[MacTUG] Installing SHA-256 certs on a 10.9.5 server

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Tue Dec 9 16:19:22 EST 2014


While my certs are behaving, for those of you that are installing certs in OS X Server, I am curious as to how you are doing it?

  1.  command line to create the CSR and then dragging the private key, the public key, and the intermediate key into the dialog box for “Import a security identity” - the method I normally use but could not get to work this time
  2.  Using the wizard to create the CSR – the method I did use this time
  3.  Or some other way

I am specifically interested in 10.9.5 servers, as it is the first time I could not do it by using the command line to generate the CSR.

Don
------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people
------------------------------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and If you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.

From: Donald Duff-McCracken <dsmccrac at uwaterloo.ca>
Date: Tuesday, December 9, 2014 at 11:09 AM
To: MacTUG <mactug at mailman.uwaterloo.ca>
Subject: [MacTUG] Installing SHA-256 certs on a 10.9.5 server

The following may only be of interest to those that use signed certificates:

I had not installed certs for a while on a Mac server, and a few things have changed since then. One is that SHA-256 certs are now being used and that I had not done it to a 10.9.5 server (and everything seems harder in 10.9.5 haha).

Firstly, a few changes with SHA-256. You are not emailed the intermediate certificate; you download it from the GlobalSign site. If anything this may be easier, but it is different.

Regarding installing the intermediate cert and the public key, I ran into some issues. I used to follow IST’s excellent steps outlining how to create a private key and a CSR<https://uwaterloo.ca/information-systems-technology/services/certificate-authority-support/certificate-authority-details/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates#openssl>. This method was fine for getting the info to GlobalSign (and generating the public key and intermediate certificate), but I ran into problems importing these into the OS. Usually I select “Import a security identity” (under Certificates in the Server App) and drag the private key, public key and intermediate cert to it. For some reason it was just not working this time. It was not recognizing the public key (and I was creating it the same way I always have, by copying it from the email into a text editor like TextWrangler).

After trying to resolve this issue (trying a few ways of saving the public key), I decided to try a second route, which worked fine. I used “Create a certificate identity” to have the Server app generate the private key and the CSR. This identity was then labeled as ‘pending’ until GlobalSign sent me the public key. I could then click on this pending certificate identity and import in the public key and the downloaded intermediate cert. This all worked quite well.


------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people
------------------------------------
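
The following is an added example, not part of either message in the thread: OpenSSL checks to run before importing a key and an issued certificate, confirming that the CSR is SHA-256-signed, that a certificate pasted from e-mail still parses as PEM, and that it belongs to the private key. The host name, file names and function names are assumptions, and a self-signed certificate stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example: pre-import checks for a key / CSR / certificate set.
# Host name and file names are constructed placeholders.

# Create a 2048-bit RSA key and a SHA-256-signed CSR in directory $1 for CN $2.
make_key_and_csr() {
    ( umask 077   # keep the private key unreadable by other users
      openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
          -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# Print the CSR's signature algorithm (sha256WithRSAEncryption is expected).
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed only if the file parses as a PEM X.509 certificate. A copy pasted
# from e-mail that lost a BEGIN/END line or had its base64 altered fails here.
pem_cert_ok() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Succeed only if the certificate's public key belongs to the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Demo run in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_key_and_csr "$d" "server.example.test" || return 1
    echo "CSR signature algorithm: $(csr_sig_alg "$d/server.csr")"
    # Stand-in for the CA's reply: self-sign the CSR (assumption, demo only).
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -sha256 -days 1 -out "$d/server.crt" 2>/dev/null
    pem_cert_ok "$d/server.crt" && echo "certificate parses as PEM"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
    rm -rf "$d"
}
demo
```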