When certificates and keys are imported via Certificate Manager, they are put in the
/etc/certificates/ directory. The directory contains four PEM-formatted files for every
identity:
• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some
  services)
The certificate and trust chain are owned by the root user and the wheel group, with
permissions set to 644. The public key and concatenation file are owned by the root
user and the certusers group, with permissions set to 640.
Each file has the following naming convention:
<common name>.<SHA1 hash of the certificate>.<cert | chain | concat | key>.pem
For example, the certificate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
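An added example, not part of the original manual: a Python check that audits a directory against the naming convention, ownership and permissions described above, and reports identities that lack one of the four files. The names parse_name and audit and the check_owner switch are hypothetical; the expected owners, groups and modes are taken only from the text.

```python
import grp, os, pwd, re, stat

# Owner, group and mode per file kind, as stated in the text above.
EXPECTED = {
    "cert": ("root", "wheel", 0o644),
    "chain": ("root", "wheel", 0o644),
    "key": ("root", "certusers", 0o640),
    "concat": ("root", "certusers", 0o640),
}
# <common name>.<SHA1 hash of the certificate>.<cert | chain | concat | key>.pem
NAME_RE = re.compile(
    r"^(?P<cn>.+)\.(?P<sha1>[0-9A-Fa-f]{40})\.(?P<kind>cert|chain|concat|key)\.pem$")

def parse_name(filename):
    """Split a file name into (common name, SHA1, kind), or None if malformed."""
    m = NAME_RE.match(filename)
    return (m["cn"], m["sha1"].upper(), m["kind"]) if m else None

def _name(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if unknown."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(directory="/etc/certificates", check_owner=True):
    """Return (file, problem) findings for one certificate directory."""
    findings, seen = [], {}
    for fname in sorted(os.listdir(directory)):
        parsed = parse_name(fname)
        if parsed is None:
            findings.append((fname, "name does not follow the convention"))
            continue
        cn, sha1, kind = parsed
        seen.setdefault((cn, sha1), set()).add(kind)
        st = os.stat(os.path.join(directory, fname))
        owner, group, mode = EXPECTED[kind]
        if stat.S_IMODE(st.st_mode) != mode:
            findings.append((fname, f"mode {stat.S_IMODE(st.st_mode):o}, expected {mode:o}"))
        actual = (_name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid))
        if check_owner and actual != (owner, group):
            findings.append((fname, f"owner {actual[0]}:{actual[1]}, expected {owner}:{group}"))
    # Every identity should have all four files.
    for (cn, sha1), kinds in sorted(seen.items()):
        for kind in sorted(set(EXPECTED) - kinds):
            findings.append((f"{cn}.{sha1}.{kind}.pem", "missing file for this identity"))
    return findings
```

Calling audit() with no arguments checks /etc/certificates/; an empty list means every file matches the layout described above.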
Readying Certificates
Before you can use SSL in Mac OS X Server’s services, you must create or import
certificates. You can create self-signed certificates, create certificates and then generate
a Certificate Signing Request (CSR) to send to a CA, or import certificates previously
created with OpenSSL.
If you have previously generated certificates for SSL, you can import them for use by
Mac OS X Server services. The OpenSSL keys and certificates must be in PEM format.
Select a CA to sign your certificate request. If you don’t have a CA to sign your request,
consider becoming your own CA and then import your CA certificates into the root
trust database of your managed machines.
When you set up Mac OS X Server, the Server Assistant creates a self-signed certificate
based on information you provided when it’s first installed. It can be used for any
service that supports SSL. When your clients choose to trust the certificate, SSL
connections can be used without user interaction from that point on.
This initial self-signed certificate is used by Server Admin and Server Preferences to
encrypt administrative functions.
64 Chapter 4 Enhancing Security