Chapter 4 Enhancing Security 65
Creating a Self-Signed Certificate
A self-signed certificate is generated at server setup. Although it is available for use,
you may want to customize the information in the certificate, so you would create a
new self-signed certificate. This is especially important if you plan on having a CA sign
your certificate.
When you create a self-signed certificate, Certificate Manager creates a private–public
key pair in the System keychain with the key size specified (512 - 2048 bits). It then
creates the corresponding self-signed certificate.
If you’re using a self-signed certificate, consider using an intermediate trust for it and
import the certificate into the System keychain on all client computers (if you have
control of the computers). For more information about using intermediate trust,
see “About Intermediate Trust” on page 61.
To create a self-signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Create a Certificate Identity.
Certificate Assistant launches, populated with information needed to generate the
certificate.
4 To override the defaults, choose “Let me override defaults” and follow the onscreen
instructions.
5 When finished, click Continue.
6 Confirm the certificate creation by clicking Continue.
The Certificate Assistant generates a key pair and certificate. Certificate Manager
encrypts the files with a random passphrase, puts the passphrase in the System
keychain, and puts the resulting PEM files in /etc/certificates/.
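Because the key size can be set as low as 512 bits, it is worth checking the PEM certificates that end up in /etc/certificates/. The script below is an added example, not part of the original guide or of Apple's tools: it reports each certificate's key size and whether its subject and issuer names match (it does not verify the signature). It assumes the openssl command-line tool is installed; the 2048-bit threshold in the usage line and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example: audit PEM certificates for key size and self-issued status.
# Assumes the openssl CLI; function names and thresholds are illustrative.

# cert_bits FILE -> prints the public key size in bits
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_self_issued FILE -> exit 0 when subject and issuer are the same name
cert_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ]
}

# audit_cert FILE MIN_BITS -> prints one report line; exit 1 if key is too small
audit_cert() {
    bits=$(cert_bits "$1")
    if cert_self_issued "$1"; then kind="self-issued"; else kind="ca-issued"; fi
    if [ -n "$bits" ] && [ "$bits" -ge "$2" ]; then
        echo "OK   $1 $bits bits $kind"
    else
        echo "WEAK $1 ${bits:-unknown} bits $kind"
        return 1
    fi
}

# audit_dir DIR MIN_BITS -> audits every certificate PEM in DIR; exit 1 if any is weak
audit_dir() {
    rc=0
    for f in "$1"/*.pem; do
        # Skip private key files and unmatched globs; only certificates are audited.
        grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null || continue
        audit_cert "$f" "$2" || rc=1
    done
    return $rc
}

# make_sample DIR -> writes a constructed 2048-bit self-signed test certificate
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.example" \
        -keyout "$1/sample.key.pem" -out "$1/sample.cert.pem" 2>/dev/null
}

# Usage: sh audit.sh /etc/certificates 2048
if [ "$#" -eq 2 ]; then audit_dir "$1" "$2"; fi
```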
Requesting a Certificate from a Certificate Authority
Certificate Manager helps you create a CSR to send to your designated CA.
You need a certificate for the CA to sign. You can use the one that was generated at
server setup, but more likely you will want to generate one that has all the details
the CA requires before signing. If you need to generate a certificate before getting it
signed, see “Creating a Self-Signed Certificate” on page 65.
To request a signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Select the certificate you want signed.