[MacTUG] Lessons Learned in OS X Server Mountain Lion: Lessons Learned Re: Certificates

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Tue Feb 12 09:19:38 EST 2013


I have decided to bore you all by documenting all the stupid things I have done as I play with OS X Server Mountain Lion. My goal is to replace my 'golden triangle' Snow Leopard Server for Mac AD authentication.

This is regarding Certificates. It is a particularly noobish lesson as I am new to Mountain Lion Server, and while I am familiar with the operation of certificates I have never needed to use Certificates before on my Mac Servers. Certificates are important now because of how the Golden Triangle has been replaced with some other 'precious metal polygon' that no one has come up with a name for.

Let me backtrack a moment and remind you that a golden rectangle is what you get when you bind the client to AD and OD and you bind the Mac to AD: You get this nice three way partnership.

This has been replaced by a slightly more complex relationship, and Apple (as an entity) has become involved in this partnership. One enables push notifications with Apple and these services are used to negotiate the relationships between the client and your Mac server. This is basically why we need a proper certificate: we need to ensure we have a trusted relationship between your server and Apple, and so the client knows they are talking to whom they should be talking to (so that you are not getting any man in the middle action, for example).

So we need a certificate installed on the Mac Server. What is the first lesson that Don learned? -- BTW, a 'lesson' is a mistake he made that he learned from ;-)

Lesson #1 -- Back up your public and private certificates (plus your CSR – certificate signing request): Frequently, when I am testing a new operating system, I will try some things out and get to a point where I want to 'start fresh' and reinstall the operating system. This happened this time and I quickly started to rebuild the OS of the Server, thinking I would be up and running in no time. I had forgotten to squirrel away my private key for my certificate. I had the CSR and the public key, but not the private key. You generate the private key and then use it to create the CSR. I had saved the CSR as it gets sent to the signing authority, so I had a copy of it on my notepad. You get back the public key but it is meaningless without the private key. So make sure you have all three nicely tucked away in a SECURE place.

Lesson #2 -- the curse of TextEdit: I hate TextEdit and 90% of the time I use TextWrangler (and for the remaining 10% of the time I usually wish I had!!). This is one of those cases, as I spent hours wondering what the problem was before I realized it was being caused by TextEdit. I had received the public key in the email, and from what I had read I was merely to drag it onto a GUI window that pops up when you choose "Create a Certificate Identity" from the Certificate pane of the Server App. So I copied and pasted the text into a TextEdit file and saved it. Big mistake, as I forgot that TextEdit saves files in RTF format by default! When I pasted it into TextWrangler (or if I had used vi) it worked fine and it read the public key (and, I think, the intermediate key) that was in the email body. I realized this when I dragged my private key onto the GUI window and it worked fine, and then looked at my private key using the 'more' Unix command. I then looked at my public key TextEdit file using the 'more' command and realized it was RTF gobbledygook!

So now I have a nicely certificate-equipped test server and can begin the rest of my tests!

don
------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people/donald-duff-mccracken
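An added check covering both lessons above (example code written for this page, not part of Don's post): it inspects a saved 'certificate' file for TextEdit's RTF wrapper and for PEM blocks that no longer decode, and reports which of the three artefacts (private key, CSR, certificate) is still missing from a backup set. The sample inputs are constructed, and the certificate bodies are a hand-made DER stub, not a real certificate.

```python
import base64
import re

# Constructed samples (not from the post): the same CA reply, once pasted into a
# plain-text editor and once saved by TextEdit in its default RTF format.
# "MAMCAQU=" is a tiny hand-made DER SEQUENCE, not a real certificate.
PLAIN_PASTE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)
RTF_PASTE = (
    "{\\rtf1\\ansi\\ansicpg1252\\cocoartf1187\n"
    "\\f0\\fs24 \\cf0 -----BEGIN CERTIFICATE-----\\\nMAMCAQU=\\\n-----END CERTIFICATE-----}\n"
)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KINDS = {  # PEM label -> which of the three things Lesson #1 says to back up
    "CERTIFICATE": "certificate", "CERTIFICATE REQUEST": "csr",
    "NEW CERTIFICATE REQUEST": "csr", "PRIVATE KEY": "private key",
    "RSA PRIVATE KEY": "private key", "EC PRIVATE KEY": "private key",
    "ENCRYPTED PRIVATE KEY": "private key"}

def inspect_pem_text(text):
    """Report whether a saved 'certificate file' is really PEM.
    Flags an RTF wrapper and, for each PEM block, checks that the body is strict
    base64 whose DER begins with the ASN.1 SEQUENCE tag (0x30), as keys, CSRs and
    certificates all do. RTF line breaks ('\\' + newline) break the base64."""
    report = {"is_rtf": text.lstrip().startswith("{\\rtf"), "blocks": [], "problems": []}
    if report["is_rtf"]:
        report["problems"].append("file is RTF, not plain text: re-save as plain text")
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            ok = der[:1] == b"\x30"
        except ValueError:  # binascii.Error (a ValueError): non-base64 characters
            ok = False
        if not ok:
            report["problems"].append(f"{label} block is not base64-encoded DER")
        report["blocks"].append({"label": label, "kind": KINDS.get(label, "unknown"), "valid_der": ok})
    if not report["blocks"]:
        report["problems"].append("no PEM blocks found")
    return report

def missing_pieces(files):
    """Lesson #1 inventory: given {path: contents}, list which of private key,
    CSR and certificate has no valid PEM block in any of the files."""
    have = {b["kind"] for t in files.values() for b in inspect_pem_text(t)["blocks"] if b["valid_der"]}
    return sorted({"private key", "csr", "certificate"} - have)

if __name__ == "__main__":
    for name, text in (("plain", PLAIN_PASTE), ("rtf", RTF_PASTE)):
        print(name, inspect_pem_text(text))
    print("missing from backup:", missing_pieces({"server.pem": PLAIN_PASTE}))
```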
