Using a CA to Create a Certicate for Someone Else
You can use your CA certicate to issue a certicate to someone else. By doing so you
are stating you want to be a trusted party that can certify the identity of the certicate
holder.
Before you can create a certicate for someone, that person must generate a CSR. The
user can use the Certicate Assistant to generate the CSR and mail the request to you.
You then use the CSR’s text to make the certicate.
To create a certicate for someone else:
1 Start Keychain Access.
Keychain Access is found in the /Applications/Utilities/ directory.
2 In the Keychain Access menu, select Certicate Assistant > Create a Certicate for
Someone Else as a Certicate Signing Authority.
The Certicate Assistant starts, and guides you through the process of making the
certicate.
3 Drag the CSR and drop it on the target area.
4 Choose the CA that is the issuer and sign the request.
You can choose to override the request defaults.
5 Click Continue.
If you override the request defaults, provide the Certicate Assistant with the
requested information and click Continue.
The Certicate is now signed. The default mail application launches with the signed
certicate as an attachment.
Importing a Certicate Identity
You can import a previously generated OpenSSL certicate and private key into
Certicate Manager. The items are listed as available in the list of identities and are
available to SSL-enabled services.
The OpenSSL keys and certicates must be in PEM format.
To import an existing OpenSSL style certicate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certicates.
3 Click the Add (+) button and choose Import a Certicate Identity.
4 Drag the PEM le containing the private key to the sheet.
5 Drag the PEM le containing the public certicate to the sheet.
6 If needed, drag associated nonidentity certicates to the sheet as well.
68 Chapter 4 Enhancing Security
