Chapter 3 Mail Service Advanced Configuration 69
Using an SSL Certificate from an External Certificate Authority
If you do not have a valid certificate, you can acquire one from a certificate authority
and add it to the System keychain:
Generate a Certificate Signing Request (CSR)
A CSR is a file that provides information needed to issue an SSL certificate.
1 Log in to the server as root locally through Terminal or remotely via ssh.
2 Enter the following commands:
$ cd /private/var/root/Library/Keychains/
$ /usr/bin/certtool r csr.txt k=certkc c
This use of the certtool tool begins an interactive process that generates a CSR in
the file csr.txt and creates a keychain named certkc.
3 In the New Keychain Passphrase dialog that appears, enter a password for the keychain
you’re creating, enter the password a second time to verify it, and click OK.
Remember this password, because later you must supply it again.
4 When “Enter key and certificate label” appears in the Terminal window, enter a
one-word key, a blank space, and a one-word certificate label, and then press Return.
For example, you could enter your organization’s name as the key and mailservice as
the certificate label.
The following output appears.
Please specify parameters for the key pair you will generate.
r RSA
d DSA
f FEE
Select key algorithm by letter:
5 Enter r, and then press Return.
The following output appears.
Valid key sizes for RSA are 512..2048; default is 512
Enter key size in bits or CR for default:
6 Enter a key size, and then press Return.
Larger key sizes are more secure, but they require more processing time on your server.
Key sizes smaller than 1024 aren’t accepted by some certificate-issuing authorities.
The following output appears.
You have selected algorithm RSA, key size (size entered above) bits.
OK (y/anything)?
7 Enter y, and then press Return.
The following output appears.
Enter cert/key usage (s=signing, b=signing AND encrypting):
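The certtool session above walks through the key size and CSR creation one prompt at a time. As an added example that is not part of this guide, the shell functions below do the equivalent non-interactively with OpenSSL (assumed to be installed): they refuse RSA keys shorter than the 1024 bits some authorities reject, keep the private key file readable only by its owner, verify the CSR's self-signature, and read the key size back out of the finished CSR so it can be checked before the request is sent. The output directory, organization name and file names are assumptions chosen for the example.

```shell
# Added example, not from the Apple guide: generate a mail server CSR with
# OpenSSL instead of certtool's interactive prompts.
# Usage: make_csr <output-dir> <common-name> [key-bits]   (key-bits defaults to 2048)
make_csr() {
    dir="$1"; cn="$2"; bits="${3:-2048}"
    command -v openssl >/dev/null 2>&1 || return 2
    # The guide notes that some certificate authorities reject keys under
    # 1024 bits; refuse them up front instead of discovering it at submission.
    [ "$bits" -ge 1024 ] || { echo "key size $bits too small" >&2; return 1; }
    mkdir -p "$dir" || return 1
    # Private key: created under umask 077 (subshell) so it is owner-only.
    ( umask 077; openssl genrsa -out "$dir/mail.key" "$bits" 2>/dev/null ) || return 1
    # Subject fields are assumed placeholders; a real request uses the
    # organization's own name and the mail server's host name.
    openssl req -new -key "$dir/mail.key" -out "$dir/csr.txt" \
        -subj "/O=Example Org/CN=$cn" 2>/dev/null || return 1
    # Sanity check: the CSR's self-signature must verify with its own key.
    openssl req -in "$dir/csr.txt" -noout -verify 2>&1 | grep -qi "verify OK"
}

# Report the RSA modulus size, in bits, of the public key inside a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

Run it as `make_csr ./csr-out mail.example.com 2048 && csr_key_bits ./csr-out/csr.txt`; the second command should print `2048`, and the contents of `csr.txt` are what you submit to the certificate authority.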