Apple Mac OS X Server (Version 10.6 Snow Leopard) User Manual, page 69
Chapter 4 Enhancing Security
7 Click the Import button.
If prompted, enter the private key passphrase.
Managing Certificates
After you create and sign a certificate, you won’t do much more with it. Since
certificates cannot be edited, you can either delete, replace, or revoke certificates after
they are created. You cannot change certificates after a CA signs them.
If the information a certificate possesses (such as contact information) is no longer
accurate, or if you believe the private key is compromised, delete the certificate.
If you have previously generated certificates for SSL, you can import them for use by
services. The OpenSSL keys and certificates must be in PEM format.
If you chose custom locations for your SSL certificates with Leopard Server, you must
import them into Certificate Manager if you want them to be available for services.
Custom filesystem locations for certificates cannot be managed for services using
Server Admin for Mac OS X Server v10.6. To use custom file locations, you must edit the
configuration files directly.
When certificates and keys are imported via Certificate Manager, they are put in the
/etc/certificates/ directory. The directory contains four PEM formatted files for every
identity:
• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some services)
Each file has the following naming convention:
For example, the certificate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
After they are imported, Certificate Manager encrypts the files with a random
passphrase. It puts the passphrase in the System keychain, and puts the resulting PEM
files in /etc/certificates/.
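The four files described above are plain PEM, so their consistency can be checked without Server Admin. The script below is an added example, not code from the manual or from Apple: it parses PEM blocks with the standard library only, recognises the `Proc-Type: 4,ENCRYPTED` header that an encrypted PEM block carries, and confirms that the concatenated file is exactly the certificate followed by the trust chain. The sample PEM strings are constructed placeholders (a five-byte DER SEQUENCE, not a real certificate or key) so the example runs offline; the function names and the four-argument `check_identity` layout are this example's own assumptions, not an Apple API.

```python
import base64
import re
from typing import List, NamedTuple

# One PEM block: "-----BEGIN label-----", optional header lines, base64 body, "-----END label-----"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


class PemBlock(NamedTuple):
    label: str        # e.g. "CERTIFICATE", "PUBLIC KEY", "RSA PRIVATE KEY"
    payload: bytes    # decoded body: DER when unencrypted, ciphertext when encrypted
    encrypted: bool   # True when a "Proc-Type: 4,ENCRYPTED" header is present


def parse_pem(text: str) -> List[PemBlock]:
    """Split a PEM file into blocks, decoding each body and validating the base64."""
    blocks = []
    for match in PEM_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = [], []
        for line in body.splitlines():
            if ":" in line:              # header line such as "DEK-Info: AES-128-CBC,..."
                headers.append(line.strip())
            elif line.strip():           # base64 line (blank separator lines are skipped)
                b64_lines.append(line.strip())
        payload = base64.b64decode("".join(b64_lines), validate=True)
        encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        # An unencrypted block must decode to DER, and every X.509/PKCS object starts
        # with a SEQUENCE tag (0x30); an encrypted body is ciphertext, so skip that check.
        if not encrypted and (not payload or payload[0] != 0x30):
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append(PemBlock(label, payload, encrypted))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def check_identity(cert_pem: str, key_pem: str, chain_pem: str, concat_pem: str) -> List[str]:
    """Return a list of problems found in one identity's four files (empty list = consistent)."""
    cert, key, chain, concat = (parse_pem(p) for p in (cert_pem, key_pem, chain_pem, concat_pem))
    problems = []
    if len(cert) != 1 or cert[0].label != "CERTIFICATE":
        problems.append("cert file must hold exactly one CERTIFICATE block")
    if len(key) != 1 or key[0].label == "CERTIFICATE":
        problems.append("key file must hold exactly one key block")
    if any(block.label != "CERTIFICATE" for block in chain):
        problems.append("chain file contains a non-certificate block")
    # The concatenated file must be the certificate followed by the chain, in that order.
    if concat != cert + chain:
        problems.append("concatenated file is not certificate + trust chain")
    return problems


# Constructed sample input: "MAMCAQE=" / "MAMCAQI=" are base64 of the DER SEQUENCEs
# 30 03 02 01 01 and 30 03 02 01 02, stand-ins for real certificates and keys.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
CONCAT_PEM = CERT_PEM + CHAIN_PEM
KEY_PEM = "-----BEGIN PUBLIC KEY-----\nMAMCAQE=\n-----END PUBLIC KEY-----\n"
# Constructed encrypted block: headers plus a 16-byte zero body, as produced when a
# PEM file is protected with a passphrase.
ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAAAAAAAAAAAAAAAAAAAA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("consistent identity:", check_identity(CERT_PEM, KEY_PEM, CHAIN_PEM, CONCAT_PEM))
    print("wrong concat file:  ", check_identity(CERT_PEM, KEY_PEM, CHAIN_PEM, CERT_PEM))
    print("encrypted block:    ", parse_pem(ENCRYPTED_PEM)[0].encrypted)
```

On a live server the same checks would be run by reading the four files for one identity from /etc/certificates/ and passing their contents to `check_identity`; an encrypted key file is reported as such rather than rejected, because the passphrase lives in the System keychain and is not needed to verify the file layout.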
Editing a Certificate
After you add a certificate signature, you can’t edit the certificate. You must replace it
with one generated from the same private key.