Chapter 4 Enhancing Security 69
7 Click the Import button.
If prompted, enter the private key passphrase.
Managing Certificates
After you create and sign a certificate, you won't do much more with it. Because a
certificate cannot be edited, the only operations left after it is created are to delete it,
replace it, or revoke it. You cannot change a certificate after a CA signs it.
If the information a certificate carries (such as contact information) is no longer
accurate, or if you believe the private key is compromised, delete the certificate. Deleting
it only removes it from this server; if a CA signed it, also have the CA revoke it, since
relying parties continue to trust the certificate until it is revoked or expires.
If you have previously generated certificates for SSL, you can import them for use by
services. The OpenSSL keys and certificates must be in PEM format.
If you chose custom locations for your SSL certificates with Leopard Server, you must
import them into Certificate Manager if you want them to be available for services.
Custom filesystem locations for certificates cannot be managed for services using
Server Admin for Mac OS X Server v10.6. To use custom file locations, you must edit the
configuration files directly.
When certificates and keys are imported via Certificate Manager, they are put in the
/etc/certificates/ directory. The directory contains four PEM formatted files for every
identity:
• The certificate
• The private key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some
services)
Each file has the following naming convention:
<common name>.<SHA1 hash of the certificate>.<cert | chain | concat | key>.pem
For example, the certificate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
After they are imported, Certificate Manager encrypts the private key file with a random
passphrase. It puts the passphrase in the System keychain, and puts the resulting PEM
files in /etc/certificates/. A service that reads the key directly therefore needs access to
that keychain item, and the key file itself is not usable on another host without it.
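The naming convention above is easy to audit by hand for one identity and tedious for a directory full of them. The following is an added example, not code from the guide or from Apple: it derives the expected four filenames for an identity from its PEM certificate and checks a directory listing for identities that are missing one of the four files. It assumes that the 40 hex digits in the name are the SHA-1 fingerprint of the DER-encoded certificate (the value `openssl x509 -noout -fingerprint -sha1 -in file.pem` prints, without the colons); the sample PEM blob and listing below are constructed for the example and are not real certificates.

```python
"""Derive and audit /etc/certificates/ file names (added example, not Apple code)."""
import base64
import hashlib
import re
from collections import defaultdict

# The four files Certificate Manager writes per identity.
KINDS = ("cert", "key", "chain", "concat")

# <common name>.<40 hex SHA-1>.<cert|chain|concat|key>.pem
NAME_RE = re.compile(
    r"^(?P<cn>.+)\.(?P<sha1>[0-9A-F]{40})\.(?P<kind>cert|chain|concat|key)\.pem$"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armor and base64-decode the first PEM body."""
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
            continue
        if line.startswith("-----END "):
            break
        if inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM body found")
    return base64.b64decode("".join(body), validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding, upper-case hex (assumed to match the file name)."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def identity_filenames(common_name: str, pem: str) -> dict:
    """Return {kind: filename} for the four files this identity should have."""
    fp = sha1_fingerprint(pem)
    return {kind: f"{common_name}.{fp}.{kind}.pem" for kind in KINDS}


def audit_listing(filenames):
    """Group a directory listing by identity; report missing kinds and odd names."""
    seen = defaultdict(set)
    unrecognised = []
    for name in filenames:
        m = NAME_RE.match(name)
        if not m:
            unrecognised.append(name)
            continue
        seen[(m["cn"], m["sha1"])].add(m["kind"])
    missing = {ident: sorted(set(KINDS) - kinds) for ident, kinds in seen.items()}
    return missing, unrecognised


# Constructed stand-in for a certificate: the "DER" body is just the bytes b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed listing: the guide's example cert file plus a complete second identity.
SAMPLE_LISTING = [
    "www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem",
    "mail.example.com.0123456789ABCDEF0123456789ABCDEF01234567.cert.pem",
    "mail.example.com.0123456789ABCDEF0123456789ABCDEF01234567.key.pem",
    "mail.example.com.0123456789ABCDEF0123456789ABCDEF01234567.chain.pem",
    "mail.example.com.0123456789ABCDEF0123456789ABCDEF01234567.concat.pem",
    "README.txt",
]

if __name__ == "__main__":
    for kind, name in identity_filenames("www.example.com", SAMPLE_PEM).items():
        print(kind, name)
    missing, odd = audit_listing(SAMPLE_LISTING)
    for ident, kinds in missing.items():
        if kinds:
            print("incomplete identity", ident, "missing", kinds)
    print("unrecognised entries:", odd)
```

Run it against `os.listdir("/etc/certificates")` on a real server to spot identities whose key or chain file was removed by hand; a `cert.pem` without its `key.pem` is exactly the state that makes a service fail to start after an SSL change.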
Editing a Certificate
After a certificate is signed, you can't edit it. You must replace it with a new certificate
generated from the same private key; the new one gets a new SHA-1 fingerprint and so a
new set of files in /etc/certificates/.