Creating my own Certificate Authority, signed certificates, and using these
I am stupid. Three years back, I created my own CA and my own wildcard certificate for my OS X Server (still 10.8.5 with Server 2.2.5). I install my public root CA on clients that make use of my server. As these need to be updated only rarely and the work is complex, I created a CA vault to work from, with a couple of scripts and an openssl configuration. What I forgot to do is document how to get these used by Server.app. Which is why I am stupid, as I now have difficulty reproducing what I did and found out three years ago.
I am using two scripts. (MYNAME, mydomain and tld are generic strings; in reality I am of course using my own name and mydomain.tld.)
The first is for creating a root CA:
#!/bin/bash
# Only edit these:
mycaname="MYNAME Certificate Authority"
myrootname=mydomaincaroot
# Run in current dir:
mydir=$(pwd)
mkdir RootCert >/dev/null 2>&1
# Only create a root when neither the key nor the certificate exists yet;
# if either one is present, a CA is already in use and must not be clobbered
if [ ! -e "$mydir"/RootCert/"$myrootname".key -a \
     ! -e "$mydir"/RootCert/"$myrootname".crt ]
then
    # Self-signed root certificate plus its private key, valid for ten years
    openssl req -config "$mydir"/openssl.cnf \
        -new -x509 \
        -keyout "$mydir"/RootCert/"$myrootname".key \
        -out "$mydir"/RootCert/"$myrootname".crt \
        -days 3650
    # Bundle key and certificate into one PKCS#12 file for Keychain import
    openssl pkcs12 -export \
        -inkey "$mydir"/RootCert/"$myrootname".key \
        -in "$mydir"/RootCert/"$myrootname".crt \
        -out "$mydir"/RootCert/"$myrootname".p12 \
        -name "$mycaname"
    echo "Now import $mydir/RootCert/$myrootname.p12 in Keychain"
    echo "For this, unlock the System keychain first, then import"
    echo "NOTE: this imports your private key into the System keychain"
    echo "so it can be used for signing activities."
    echo "This is less safe than keeping your private key on media that"
    echo "cannot be accessed from the system, like a safely stored USB stick"
else
    echo "Your root CA crt and key already exist! I will not overwrite them,"
    echo "as this could overwrite a private key that is still in use and lose you"
    echo "access to the certificates signed with it, e.g. for revoking them"
fi
And the one to create the signed *.mydomain.tld certificate is this:
#!/bin/bash
# Edit only this:
myrootname=mydomaincaroot # basename of your root CA files
mydomainname=mydomain.tld # basename of your domain cert files and of the wildcard
mydir=$(pwd)              # run in current directory
qdays=1095                # standard lifetime for a cert: 3 years
if [ -d RootCert -a -e RootCert/"$myrootname".key \
     -a -e RootCert/"$myrootname".crt ]
then
    mywildcardcertname=wildcard.$mydomainname.crt
    # openssl ca database: openssl.cnf must point dir to LeafCert, and
    # index.txt and serial have to exist before the first signing
    mkdir LeafCert LeafCert/newcerts LeafCert/certs LeafCert/crl RequestBackups >/dev/null 2>&1
    [ -e LeafCert/index.txt ] || touch LeafCert/index.txt
    [ -e LeafCert/serial ] || echo 01 > LeafCert/serial
    rm -f "$mydir"/"$mydomainname-req".*
    echo "***************"
    echo "* Creating certificate signing request. Enter *.$mydomainname for Common Name."
    echo "***************"
    echo
    sleep 1
    # Key and CSR. openssl req ignores -days unless -x509 is given, so the
    # lifetime is set below when the CA signs
    if openssl req -config "$mydir"/openssl.cnf -new \
        -keyout "$mydir"/"$mydomainname-req".key \
        -out "$mydir"/"$mydomainname-req".csr
    then
        # serial of the certificate about to be issued (ca increments it afterwards)
        myserial=$(cat LeafCert/serial)
        cat "$mydir"/"$mydomainname-req".key \
            "$mydir"/"$mydomainname-req".csr \
            > "$mydir"/"$mydomainname-req".pem
        if openssl ca -config "$mydir"/openssl.cnf \
            -policy policy_anything \
            -days "$qdays" \
            -cert "$mydir"/RootCert/"$myrootname".crt \
            -keyfile "$mydir"/RootCert/"$myrootname".key \
            -out "$mydir"/LeafCert/"$mydomainname".pem \
            -infiles "$mydir"/"$mydomainname-req".pem
        then
            mv -f "$mydir"/"$mydomainname-req".* "$mydir"/RequestBackups
            # plain PEM copy of the issued certificate
            openssl x509 -outform pem \
                -in LeafCert/newcerts/"$myserial".pem \
                -out LeafCert/certs/"$mywildcardcertname"
            # key + certificate together as one PKCS#12 identity
            openssl pkcs12 -export \
                -inkey "$mydir"/RequestBackups/"$mydomainname-req".key \
                -in "$mydir"/LeafCert/certs/"$mywildcardcertname" \
                -name "$mydomainname" \
                -out "$mydir"/RequestBackups/"$mydomainname".p12
        else
            echo "Signing $mydir/$mydomainname-req.pem failed"
        fi
    else
        echo "Creating $mydir/$mydomainname-req.pem failed"
    fi
else
    echo "Missing RootCert directory"
    echo "Directory RootCert and files RootCert/$myrootname.key and $myrootname.crt should exist"
fi
I end up with a couple of files:
./LeafCert/mydomain.tld.pem (last generated pem, identical to ./LeafCert/newcerts/<serialno>.pem)
./LeafCert/certs/wildcard.mydomain.tld.crt
The last one is my new signed-by-my-own-rootCA wildcard certificate. I have two questions.
- I forgot the next steps. How do I get this imported into Server.app? When I click Import and drop the .crt or .pem file onto it, it doesn't get recognized as a certificate, but as a "non-identity certificate". Apparently, three years ago I found out what I had to do, but forgot to write it down (stupid). I tried going via Keychain Access, but was unable to get the same result as what is in the keychain now (a trusted *.mydomain.tld certificate with private key).
- The certificates are still SHA-1 and in a while I'll have to upgrade to a newer OS X and Server version which I believe only accepts SHA-2. How do I change my procedure to get SHA-2 hashes?
Thanks in advance for any real guru that can help me out.
Mac mini, OS X Mountain Lion (10.8.5), OS X Server
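Two things the post's scripts already hint at, shown as an added shell example that is not the poster's code: a bare .crt or .pem is only a certificate, while Keychain Access and Server.app call a certificate plus its matching private key an "identity", which is exactly what the .p12 produced by `openssl pkcs12 -export` carries; and the signature digest is chosen at signing time, so `-sha256` on `openssl req -x509` (for the root) and on the signing step (for the leaf) is what moves a CA from SHA-1 to SHA-2. The example builds a SHA-256 root, a wildcard leaf with a subjectAltName (modern clients match hostnames against the SAN, not the CN), and a .p12 identity, then checks each result. MYNAME, mydomain.tld, the output directory and the .p12 password "changeit" are placeholders; it ships its own minimal openssl config so it does not depend on the poster's openssl.cnf, and it signs the leaf with `openssl x509 -req` instead of the `openssl ca` database used in the post.

```shell
#!/bin/sh
# Added example (not the original poster's scripts): SHA-256 root CA, wildcard
# leaf signed by it, PKCS#12 identity bundle, and checks on the results.
# MYNAME, mydomain.tld and the password "changeit" are placeholders.
# Needs only the openssl CLI (1.x or 3.x).
set -eu

# make_ca_and_wildcard DIR [DOMAIN] [P12PASS]
# Writes root.key/root.crt, wildcard.key/wildcard.crt and wildcard.p12 into DIR.
make_ca_and_wildcard() {
    dir=$1; domain=${2:-mydomain.tld}; p12pass=${3:-changeit}
    mkdir -p "$dir"
    # Self-contained config so nothing depends on the system openssl.cnf
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Root CA. -sha256 selects the signature digest; without it old
    #    OpenSSL builds default to SHA-1, which is the poster's situation.
    openssl req -config "$dir/openssl.cnf" -new -x509 -sha256 -nodes \
        -newkey rsa:2048 -days 3650 -extensions v3_ca \
        -subj "/O=MYNAME/CN=MYNAME Certificate Authority" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # 2. Leaf key and CSR. (openssl req ignores -days here; the lifetime is
    #    decided when the CA signs.)
    openssl req -config "$dir/openssl.cnf" -new -sha256 -nodes -newkey rsa:2048 \
        -subj "/O=MYNAME/CN=*.$domain" \
        -keyout "$dir/wildcard.key" -out "$dir/wildcard.csr" 2>/dev/null
    # 3. Sign with the root, SHA-256, 3 years, server extensions and a SAN
    #    that repeats the wildcard (hostname checks use the SAN, not the CN).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.%s,DNS:%s\n' \
        "$domain" "$domain" > "$dir/leaf.ext"
    openssl x509 -req -sha256 -days 1095 -in "$dir/wildcard.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/wildcard.crt" 2>/dev/null
    # 4. Identity bundle: private key + leaf + issuing root in one .p12.
    #    SHA1/3DES PBE and a SHA-1 MAC keep it readable by old Keychain versions.
    openssl pkcs12 -export -inkey "$dir/wildcard.key" -in "$dir/wildcard.crt" \
        -certfile "$dir/root.crt" -name "*.$domain" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$p12pass" -out "$dir/wildcard.p12"
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption
leaf_sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ {print $3; exit}'
}

# Exit 0 when LEAF ($2) chains to ROOT ($1)
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Number of private keys inside a .p12 (1 means it is a usable identity)
p12_private_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY'
}

# Stand-alone run: build everything under ./ca-example and report the checks
out=./ca-example
make_ca_and_wildcard "$out" mydomain.tld changeit
echo "leaf signature algorithm: $(leaf_sig_alg "$out/wildcard.crt")"
verify_chain "$out/root.crt" "$out/wildcard.crt" && echo "leaf verifies against root"
echo "private keys in wildcard.p12: $(p12_private_keys "$out/wildcard.p12" changeit)"
# On the Mac, the .p12 is the file to import into the System keychain (or via
# Server.app's certificate import); not run here:
#   sudo security import "$out/wildcard.p12" -k /Library/Keychains/System.keychain -f pkcs12 -P changeit
```

The root key written by this example is unencrypted (`-nodes`) so the run is non-interactive; for a real vault drop `-nodes` on the root step, or keep the key on offline media as the first script's message already recommends.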