I apologize for not getting back to you sooner. I appreciate the
detailed explanation on how to add a signed certificate. The
documentation kind of confused me and I thought I had to actually
import it. Thanks for setting me straight.
Unfortunately, I got it to accept the certificate via import, although
with the wrong information. Now the "Add Signed Certificate" button
is disabled. How can I make it enabled without screwing anything up
or causing unforeseen problems later or is it better to cut my losses
and {delete the certificate/create another CSR/pay for another signed
certificate}?
I looked at my setup with a properly working certificate, and my
[Request Signed Certificate From CA] and [Add Signed Certificate]
buttons are also grayed out and unavailable. I checked the online
Server Admin help and searched for "editing certificates" which led
me to the "Creating and Managing Security Certificates" section:
****
Editing a Certificate
Once the certificate signature of a CA is added, it can't be edited.
A self-signed certificate can be edited. All the fields of the
certificate (including domain name and private key passphrase,
private key size, etc.) can be modified. If the identity was exported
to disk from the system keychain, it will have to be re-exported.
****
That's fairly declarative. Not being able to edit the certificate
signed by a CA is normal.
Or is the best solution for me to try to reimport the
whole thing with knowing the private key. If so, I am not exactly
sure where to find the private key in the "keychain" even though you
mentioned it is under the admin account via KeyChain Access under the
system keychains. Sorry for my ignorance.
Scott
The private key and the whole public key infrastructure is stored in
the keychain and is accessible by the Keychain Access program. Login
as an admin on the server's console. Launch Keychain Access. Click
on the system keychain. For the identity in question, you should see
your private key, public key, and the signed certificate from the CA
all listed. These things can be exported from the keychain and saved
to disk as traditional files. If you see something more complicated
than that you might want to stop there and report what you see.
Inspect these items in the keychain and see if they match what you
expect them to be.
What you do next is difficult for me to recommend because I really
don't have an understanding of what is currently wrong.
I would expect that the PKI handling software in OS X server is
checking things such that it is not possible to have a certificate
associated with an identity that doesn't pair with the private key
and the certificate signing request signed by the private key. I
have never used the import feature, so I don't know how "smart" it
is. I would first ask you to test your assertion that your current
configuration is "wrong". What are your experiences that have led to
that conclusion?
What you have in hand is the signed certificate. What is less clear
is what has happened to the original CSR and private key after these
import attempts. You may have the original CSR saved outside of the
keychain from when you sent it to the CA. If the original private
key is intact you should be OK, if not, the signed certificate will
be useless. I can't see a reason why you couldn't go into Keychain
Access and attempt to remove the "wrong" signed certificate there.
Take required backup/snapshot/preferred precautions of your server
first. Launch Server Admin and see if you can add the certificate
using the GUI now that the server has no knowledge of one.
If you haven't already, refresh your memory of how this stuff works
by reading a primer on SSL. Here's one: <http://slacksite.com/apache/
certificate.html>.
