For instructions on how to do this, see “Replacing an Existing Certificate” on page 71.
Distributing a CA Public Certificate to Clients
If you’re using self-signed certificates, a warning appears in most user applications
saying that the CA is not recognized. Other software, such as the LDAP client, refuses
to use SSL if the server’s CA is unknown.
Mac OS X Server ships only with certificates from well-known commercial CAs. To
prevent this warning, your CA certificate must be distributed to every client computer
that connects to the secure server.
To distribute your certificate to your clients:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
Preferably, distribute it using nonrewritable media, such as a CD-R. Using
nonrewritable media prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate
was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4 Double-click the certificate to get the certificate details.
5 In the details window, click the Trust disclosure triangle.
6 From the pop-up menu next to “When using this certificate,” select “Always Trust.”
You have now added trust to this certificate, regardless of who it is signed by.
From the command line
After copying the certificate to the target client computer, run the following
command, where <certificate> is the file path to the certificate:
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>
You can use the security tool to save and restore trust settings as well. For more
information on using the security tool, see the security man page.
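Because the command above makes the client trust the CA for every connection, it is worth confirming that the copied file is the one the administrator issued before adding it. The following is an added example, not part of the original guide: it assumes the administrator publishes the SHA-256 digest of ca.crt through a separate channel, and the function names file_sha256 and trust_ca_if_match are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): check a copied CA certificate
# file against a digest obtained out-of-band before adding it as trusted.

# Print the SHA-256 digest (lowercase hex) of a file with whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# trust_ca_if_match <certificate> <expected-sha256>
# Returns 0 after adding trust, 1 on digest mismatch, 2 on a usage or file error.
trust_ca_if_match() {
    cert=$1
    # Accept digests written in uppercase or with ':' or space separators.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ': ')
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    [ -n "$expected" ] || { echo "no expected digest given" >&2; return 2; }

    actual=$(file_sha256 "$cert")
    if [ "$actual" != "$expected" ]; then
        # A corrupted or altered copy stops here; the keychain is not touched.
        echo "digest mismatch for $cert: got $actual" >&2
        return 1
    fi

    # Same command as in the guide, run only after the digest matches.
    sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain "$cert"
}

# Usage (the digest argument is the value published by the administrator):
#   trust_ca_if_match /path/to/ca.crt <expected-sha256>
```

The check compares the whole file, so the administrator must compute the digest on the same ca.crt file that is copied to clients.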
Deleting a Certificate
When a certificate has expired or been compromised, you must delete it.
To delete a certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Select the Certificate Identity to delete.
4 Click the Remove (-) button and select Delete.
70 Chapter 4 Enhancing Security