Exercise 4.3 Configure Your Client Computer to Trust an SSL Certificate

In a production environment, it is best to use a valid SSL certificate that’s been signed by a trusted CA. If that isn’t possible, you should configure your users’ computers and devices to trust your server’s certificate so that your users do not get into the habit of configuring their devices to trust unverified SSL certificates.

This lesson shows you how to configure an individual computer to trust your server’s OD CA; it is beyond the scope of this exercise to show you how to replicate the end result on multiple computers and devices.

Turn On the Web Service Temporarily

Turn on your server’s Websites service so you can quickly access the SSL certificate your server’s services use.

  1. In the Server app sidebar, rest the pointer over the word Websites, Control-click Websites, and then choose Start Websites Service.

Visit Your Server’s Website Protected by SSL

In this exercise, you will use your client computer and confirm that you are using your server’s DNS service; otherwise, you will not be able to connect to its web service using its host name. Then you’ll open Safari to your server’s default HTTPS website. Finally, you’ll configure your client computer to trust the SSL certificate.

  1. On your client computer, open System Preferences.
  2. Open the Network pane.
  3. Select the active network service, and confirm that your server’s IP address is listed for the DNS Service value.

    If you are using Wi-Fi, you need to click Advanced, click the DNS tab to view the DNS Service value, and then click Cancel to close the Advanced pane.

  4. Quit System Preferences.
  5. On your client computer, open Safari, and in the Address and Search field, enter https://servern.pretendco.com (where n is your student number).

  6. Press Return to open the page.

Your certificate is not signed by a CA that your client computer is configured to trust, so you’ll see a message that Safari can’t verify the identity of the website.

Configure Your Client Computer to Trust This SSL Certificate

Once you see the dialog that Safari can’t verify the identity of the website, you can click Show Certificate and configure the currently logged-in user to trust the SSL certificate used by the website.

  1. Click Show Certificate.
  2. Note that the certificate with your server’s host name is marked in red with “This certificate was signed by an untrusted issuer.”

  3. In the certificate chain, select your OD CA.

  4. Click the Details disclosure triangle, and inspect the details.
  5. Select the checkbox “Always trust Pretendco Project n Open Directory Certificate Authority” (where n is your student number).

  6. Click Continue.
  7. Provide your login credentials, and click Update Settings.

    This updates the settings only for the currently logged-in user; this does not affect any other user on this computer.

  8. Confirm the Safari Address and Search field displays a lock icon, which indicates that the page was opened using SSL.

  9. Keep Safari open for the next section of this exercise.

Confirm That Your Mac Trusts the SSL Certificate

To view the SSL certificate the Websites service is using, perform the following steps.

  1. In the Safari Address and Search field, click the lock icon.
  2. In the pane that informs you that Safari is using an encrypted connection, click Show Certificate.
  3. Confirm that the certificate is listed as valid with a green checkmark.

  4. Press Command-Q to quit Safari.

Clean Up

To ensure that the rest of the exercises are consistent, turn off the Websites service.

  1. On your server computer, in the Server app sidebar, select the Websites service, and click the on/off switch to turn the service off.
  2. Confirm that no green status indicators appear next to the Websites service.

    This indicates that the service is off.

You confirmed that your server’s default web service uses the SSL certificate you configured in the previous exercise. You confirmed that by trusting a CA, you trust a certificate that was signed by an intermediate CA that was signed by the CA (at least for the currently logged-in user).
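The chain-of-trust result summarized above can be reproduced outside Keychain with the openssl command line. This is an added example, not part of the book's exercise: it builds a constructed root CA, intermediate CA, and server certificate (all names are sample values), shows that the server certificate is rejected until the root is supplied as the trust anchor, and prints the root's SHA-256 fingerprint, the value to compare against the server's copy before selecting "Always trust". It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Constructed chain: root CA -> intermediate CA -> server certificate.
# Every name here (Demo Root CA, server.example.test) is a sample value.

issue() {  # issue NAME SUBJECT EXT_SECTION [ISSUER]; self-signed when ISSUER is omitted
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then signer="-CA $4.pem -CAkey $4.key -CAcreateserial"
  else signer="-signkey $1.key"; fi
  # $signer is deliberately unquoted so it splits into separate options
  openssl x509 -req -in "$1.csr" $signer -days 2 -sha256 \
    -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

build_chain() {  # build_chain DIR: writes root.pem, int.pem, leaf.pem into DIR
  ( cd "$1" || exit 1
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
      '[leaf]' 'basicConstraints=CA:FALSE' \
      'subjectAltName=DNS:server.example.test' > ext.cnf
    issue root "/CN=Demo Root CA" ca &&
    issue int "/CN=Demo Intermediate CA" ca root &&
    issue leaf "/CN=server.example.test" leaf int )
}

# verify_leaf DIR [ANCHOR]: succeeds only if leaf.pem chains up to ANCHOR.
# The intermediate is passed with -untrusted: it helps build the path
# but is never itself a trust anchor.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

# SHA-256 fingerprint to compare with the value the server shows for its CA
ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

demo=$(mktemp -d)
build_chain "$demo" || { echo "chain generation failed" >&2; exit 1; }
if verify_leaf "$demo"; then echo "no anchor: valid"; else echo "no anchor: untrusted issuer"; fi
if verify_leaf "$demo" "$demo/root.pem"; then echo "root trusted: valid"; else echo "root trusted: rejected"; fi
ca_fingerprint "$demo/root.pem"
rm -rf "$demo"
```

Only the root is ever marked as trusted; the intermediate and server certificates become valid solely because they chain to it, which is why the fingerprint check on the root is the step that matters.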
