Setup guide

steps for doing this vary by vendor but are outlined in the “Setting up SSL” section of
Apple’s “Mac OS X Server Web Technologies Administration” manual. Once the
certificates have been obtained, configuration of the services is the same whether
they were purchased from a vendor or signed by your own CA.
If you are setting up an internal network and only need to encrypt local traffic, set up
a CA to sign SSL certificates for the internal network. The next sections describe this
process. While the security is only as good as the security of the CA, in many cases
this is sufficient to enable encrypted communication between a web or mail server
and their clients. The basic steps to set up an internal SSL-encrypted network are:
1. Create a CA.
2. Distribute the CA's certificate to client systems.
3. Use the CA to sign the certificates the servers will use.
4.4.1.1 Creating a CA to sign certificates
Creating a CA is possible on any system with OpenSSL installed, including
Mac OS X. Since the security of your certificates is dependent on the security of the
CA, performing these steps on a secure machine is critical. The machine should be
physically secure and not connected to any network.
To create a folder to hold the certificate files, open Terminal and execute the
following:
cd /usr/share
sudo mkdir certs
cd certs
To create the CA, generate a key pair as follows:
sudo openssl genrsa -des3 -out ca.key 2048
This command generates an RSA public-private key pair, encrypted with Triple-DES, in the
file ca.key; 2048 is the length of the key in bits. OpenSSL will ask for a passphrase
for the key upon creating it. Use a strong passphrase and keep it secure; a
compromise of this passphrase would undermine the security of your entire
certificate system.
Next, the newly created public key is signed with the CA's own private key to create an
SSL certificate that may be distributed to other systems. Later, when we sign other
servers’ certificates with our CA’s private key, any client can use the CA’s SSL
certificate (containing its public key) to verify those signatures. When a CA signs a
server’s certificate with its private key, it vouches for the authenticity of that
certificate. Anyone who trusts the CA can then trust any certificate the CA signs.
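The whole procedure of this section, carried through end to end as an added example (this is not a script from the guide): a passphrase-protected CA key is created, the CA's public key is self-signed to produce the certificate that gets distributed to clients, a server key and certificate request are generated, the request is signed by the CA, and the resulting chain is verified. It assumes openssl 1.1.1 or later is on the PATH; the temporary working directory, the passphrase "demo-passphrase", the CA name and the host name www.example.internal are constructed demo values, not the /usr/share/certs path or real names used in the guide. AES-256 is used for the key file instead of the guide's Triple-DES, and the passphrase is passed on the command line only so the script runs unattended; in real use let OpenSSL prompt for it, as the guide describes.

```shell
#!/bin/sh
# Added example, not part of the original guide. Builds a throw-away internal CA,
# signs one server certificate with it and verifies the chain.
# Assumes: openssl (1.1.1 or 3.x) on PATH. Directory, passphrase and names below
# are constructed demo values.

# Step 1: create the CA key and the self-signed CA certificate in directory $1.
# $2 is the CA passphrase (demo value; normally OpenSSL prompts for it).
make_internal_ca() {
    ca_dir="$1"; ca_pass="$2"
    mkdir -p "$ca_dir"
    # Passphrase-protected 2048-bit RSA key pair (the guide uses -des3; AES-256 here).
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$ca_dir/ca.key" 2048 2>/dev/null
    # Extensions that mark the certificate as a CA able to sign other certificates.
    cat > "$ca_dir/ca_ext.cnf" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # Request for the CA's own public key, then self-sign it with the CA private key.
    # ca.crt is the file you distribute to client systems (step 2 of the guide).
    openssl req -new -key "$ca_dir/ca.key" -passin "pass:$ca_pass" \
        -subj "/CN=Example Internal CA" -out "$ca_dir/ca.csr"
    openssl x509 -req -in "$ca_dir/ca.csr" -signkey "$ca_dir/ca.key" \
        -passin "pass:$ca_pass" -days 3650 -sha256 \
        -extfile "$ca_dir/ca_ext.cnf" -out "$ca_dir/ca.crt" 2>/dev/null
}

# Step 3: create a server key and request, and sign the request with the CA.
# $1 = CA directory, $2 = CA passphrase, $3 = server host name for CN and SAN.
sign_server_cert() {
    ca_dir="$1"; ca_pass="$2"; host="$3"
    # Server key is left unencrypted so the web or mail service can start unattended.
    openssl genrsa -out "$ca_dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$ca_dir/server.key" -subj "/CN=$host" \
        -out "$ca_dir/server.csr"
    # End-entity extensions: explicitly not a CA, usable only for server authentication.
    cat > "$ca_dir/server_ext.cnf" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    # The CA's private key vouches for the server's public key; clients holding
    # ca.crt can then check this signature.
    openssl x509 -req -in "$ca_dir/server.csr" -CA "$ca_dir/ca.crt" \
        -CAkey "$ca_dir/ca.key" -passin "pass:$ca_pass" -CAcreateserial \
        -days 365 -sha256 -extfile "$ca_dir/server_ext.cnf" \
        -out "$ca_dir/server.crt" 2>/dev/null
}

# Check what a client will check: does server.crt chain to ca.crt?
# Returns 0 when the chain verifies, non-zero otherwise.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Demo run in a temporary directory.
workdir=$(mktemp -d)
make_internal_ca "$workdir" "demo-passphrase"
sign_server_cert "$workdir" "demo-passphrase" "www.example.internal"
if verify_server_cert "$workdir"; then
    echo "server.crt verifies against ca.crt in $workdir"
else
    echo "verification failed" >&2
fi
```

Because the CA key is passphrase-protected, every signing operation needs the passphrase, which is the intended property: whoever controls ca.key and its passphrase controls which servers the whole internal network will trust, so the directory should live on the isolated machine the guide describes and only ca.crt should leave it.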
To sign the newly created CA’s public key to produce a certificate for distribution:
34
UNCLASSIFIED