mydomain.tld.crt


The last one is my new signed-by-my-own-rootCA wildcard certificate. I have two questions.

  1. I forgot the next steps. How do I get this imported in Server.app? When I click import and drop the .crt or .pem file it doesn't get recognized as a certificate, but as a non-identity certificate. Apparently, three years ago I found out what I had to do, but forgot to write it down (stupid). I tried going via KeychainAccess, but was unable to get the same result as what is in the keychain now (trusted *.mydomain.tld certificate with private key)
  2. The certificates are still SHA-1 and in a while I'll have to upgrade to a newer OS X and Server version which I believe only accepts SHA-2. How do I change my procedure to get SHA-2 hashes?


Thanks in advance for any real guru that can help me out.

Mac mini, OS X Mountain Lion (10.8.5), OS X Server

Posted on Mar 19, 2016 5:19 AM

5 replies
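The SHA-2 half of the question, worked through as an added example (my code, not the poster's scripts): a root CA and a *.example.test wildcard leaf, both signed with SHA-256, followed by a check of the signature algorithm. It assumes OpenSSL 1.1.1 or later with its stock openssl.cnf, and uses "openssl x509 -req" instead of "openssl ca" so that no serial, index.txt or CA section is needed; example.test and every name in it are made up.

```shell
#!/bin/sh
# Added example: SHA-256 signed root CA plus wildcard leaf, then a check.
set -eu

make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # -sha256 selects the signature digest.  The scripts above omit it, so they
    # inherit default_md from openssl.cnf, which is sha1 on old OpenSSL builds.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Wildcard request, CN=*.example.test as the second script asks for.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    # Clients match the SAN rather than the CN; CA:FALSE stops the leaf from
    # being usable to sign further certificates.
    printf '%s\n' "subjectAltName=DNS:*.example.test,DNS:example.test" \
        "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth" > "$dir/leaf.ext"
    # -sha256 here is the equivalent of "-md sha256" on "openssl ca", or of
    # default_md = sha256 in the [ ca ] section of openssl.cnf.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 1095 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Print a PEM certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Usage: sh make_pki.sh /path/to/workdir
if [ $# -gt 0 ]; then
    make_demo_pki "$1"
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt"
    echo "leaf signed with: $(sig_alg "$1/leaf.crt")"
fi
```

Running sig_alg on the certificates the scripts above produce is the quickest way to confirm whether they still carry sha1WithRSAEncryption.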

Mar 20, 2016 3:23 AM in response to Gerben Wierda

I guess that I know what needs to be done (but advice is still welcome). I have to add the wildcard identity certificate to the System Keychain, after which I can use it in Server.app.


I run into another problem now: when I enter the certificate into the System Keychain, it ends up in /etc/certificates without a .key.pem file. See: OS X 10.8.5 Server 2.2.5/Keychain Access certificates question for details.


Help is still very welcome.

Mar 21, 2016 7:26 AM in response to Gerben Wierda

  • All your computers (both servers and clients) need a copy of your self-signed rootCA public certificate, but not the private key for that certificate
  • Only your servers need the server certificate (in this case your wildcard certificate) and the private key for that wildcard certificate
  • Your clients do not need to have a copy of the public (wildcard) certificate


When you add the server certificate and private key and public copy of your self-signed rootCA to your server via Server.app it will automatically copy them to the server's System keychain and /etc/certificates.


While I do not use a self-signed wildcard certificate (see below), I add them as three individual files: the server certificate, the server's matching private key and the self-signed rootCA, and everything including the entries in /etc/certificates is all OK.


Note: It is highly unusual and both not necessary and perhaps undesirable to have a self-signed wildcard certificate used by all your servers. It means if it gets compromised all your servers need to be re-certificated. The main reason for using a wildcard certificate is probably cost and as you are using 'free' self-signed certificates that does not apply.


For what it's worth, I use the free XCA tool to create and manage my certificates. It is far more pleasant than doing OpenSSL via the command line, even with scripts, and can make doing things like Subject Alternative Names much easier.

Mar 21, 2016 5:42 AM in response to Gerben Wierda

Thanks John for answering.


I am well aware of your three points.


When you add the server certificate and private key and public copy of your self-signed rootCA to your server via Server.app it will automatically copy them to the servers System keychain and /etc/certificates.


When I did this in 2013, I recall it as follows:

- After creating the wildcard certificate with the above script, I had to add this to the System Keychain. As a result, 4 files ended up in /etc/certificates:

*.rna.nl.A10E0E1DDF1AC21C0C6E338BFF25349D82A1CC75.cert.pem

*.rna.nl.A10E0E1DDF1AC21C0C6E338BFF25349D82A1CC75.chain.pem

*.rna.nl.A10E0E1DDF1AC21C0C6E338BFF25349D82A1CC75.concat.pem

*.rna.nl.A10E0E1DDF1AC21C0C6E338BFF25349D82A1CC75.key.pem

- Then I could select this certificate in Server.app to secure my services.


The problem I now seem to have is with Apple's Keychain setup. If I add the new wildcard certificate to the System Keychain with Keychain Access, I only get three files; the .key.pem file is missing (which is rather essential to secure the service).


Alternatively, I could try to add the wildcard certificate via Server.app's popup panel as you say:

When you add the server certificate and private key and public copy of your self-signed rootCA to your server via Server.app it will automatically copy them to the servers System keychain and /etc/certificates.

But this panel refuses to accept the certificate. It is not recognised as an identity certificate. I would have to get it accepted as an identity certificate and add the key, but so far Server.app has thwarted me.

What really bugs me is that I got around this in 2013. Maybe some updates after that period have changed OS X 10.8.5 / Server 2.2.5, but I need to get around.


BTW, one reason I am using a wildcard certificate is that for the internal approaches (I'm running a split DNS) the different domains are all hosted on the same machine and it is sometimes rather unpredictable for me which machine is reported. So, if the outside world addresses the mail server as foo.mydomain.tld the internal clients will access the same server also as foo.mydomain.tld but the IP address might reverse-resolve to bar.mydomain.tld. I forget the different scenarios but in 2013 I went for a wildcard certificate and that made life very easy.

Mar 21, 2016 7:26 AM in response to Gerben Wierda

As I mentioned you add the certificates via Server.app and it adds them to your System keychain. You do not add them to the System keychain and then hope it adds them correctly to /etc/certificates.


  • Launch Server.app
  • Click on Certificates on the left
  • Click on the + symbol at the bottom
  • Select 'Import a Certificate Identity…'
  • Drag the three individual files in to the window


Before you try doing this again make sure to remove the current broken entries from Server.app and/or System keychain. This should also remove them from /etc/certificates.


I had two .crt files, one for the self-signed rootCA, one for the server certificate, and one .pem file which is the private key to match the server certificate. (In your case to match the wildcard certificate.)

Mar 21, 2016 7:25 AM in response to John Lockwood

I found the problem. I indeed had to go via the Server.app "Import an Identity" panel (as you said). But there is still a snag: if you add the identity certificate first, the certificate gets added as non-identity (third slot). But if I first add the key, and then the identity, the identity certificate is recognised as such. This was the missing piece of information (and rather unexpected, I must say: why should the panel behave differently depending on the order you drop things on it, and why then is it (counterintuitively) the second item you must drop first for it to work?).


Some other things I noticed:

- After doing it key-first, Server.app not only added the certificate, but it also immediately replaced it for the services for which it was in use (e.g. it adapted /Library/Server/Mail/Config/postfix/main.cf). It was apparently smart enough to recognise that it was a newer certificate for the same identity and took action.

- As a result of the import, the 4 files of the previous identity disappeared from /etc/certificates/

- I tested adding the .p12 file (which contains both certificate and key), but Server balks at that. Keychain Access also balks on it as it is unable to decrypt it for some reason. I am quite certain that I had to do that in 2013 (as there now is no reason anymore to produce it)

- I tested adding both the .crt file (x509) and the .pem file for the certificate, but with the .pem file it failed. It seemed that the certificate was added and Server.app did not complain and showed it, but it was added as an extra to /etc/certificates without the key file (again) and the services were not reconfigured.

- Keychain.app and Server.app both list the old and the new identity. So Server.app adds it to /etc/certificates and the System Keychain


In short, the missing information was: if you add the certificate and its key via the "Import" panel of Server.app, first add the key.
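The symptom that took the thread to solve was a .key.pem missing from the four files Server.app writes per identity. The following check, an added example that is not from the thread, verifies one installed identity: all four files present, key matching certificate, certificate verifying against chain.pem, and the signature digest reported. PREFIX is assumed to be the path up to the hash (e.g. "/etc/certificates/*.mydomain.tld.<SHA-1>"), with PREFIX.cert.pem the leaf, PREFIX.key.pem its private key, PREFIX.chain.pem the issuing CA certificates and PREFIX.concat.pem the cert plus key bundle; those roles are my assumption from the file names listed above.

```shell
#!/bin/sh
# Added example: consistency check of one Server.app identity in /etc/certificates.
check_identity() {
    prefix=$1
    # A missing .key.pem is exactly the failure described in the thread.
    for ext in cert key chain concat; do
        if [ ! -s "$prefix.$ext.pem" ]; then
            echo "missing: $prefix.$ext.pem" >&2
            return 1
        fi
    done
    # The private key must carry the same public key as the certificate.
    if [ "$(openssl x509 -in "$prefix.cert.pem" -pubkey -noout)" != \
         "$(openssl pkey -in "$prefix.key.pem" -pubout 2>/dev/null)" ]; then
        echo "key.pem does not match cert.pem" >&2
        return 1
    fi
    # The leaf must verify against the CA certificates stored beside it
    # (assumed to be what chain.pem holds).
    if ! openssl verify -CAfile "$prefix.chain.pem" "$prefix.cert.pem" >/dev/null 2>&1; then
        echo "cert.pem does not verify against chain.pem" >&2
        return 1
    fi
    # Report the signature digest; a sha1 result is the SHA-2 migration still to do.
    alg=$(openssl x509 -in "$prefix.cert.pem" -noout -text \
          | awk '/Signature Algorithm/ { print $3; exit }')
    case $alg in
        sha1*) echo "warning: $prefix still carries a $alg signature" >&2 ;;
    esac
    echo "$prefix: OK ($alg)"
}

# Usage: sh check_identity.sh '/etc/certificates/*.mydomain.tld.<HASH>'
if [ $# -gt 0 ]; then
    check_identity "$1"
fi
```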
