How to Use Signed SSL Certificates in OS X Server 10.5 | Netmojo Systems


Signed SSL Certificates in OS X Server 10.5

Posted on Saturday, December 4th, 2010 at 16:34 MST by Brent Kearney

Using signed SSL certificates in Mac OS X Server 10.5 is a bit of a black art. In this article I describe how it’s done. Some services, such as the web service, work fine with signed certificates by default. However, the iChat (jabber), iCal (caldav), Mail (postfix/cyrus), and possibly other services do not work properly without some additional work on the command line (“Terminal”).

The problem in OS X Server 10.5 is that the Server Admin app leaves the private keys encrypted (so the services cannot load them), and points some services at a certificate file that doesn’t work for that service. The result is that those services fail to accept connections over SSL.

I will describe how to fix the Mail, iChat and iCal services. The solution is basically the same for them all: decrypt the private key and replace the encrypted version in the combined certificate-key file, then update the service’s settings to use the proper certificate.

1. Import the Signed SSL Certificates

The first step is to import your signed certificates into the Server Admin -> Certificates area, which adds them to the System.keychain and adds some files to /etc/certificates. This step could probably be skipped by the adventurous, but I don’t recommend it. When you import the certificates with Server Admin you will be able to use Server Admin to configure the services to use your new signed certificates, which makes life easier, even though those services will need some slight tweaking before they work with SSL.

When importing, avoid these pitfalls: after you delete an existing certificate, be sure to click the Save button. Importing a certificate of the same name as a previously deleted certificate (if you haven’t clicked Save) will cause an uninformative error message. After you add, delete or import any certs, hit Save. When you’re done working in the Certificates area, quit Server Admin and restart it, because the other sections do not refresh the certificate drop-downs without restarting the app.

2. Setting up Mail Server with Signed SSL Certificates

  1. In Server Admin, go to Mail -> Settings -> Advanced and choose the signed certificates that you want to use for mail from the drop-down menus. Save, restart mail.
  2. You will likely see errors like this in /var/log/mail.log:

    Dec 2 16:56:35 macserver postfix/smtpd[1557]: warning: TLS library problem: 1557:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:

    And ones like this in /var/log/mailaccess.log:

    Dec 2 21:54:32 macserver imaps[28863]: TLS server engine: cannot load CA data
    Dec 2 21:54:32 macserver imaps[28863]: imaps TLS negotiation failed: [123.456.789.123]

    This is because by default the private key is encrypted. This is a problem for both SMTP (Postfix) and POP/IMAP (Cyrus) services.
  3. Open Terminal or SSH to the server or however you like to do it. You’ll need the password for the private key to decrypt it. In my case, the signed certificate for the mail service is named “mail.netmojo.ca*” — adjust as appropriate for the names that you choose.
    $ cd /etc/certificates
    $ ls -l mail*
    -rw-r--r-- 1 root wheel 1744 Dec 3 20:50 mail.netmojo.ca.chcrt
    -rw------- 1 root wheel 1598 Dec 3 22:16 mail.netmojo.ca.crt
    -rw-r----- 1 root certusers 2485 Dec 3 22:28 mail.netmojo.ca.crtkey
    -rw-r----- 1 root certusers 887 Dec 3 22:15 mail.netmojo.ca.key
    $ sudo -s
    # openssl rsa -in mail.netmojo.ca.key -out mail.netmojo.ca.key.decrypted
    [enter mail certificate private key password]
    # chown root:certusers mail.netmojo.ca.key.decrypted
    # chmod 640 mail.netmojo.ca.key.decrypted

    A decrypted version of the private key is now in mail.netmojo.ca.key.decrypted.

  4. Replace the encrypted key in the .crtkey file with the decrypted version.
    # mv mail.netmojo.ca.crtkey mail.netmojo.ca.crtkey.org
    # cat mail.netmojo.ca.crt mail.netmojo.ca.key.decrypted >> mail.netmojo.ca.crtkey
    # chown root:certusers mail.netmojo.ca.crtkey
    # chmod 640 mail.netmojo.ca.crtkey
  5. Now update the SMTP configuration to use the decrypted private key. The default IMAP configuration doesn’t need to be changed, because the .crtkey file now contains the decrypted private key instead of the encrypted version.
    # serveradmin settings mail | grep postfix | grep key
    . . .
    mail:postfix:smtpd_tls_key_file = "/etc/certificates/mail.netmojo.ca.key"
    . . .
    # serveradmin set mail:postfix:smtpd_tls_key_file = "/etc/certificates/mail.netmojo.ca.key.decrypted"
    # serveradmin stop mail
    # serveradmin status mail
    [ wait until it's actually stopped ]
    # serveradmin start mail

    SMTP and POP/IMAP over SSL should work now.
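As an added example (not from the original article), the following POSIX shell script checks a .crtkey bundle for the defect this section describes, an encrypted private key or a key block not preceded by the certificate, and rebuilds the bundle from NAME.crt and NAME.key.decrypted the way the mv/cat/chmod commands above do; the same check applies to the ichat and ical bundles in the next two sections. The PEM fixtures it writes are constructed placeholders, and the chown to root:certusers is left to the administrator so the script runs without root.

```shell
# Checks a serveradmin-style .crtkey bundle for the failure described above
# (private key still encrypted, or key not preceded by the certificate) and
# rebuilds it from NAME.crt + NAME.key.decrypted. Needs only POSIX tools.

crtkey_check() {
    f=$1
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "$f: no certificate block"; return 1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "$f: no private key block"; return 1
    fi
    # Traditional PEM flags encryption with a Proc-Type header, PKCS#8 with a
    # distinct BEGIN line; either is what postfix/cyrus/jabberd refuse to load.
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$f" \
       || grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "$f: private key is still encrypted"; return 1
    fi
    cert_line=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -1 | cut -d: -f1)
    key_line=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | head -1 | cut -d: -f1)
    if [ "$cert_line" -gt "$key_line" ]; then
        echo "$f: key block comes before the certificate"; return 1
    fi
    echo "$f: ok"
}

# Same steps as the article's mv/cat/chmod sequence, parameterised by
# directory and certificate name; chown root:certusers is left to the admin.
crtkey_rebuild() {
    dir=$1; name=$2
    [ -f "$dir/$name.crt" ] && [ -f "$dir/$name.key.decrypted" ] || return 1
    [ -f "$dir/$name.crtkey" ] && mv "$dir/$name.crtkey" "$dir/$name.crtkey.org"
    cat "$dir/$name.crt" "$dir/$name.key.decrypted" > "$dir/$name.crtkey"
    chmod 640 "$dir/$name.crtkey"
    crtkey_check "$dir/$name.crtkey"
}

# Constructed fixtures (placeholder PEM text, not real key material) so the
# script runs stand-alone; mail.crtkey is what Server Admin leaves behind.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/mail.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/mail.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/mail.key.decrypted"
cat "$SAMPLE_DIR/mail.crt" "$SAMPLE_DIR/mail.key" > "$SAMPLE_DIR/mail.crtkey"
```

Run crtkey_check against /etc/certificates/NAME.crtkey before restarting a service to confirm the bundle now holds the decrypted key.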

3. Setting up iChat Server with Signed SSL Certificates

The process here is essentially the same as above, only for the ichat certificates and the iChat (Jabber) service.

  1. Go to Server Admin -> iChat -> Settings and select your new certificate from the “SSL Certificate” drop-down menu. Click Save, and restart iChat. You will probably see one or all of these in your “iChat Service Log” (/var/log/system.log):

    Dec 3 21:09:15 macserver jabberd/router[42892]: [127.0.0.1, port=56551] error: SSL handshake error (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
    Dec 3 21:17:32 macserver jabberd/c2s[46333]: failed to load local SSL pemfile, SSL will not be available to clients
    Dec 3 21:17:32 macserver jabberd/c2s[46333]: failed to load router SSL pemfile, channel to router will not be SSL encrypted

    And you won’t be able to connect with a client using SSL (but you will without SSL).
  2. Next, you need to decrypt the private key. You will need the private key password for your iChat certificate. SSH to the server or open Terminal on the server.
    $ cd /etc/certificates
    $ ls -l ichat*
    -rw-r--r-- 1 root wheel 1744 Dec 3 20:50 ichat.netmojo.ca.chcrt
    -rw------- 1 root wheel 1598 Dec 3 22:16 ichat.netmojo.ca.crt
    -rw-r--r-- 1 root certusers 2485 Dec 3 22:28 ichat.netmojo.ca.crtkey
    -rw-r----- 1 root certusers 887 Dec 3 22:15 ichat.netmojo.ca.key

    $ sudo -s
    # openssl rsa -in ichat.netmojo.ca.key -out ichat.netmojo.ca.key.decrypted
    [enter ichat certificate private key password]
    # chown root:certusers ichat.netmojo.ca.key.decrypted
    # chmod 640 ichat.netmojo.ca.key.decrypted

    A decrypted version of the private key is now in ichat.netmojo.ca.key.decrypted.

  3. Replace the encrypted key in the .crtkey file with the decrypted version.
    # mv ichat.netmojo.ca.crtkey ichat.netmojo.ca.crtkey.org
    # cat ichat.netmojo.ca.crt ichat.netmojo.ca.key.decrypted >> ichat.netmojo.ca.crtkey
    # chown root:certusers ichat.netmojo.ca.crtkey
    # chmod 640 ichat.netmojo.ca.crtkey
  4. Next you need to adjust a setting in the Jabber configuration:
    # serveradmin settings jabber | grep ssl
    jabber:sslCAFile = "/etc/certificates/ichat.netmojo.ca.chcrt"
    jabber:sslKeyFile = "/etc/certificates/ichat.netmojo.ca.crtkey"

    I’m not sure why, but Jabber doesn’t work with the chcrt (certificate chain) file as the CA; instead it needs the plain crt file.

    # serveradmin set jabber:sslCAFile = "/etc/certificates/ichat.netmojo.ca.crt"
    # serveradmin stop jabber
    # serveradmin status jabber
    [ wait for it to actually stop ]
    # serveradmin start jabber

    iChat over SSL should work now.

4. Setting up iCal Server with Signed SSL Certificates

The iCal service requires the same treatment as the iChat service: decrypt the private key, replace the encrypted key in the .crtkey file, then update the CA setting to use the .crt file instead of the .chcrt file.

  1. Go to Server Admin -> iCal -> Settings and select your new certificate from the “SSL Certificate” drop-down menu. Click Save, and restart iCal. You will probably see this in your “iCal Service Log” (/var/log/caldav/error.log):

    2010-12-03 23:10:16-0700 [-] [caldav-8010] [-] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]

    And you won’t be able to connect with a client using SSL (but you will without SSL).
  2. Instead of copying & pasting the private key decryption process again, I trust that you can do the same thing as in steps 2 and 3 of the iChat section above, only with the ical certificate.
  3. Once you have a decrypted private key in your ical .crtkey file, which I named ical.netmojo.ca.crtkey, then you need to update the calendar service settings:
    # serveradmin settings calendar | grep -i ssl
    . . .
    calendar:SSLPrivateKey = "/etc/certificates/ical.netmojo.ca.crtkey"
    calendar:SSLCertificate = "/etc/certificates/ical.netmojo.ca.crt"
    calendar:SSLAuthorityChain = "/etc/certificates/ical.netmojo.ca.chcrt"
    . . .
    # serveradmin set calendar:SSLAuthorityChain = "/etc/certificates/ical.netmojo.ca.crt"
    # serveradmin stop calendar
    # serveradmin status calendar
    [ wait for it to actually stop ]
    # serveradmin start calendar

    iCal over SSL should work now.

I welcome any comments or questions you may have.

4 Responses to “Signed SSL Certificates in OS X Server 10.5”

  1. Brent Kearney Says:

    By the way, if you are looking for a tutorial on setting up your own signing authority (CA) to sign your own certificates, this old guide on AFP.com is still applicable:

    http://www.afp548.com/article.php?story=20040722080720854

    The X509Anchors keychain is no longer used, however. You can distribute your CA to clients over the network, and use the new “security” command to install it in their System.keychain in a trusted state:

    sudo security add-trusted-cert -k "/Library/Keychains/System.keychain" -d MyCAfile.crt
  2. peet1 Says:

    Big, Big, Big thanks.

    Peet

  3. Tommy L Says:

    Nothing will ever be 100% secure.

  4. Brent Says:

    10.6 (Snow Leopard) Server is much, much easier to set up with self-signed certificates. Here’s how:

    1. Import your CA private key in Server Admin -> Certificates.

    2. Open Keychain Access -> System keychains, and change the Trust level to Always Trust.

    3. Import your signed certificates + their private keys in Server Admin -> Certificates.

    4. Select the certificate you want for each service in their respective settings panels.

    Big improvement, Apple!