Several keychains can hold certificates:
• SystemRootCertificates: This keychain holds root certificates that ship with
Mac OS X. The certificates already have trust given to them.
• System: This keychain holds certificates that the computer administrator can add. All
users on a given client can read from this keychain. The trust settings of a certificate
in this keychain can override those of a certificate in SystemRootCertificates.
• Any other keychain: This holds certificates for a given user and is only accessible to
that user. The trust settings of a certificate in this keychain can override those of a
certificate in SystemRootCertificates or System.
Trusted certificates can be in any of these locations, but to trust a certificate,
trust settings must be given explicitly to a certificate.
To configure clients to trust a certificate:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
This is preferably distributed using nonrewritable media, such as a CD-R. Using
nonrewritable media prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate
was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4 Double-click the certificate to get the certificate details.
5 In the details window, click the Trust disclosure triangle.
6 From the pop-up menu next to “When using this certificate,” select “Always Trust.”
You have now added trust to this certificate, regardless of who it is signed by.
From the command line
After copying the certificate to the target client computer, perform the following,
replacing <certificate> with the file path to the certificate:
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>
You can use the security tool to save and restore trust settings as well. For more
information on using the security command-line tool, see the security man page.
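The add-trusted-cert command trusts whatever file it is given, so a copied ca.crt can be checked against a fingerprint obtained out of band before trust is added. The script below is an added example, not part of the original manual: the function names normalize_fp, fp_matches, cert_fp and trust_ca are hypothetical, and it assumes an openssl build on the client that supports -sha256.

```shell
#!/bin/sh
# Added example: check the CA certificate's fingerprint before trusting it.
# Function names are hypothetical; only the security command is from the manual.

# Normalize a fingerprint: drop any "label=" prefix, colons and spaces; lowercase.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only if both values are the same complete SHA-256 digest (64 hex chars).
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        *[!0-9a-f]*|'') return 1 ;;   # empty or non-hex input never matches
    esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a certificate file, as printed by openssl.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Add trust with the command from the manual, but only after the check passes.
trust_ca() {
    cert=$1
    expected=$2
    actual=$(cert_fp "$cert") || { echo "cannot read $cert" >&2; return 2; }
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch, not trusting $cert" >&2
        return 1
    fi
    sudo /usr/bin/security add-trusted-cert -d \
        -k /Library/Keychains/System.keychain "$cert"
}

# Usage: sh trust-ca.sh ca.crt <fingerprint obtained out of band>
if [ "$#" -eq 2 ]; then
    trust_ca "$1" "$2"
fi
```

The expected fingerprint should come from the administrator who created the CA, through a channel other than the one that delivered ca.crt.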
Certificate Manager in Server Admin
Mac OS X Server’s Certificate Manager is integrated into Server Admin to help you
create, use, and maintain identities for SSL-enabled services.
62 Chapter 4 Enhancing Security