- Reference 4.1 Describe SSL Certificate Basics
- Reference 4.2 Configuring SSL Certificates
- Reference 4.3 Troubleshooting
- Exercise 4.1 Examine the Default SSL Certificate
- Exercise 4.2 Configure an Open Directory Certificate Authority
- Exercise 4.3 Configure Your Client Computer to Trust an SSL Certificate
Exercise 4.2 Configure an Open Directory Certificate Authority
When you configure your server as an Open Directory (OD) master, the Server app automatically creates an OD CA, an intermediate CA, a signed certificate, and a code signing certificate that you can use with the Profile Manager service. When you enroll your Mac computer or your iOS device with your server’s Profile Manager service, your computer automatically trusts your server’s OD CA. Additionally, if you bind your Mac to your OD server, it automatically trusts your server’s OD CA. This guide has not yet covered binding or enrolling, so in Exercise 4.3, “Configure Your Client Computer to Trust an SSL Certificate,” you will use Safari to configure your client computer to trust your server’s OD CA.
In this exercise, you will configure your OD CA. You will examine the new CA, the intermediate CA, and two new certificates and verify that the Server app automatically removes your server’s old default self-signed certificate, updates services to use the certificate signed by the intermediate CA, and configures your server to trust the new certificates.
Configure Open Directory
Because the Server app creates keychain entries on your server, perform the following steps on your server.
Correct DNS records are crucial to the proper functioning of Open Directory services, so double-check DNS before starting the Open Directory service.
- On your server computer, open Network Utility (use Spotlight if necessary).
- Click the Lookup tab.
- Enter your server’s host name in the field (servern.pretendco.com, where n is your student number), and then click Lookup.
- Confirm that your server’s IPv4 address is returned.
- Enter your server’s primary IPv4 address in the field (10.0.0.n1, where n is your student number), and then click Lookup.
- Confirm that your server’s host name is returned.
Once you’ve confirmed your DNS records, configure your server as an Open Directory master.
- In the Server app sidebar under the Advanced section, select Open Directory.
- Click the on/off switch to turn on the Open Directory service (or in the Server app sidebar, Control-click Open Directory, and choose Start Open Directory Service).
- Select “Create a new Open Directory domain,” and click Next.
- In the Directory Administrator pane, leave the checkbox “Remember this password in my keychain” selected.
- Enter and verify a password.
If your server is not accessible from the Internet, in the Directory Administrator pane, enter diradminpw in the Password and Verify fields.
Of course, in a production environment, you should use a secure password and consider using an account name different from the default “diradmin” so that it is more difficult for unauthorized people to guess the username and password combination.
- Click Next.
- In the Organization Information pane, enter the appropriate information.
If the following fields do not already contain the information shown, enter it, and click Next.
- Organization Name: Pretendco Project n (where n is your student number)
- Admin Email Address: ladmin@servern.pretendco.com (where n is your student number)
- View the Confirm Settings pane, and click Set Up.
The Server app displays its progress in the lower-left corner of the Confirm Settings pane.
When it has completed the configuration, the Server app displays the Settings tab of the Open Directory pane, with your server listed as the master in the Servers list.
Inspect the OD Certificates
Inspect the certificates that the Server app automatically created.
- In the Server app sidebar, select Certificates.
- Confirm that the “Secure services using” pop-up menu is no longer set to a self-signed certificate but rather to a certificate signed by your server’s OD intermediate CA.
- Confirm that the self-signed certificate is no longer listed in the Certificates field.
- Double-click the certificate with your server’s host name, signed by your OD intermediate CA (the first entry in the Certificates field).
Confirm that the “Issued by” field contains a value made up of the following strings:
- “IntermediateCA_”
- Your server’s host name in all capital letters
- “_1”
- Click OK to close the certificate information pane.
- Double-click the code signing certificate (the second entry in the Certificates field).
- Confirm that this is also issued by your OD intermediate CA.
Use Keychain Access to inspect your OD CA, your OD intermediate CA, and the two signed certificates.
- On your server, use a Spotlight search to open Keychain Access.
- In the Keychains column, select System.
- In the Category column, select My Certificates.
- Select your OD CA. Its name is Pretendco Project n Open Directory Certificate Authority (where n is your student number).
- Double-click your OD CA to examine it.
Confirm that the second line of text identifies it as “Root certificate authority” and that the Subject Name information matches the Issuer Name information.
- Note that the certificate’s color is bronze, which signifies that it is a root certificate.
- Click the Trust disclosure triangle to display more details.
Confirm that your server is set to always trust this certificate.
- Close the window with the details of your OD CA.
- Double-click your OD intermediate CA.
Confirm that its second line of text identifies it as “Intermediate certificate authority.” Because your server trusts your OD CA and your OD CA signed this intermediate CA, this certificate is marked as valid with a green checkmark.
Note that the color of the certificate is blue, which signifies that it is an intermediate or leaf certificate.
- Close the window with the details of your OD intermediate CA.
- Double-click the certificate that contains only your server’s host name.
Confirm that the second line of text indicates that it is signed by your OD intermediate CA. Your server is configured to trust your OD CA, which signed your OD intermediate CA, which signed this certificate, so it is marked as valid with a green checkmark.
- Double-click your code signing certificate, inspect it, and close it.
- Quit Keychain Access.
In this exercise, you configured your server to be an Open Directory master. The Server app automatically configured a new OD CA, intermediate CA, and two new certificates; it removed your server’s old default self-signed certificate, and it updated services to use the certificate signed by the intermediate CA. It automatically configured your server to trust its own OD CA, which means that your server also trusts the OD intermediate CA and the two other certificates that are signed by the OD intermediate CA.