Distributing a ca public certificate to clients, Deleting a certificate – Apple Mac OS X Server (Version 10.6 Snow Leopard) User Manual

For instructions on how to do this, see “Replacing an Existing Certificate” on page 71.

Distributing a CA Public Certificate to Clients

If you’re using self-signed certificates, a warning appears in most user applications
saying that the CA is not recognized. Other software, such as the LDAP client, refuses
to use SSL if the server’s CA is unknown.

Mac OS X Server ships only with certificates from well-known commercial CAs. To
prevent this warning, your CA certificate must be distributed to every client computer
that connects to the secure server.

To distribute your certificate to your clients:

1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.

Preferably distribute it on nonrewritable media, such as a CD-R, which prevents the
certificate from being corrupted.

2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate
was copied onto the client computer.

3 Drag the certificate to the System keychain using Keychain Access.

Authenticate as an administrator, if requested.

4 Double-click the certificate to get the certificate details.

5 In the details window, click the Trust disclosure triangle.

6 From the pop-up menu next to “When using this certificate,” select “Always Trust.”

You have now added trust to this certificate, regardless of who signed it.

From the command line
After copying the certificate to the target client computer, run the following command,
where <certificate> is the file path to the certificate:

sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>

You can use the security tool to save and restore trust settings as well. For more
information on using the security tool, see the security man page.

Deleting a Certificate

When a certificate has expired or been compromised, you must delete it.

To delete a certificate:

1 In Server Admin, select the server that has services that support SSL.

2 Click Certificates.

3 Select the Certificate Identity to delete.

4 Click the Remove (-) button and select Delete.

70 Chapter 4 Enhancing Security