OS X hosting, Xserves, Mac Minis, G4’s, G5s

Here for all your hosting and support.

Mac OS X Panther Server and SSL

with 37 comments

by Joel Rennich, mactroll@afp548.com

The purpose of this article is to give you an idea of what you can do with SSL in Mac OS X Server and how you can use that to secure as many services as possible. So, first we’ll talk some about SSL in general and how to create the certificates, then we’ll discuss what to do with those certificates.

SSL certificate creation

Before we start I’d like to point out that we are going to be creating home-rolled SSL certificates here. As such you will run into problems when connecting to your Server using applications like a Web browser. Most applications will allow you to ignore the fact that your certificate hasn’t been validated by one of the internationally recognized certificate authorities, but it’s still a pain.

I’ll show you how to get around that by importing in your own certificate authority onto your client machines. This presumes that you have control over all of your clients, so for internal use where you control both the server and the client setups being your own certificate authority is great. If you plan on doing business with the general public, such as using it for credit card processing on a Web page, I would strongly recommend that you invest the money in a “real” certificate.

If you do buy one at least take a look at www.qualityssl.com. They have really good prices and are Mac-based, so you can keep it in the family.

Also all of the openSSL work, such as generating and signing certificates, can be done on Mac OS X client.

1. Make a certificate authority (CA).

This should be done in a secure place, since if your CA gets compromised then all of your security goes out the window. A decent place for this would be on your most secure server or on your own machine.

It doesn’t matter where on the filesystem you do this; however, I personally prefer to create a CA directory in /etc:

sudo mkdir -p /etc/certs
cd /etc/certs

Right now this folder has fairly relaxed permissions on it. As soon as were done we’ll change that to greatly limit access to the folder. Now that we have our place we need to begin generatng the CA. We do this by making a certificate signing request (CSR). This example will generate a 3DES encrypted 2048 bit key. This is a rather high security key which means it takes longer to process. So if you feel the need you can scale it down to 1024 bits if you like. Although I haven’t had any problems using this with Mac OS X 10.2 and Windows 2000.

openssl genrsa -des3 -out ca.key 2048

You will be asked for a passphrase for this key. You need to both remember this phrase and keep it secure. Your entire SSL system will depend on this passphrase being secure.

Now that you have the request you can sign it into a CA.

openssl req -new -x509 -days 4096 -key ca.key -out ca.crt

You’ll be asked for the passphrase that you just set up. After that your certificate authority will be valid for 4096 days.

You now have a full blown certificate authority for your machine. From this we will base all of your other certificates from it.

2. Generate a certificate for your server.

You will need one for each domain that you have; i.e., mail.afp548.com and http://www.afp548.com will each need one if you want to secure both sites.

So first we will generate a new private key.

openssl genrsa -des3 -out server.key 1024

You will be prompted for a password here also. This should be different from the password for the CA. Just remember it because you will need to enter it into Server Admin to get SSL running.

Now you need to generate a request with the private key.

openssl req -new -key server.key -out server.csr

Again you will be asked for a password. This is the one you entered in the step above. Then you will get a bunch of questions. They all really don’t matter except for common name. This needs to be the fully qualified name of your Web server, like http://www.afp548.com. If this is wrong you will get errors in the browser. Also: leave the challenge password blank.

Now we need to set up a few folders so that we can actually sign the certificate.

mkdir -p demoCA/private
cp ca.key demoCA/private/cakey.pem
cp ca.crt demoCA/cacert.pem
mkdir demoCA/newcerts
touch demoCA/index.txt

            echo “01” > demoCA/serial

You can now actually sign the server certificate with your newly minted CA.

openssl ca -policy policy_anything -in server.csr -out server.crt

The password you are prompted for is the password you assigned to the CA, the first one, not to the certificate itself. If you need to create more certificates you will only need to do the last three steps for each.

Finally to keep things secret and to keep things safe, change the permissions on this folder.

sudo chmod 700 /etc/certs

Now you can take all of your pieces and make the sites secure.

3. Securing your web site.

Go into Server Admin and make sure that the SSL module is enabled in the modules pane under settings.

Then go to the site that you want to secure. Change the port to 443, click on the security button, and enable SSL by checking the box at the top. Then you need to open up some of the files that you have created in TextEdit, or any text editor, and copy and paste them into the three appropriate spots. Copy server.crt into “Certificate File.” Copy server.key into “Key File,” and copy ca.crt into “CA File.”

Finally, you’ll want to enter the passphrase for the server certificate into the “Pass Phrase” field or else you’ll have to be at the server everytime it starts up.

A few parting thoughts about securing Web connections. You will need a separate IP address for every SSL site that you have. There’s a complicated reason for this, but it involves how SSL connections begin and I don’t know of any way around this. In 10.2 you had to edit the httpd_macosxserver.conf file to get higher level encryption. This requirement seems to be gone in 10.3 as it defaults to using all ciphers.

When you are done your certificates will be stored in /etc/httpd/ssl.crt and /etc/httpd/ssl.key. Your site’s specific config is stashed in /etc/httpd/sites/your site’s name. So look in there for any specific info. Also the passphrase that you used is stashed in /etc/httpd/servermgr_web_httpd_config.plist, which is root-readable only.

4. Securing LDAP

We run into a bit of a problem here. OpenLDAP doesn’t like a server key that has a passpharse associated with it. Postfix and Cyrus are going to be the same way. So remove the passphrase.

openssl rsa -in server.key -out serverno.key

Now go back into Server Admin. Select the Open Directory settings and go to the “Protocols” tab. Check the “Use SSL” box and then put the path to your certificates in the three fields.

Certificate: /etc/certs/server.crt
SSL Key: /etc/certs/serverno.key
CA Certificate: /etc/certs/ca.crt

OpenSSL runs as root, so it will be able to get into /etc/certs without any issues. As soon as you save this config Server Admin will restart OpenLDAP with SSL support.

The SSL configuration for OpenLDAP is stored in /etc/openldap/slapd_macosxserver.conf.

5. Securing SMTP

Postfix can be setup to use the same certificate as the one you established for openLDAP. However, it wants to have both the key and the certificate in the same file. This is easily done.

sudo cat /etc/certs/serverno.key /etc/certs/server.crt > /etc/certs/server.pem

Now link that file to what Postfix is looking for.

ln -s /etc/certs/server.pem /etc/postfix/

Now reload Postfix through the GUI or by doing this from the command line.

sudo postfix reload

And start using encrypted SMTP services.

The SSL configuration for Postfix is kept in /etc/postfix/main.cf.

6. Securing POP/IMAP

Cyrus can use the same certificate as Postfix, but it needs to be accessible by the cyrus user. That requires relaxing the permission a bit on the certificate store.

sudo chown :mail /etc/certs
sudo chmod 750 /etc/certs
sudo chmod -R 700 /etc/certs/demoCA

Now you can link the server.pem file into where Cyrus POP and IMAP want to find it.

ln -s /etc/certs/server.pem /var/imap/server.pem

Now go into Server Admin and set up POP/IMAP to use SSL in the Advanced button of the Mail Server settings.

Set your mail client accordingly and securely read your mail.

The SSL configuration for Cyrus is stored in /etc/imap.conf.

7. Enable your clients

Since your CA is self-signed all of your Mac OS X applications and services will yell at you for using it. You can get around this by adding the cert to the client’s x509 Anchors keychain. Essentially this is the root CA file for your machine.

Do this by copying over to the client machine the ca.crt file that you created in the first step. Then install it by doing

sudo certtool i ca.crt v k=/System/Library/Keychains/x509Anchors

Your client will now trust certificates that you have signed into being with this CA. If you do this right, you’ll use the same CA for all of your servers and their services. That way you’ll only have to import one file into the clients x509Anchors.

8. E-mail certs

This bit is for bonus points, but all the cool kids are doing it and so should you. Mail.app in 10.3 allows the use of s/mime certificates. These are PKI certificates that act similar to SSL certificates and can sign and or encrypt e-mail.

The easiest way for a personal user to get a certificate is to head over to www.thawte.com and sign up for their free community mail certificate. Really good instructions for this can be found here:

http://joar.com/certificates/

However, if for some reason you feel like making your own, read on. Note that this is mostly an exercise in what you can do with OpenSSL. Since the Thawte certificates are free and easily available you’re probably better off using them. However, if you want to outfit your entire organization with home rolled certificates, well here you go. Just be careful to only use this between users that have imported your root CA that you created.

To do this you need to first generate a certificate for your e-mail user. This is pretty much the same thing as generating one for a server.

openssl genrsa -des3 -out mail.key 1024

Give it a pass phrase to lock it up.

openssl req -new -key mail.key -out mail.csr

Here, you’ll want to use your real name for the Common Name. Joel Rennich is what I would use. Then make sure that you fill out the e-mail field with what you have set up in Mail.app as your e-mail address. Capitalization is important here. I would use “mactroll@afp548.com”.

Now sign this cert with your CA.

openssl ca -policy policy_anything -in mail.csr -out mail.crt

You’ll enter in your CA password and then commit the signature.

Finally you can convert the signed certificate into the format that is used for s/mime. When you do this it will first ask you for your mail certificate password that you set up a few commands before. Then it will ask you for an export password. This can be the same of different, it doesn’t matter, but you will need to use the export password when importing this certificate into your Keychain so you can use it with mail.

openssl pkcs12 -export -inkey mail.key -certfile mail.crt -in mail.crt -out mactroll.p12

This is your “official” e-mail certificate. Copy this over to your client machine and double-click. Keychain Access should launch and ask you for your export password. The certificate will then be imported into your keychain and immediately usable by Mail.app for the account that you specified in the e-mail field when you generated it.

9. Other odds and ends

When you sign your certificates with your CA openssl uses a default config file which can be found at /System/Library/OpenSSL/openssl.cnf. If you want to change any of the defaults go here. For example, certificates that you sign will only be valid for 1 year, unless you edit this file to change that.

Advertisements

Written by montanaflynn

February 7, 2008 at 5:10 pm

37 Responses

Subscribe to comments with RSS.

  1. Having read this I believed it was rather enlightening.

    I appreciate you taking the time and energy to put this informative
    article together. I once again find myself
    spending way too much time both reading and posting comments.
    But so what, it was still worth it!

    Kieran

    May 17, 2013 at 11:35 pm

  2. Have you ever considered publishing an e-book or guest authoring on other websites?
    I have a blog centered on the same information you discuss and would love to have you share some
    stories/information. I know my audience would enjoy your work.
    If you’re even remotely interested, feel free to send me an email.

    Sharron

    May 24, 2013 at 6:31 pm

  3. Thanks on your marvelous posting! I seriously enjoyed reading it, you may be
    a great author. I will be sure to bookmark your blog and may come back
    later on. I want to encourage continue your great job, have a nice
    day!

    Sherita

    May 26, 2013 at 12:03 pm

  4. Nice blog right here! Also your web site loads up very fast!
    What web host are you the use of? Can I get your
    associate hyperlink in your host? I desire my site loaded up as
    quickly as yours lol

    Janet

    May 31, 2013 at 1:42 pm

  5. Greetings! Very helpful advice within this article! It is the little changes that will make the largest changes.
    Many thanks for sharing!

    Nike Free Run

    June 8, 2013 at 2:23 pm

  6. We persuade our young people to use piggy financial institutions to conserve up for extraordinary buys like bicycles and
    sneakers, but then we do not ever look at having our
    very own first-rate help and advice and using the same implies to save for ourselves as
    grownups. But if any person necessities to help save, its the grown-ups, even increased than
    the youngsters, mainly because we are the types with the strained budgets and fantastic personal responsibilities and obligations to meet.
    Possibly we have to revisit the strategy of the piggy
    financial institution, to uncover out new tips to conquer the
    pressure and hardship of striving to help
    save moolah when it seems that every working day it gets to be an exceedingly
    increased challenging undertaking to accomplish.
    There are some ways to help you save that use the exact same premise,
    but in added advanced options. For instance, dollar charge averaging is put into
    use by traders to typical out the highs and lows of their inventory market holdings, so that on regular, they make way more hard earned cash than they would
    by attempting to time the ups and downs of the current market.

    This is carried out by getting yourself a established dollar amount
    of money of stock at typical intervals of time, irrespective of the total price
    of the inventory, and is most conveniently applied
    to shares of mutual funds, on the grounds that they can be purchased in dollar
    quantities that are sometimes simpler and easier to determine.
    For occasion, you can have your broker use $a hundred all thirty
    day period to fork over money for shares of a mutual fund.
    Some months you could possibly get ten shares for that price level, and other months youll
    get 8 or eleven shares. But around time, you will steadily strengthen your holdings, which improves your belongings in the identical way that socking away capital in a piggy lender functions.

    An additional application that applies the same exact principal is to use
    automated withdrawals and deposits that you can organize with your financial institution.
    Each individual time you get a paycheck, for instance, you can have a portion of it transferred
    to a retirement account of financial savings account. Most of the
    time you wont even detect that the capital is lacking, and you can unconsciously or at minimum subconsciously begin to save extra funds.

    These tactics of making use of piggybank philosophies to
    develop our revenue are strategically wise. Not only do they help us with the willpower of personal savings, but they also are inclined to do it in a way that is
    rather painless and does not will need the persistent anxiety of producing a
    acutely aware resolution about regardless of whether or not to save.
    czarter mazury czarter mazury

    czarter mazury

    June 16, 2013 at 4:58 pm

  7. Thanks for sharing your thoughts on tanie i skuteczne pozycjonowanie
    stron. Regards

    http://wxqgroup.pl

    June 18, 2013 at 3:45 pm

  8. You’re so interesting! I don’t think I have read
    a single thing like that before. So nice to discover
    another person with a few genuine thoughts on this subject.
    Seriously.. thanks for starting this up. This website
    is something that is needed on the web, someone with a bit
    of originality!

    Ralph Lauren Polo

    June 21, 2013 at 5:37 am

  9. Hi there i am kavin, its my first time to commenting anyplace, when i read this article i thought i
    could also make comment due to this good post.

    website

    July 3, 2013 at 9:21 pm

  10. My family always say that I am killing my time here at
    web, but I know I am getting know-how everyday by reading such fastidious content.

  11. Great items from you, man. I’ve remember your stuff previous to and you are simply too magnificent. I actually like what you’ve acquired here, really
    like what you are stating and the way in which through which you say
    it. You make it enjoyable and you still care for to stay it wise.
    I can’t wait to read far more from you. That is actually a tremendous website.

  12. whoah this weblog is wonderful i really like reading your posts.
    Stay up the good work! You realize, a lot of individuals
    are searching around for this info, you can help them greatly.

  13. I don’t know if it’s just me or if everyone else experiencing issues with your website.
    It appears as though some of the written text on your
    posts are running off the screen. Can somebody else please provide feedback and let me know if this is happening to them
    as well? This may be a issue with my browser because I’ve had this happen before. Thanks

  14. I blog quite often and I truly thank you for your content.
    This article has truly peaked my interest. I’m going to take a note of your website and keep checking for new details about once per week. I subscribed to your RSS feed as well.

  15. Hey! This is my first visit to your blog! We are a team
    of volunteers and starting a new project in a community in the same niche.
    Your blog provided us useful information
    to work on. You have done a extraordinary job!

    homepage

    July 4, 2013 at 1:02 am

  16. I’ve read some good stuff here. Certainly value bookmarking for revisiting. I wonder how so much attempt you put to create one of these magnificent informative web site.

  17. Hey There. I found your blog using msn. This is a very well written article.
    I will make sure to bookmark it and return to read more of your useful information.

    Thanks for the post. I will definitely comeback.

    webpage

    July 4, 2013 at 2:03 am

  18. Hi there mates, how is the whole thing, and what you wish for
    to say about this paragraph, in my view its in fact awesome in support
    of me.

  19. A person essentially help to make seriously posts I would state.
    This is the first time I frequented your web page and so far?

    I surprised with the analysis you made to make this actual publish extraordinary.
    Great job!

    bookmarking submissions

    July 30, 2013 at 1:12 am

  20. I am sure this post has touched all the internet visitors, its really really pleasant piece
    of writing on building up new webpage.

    hello unlimited

    August 2, 2013 at 9:15 am

  21. Whatever your specialty or favored photographic genre may be, photogenic scenes,
    people, places and ideas are all around you almost constantly.
    Grill a few minutes on each side, until very golden.
    url + ‘” class=”adline1_title_link” target=”_blank”>’ +.

    chicken salad recipe

    August 3, 2013 at 9:12 am

  22. Not listed as a separate part is a gasket in the bottom
    of each blade. Poach the chicken for 20 minutes or until firm when
    touched remove the pan from the heat, uncover, cool the chicken
    in the liquid for half an hour. 3 oysters is said to meet our daily zinc consumption recommendations.

    thedonovan.com

    September 5, 2013 at 1:29 pm

  23. Color results are instantaneous and non-damaging to the hair.

    You can try under your skin and the appearance of color to dress as a whole that is more flattering to be correct.
    This kind of ammonia is called liquid ammonia
    or aqueous ammonia. Some of the colors to stay away from include: orange, purple, yellow, pink and light spring looking colors.
    One of the best possible ways to prevent this problem is by taking good care of the
    hair.

    Www.haircolorgenerator.Org

    September 25, 2013 at 2:36 pm

  24. Hi there Dear, are you actually visiting this weeb site on a regular basis,
    if so then you will without doubt take pleasant knowledge.

    Leroy

    September 29, 2013 at 4:29 am

  25. Thanks for another magnificent post. Where else may
    just anybody get that type of info in such a perfect approach
    of writing? I’ve a presentation next week, and I’m on the search
    for such information.

  26. This is where you can check the names of the
    companies that you have send applications to.
    Mostt people only find out thgey are victim months after the creime
    happened. Alll yoour credit history is computer compiled and evaluated
    to determine yyour FICO credit rating.

  27. Thank you for the auspicious writeup. It if truth be told was once a enjoyment account it.
    Look complex to far delivered agreeable from you! By the way, how could we keep
    in touch?

    Stardollars hack

    December 10, 2013 at 11:03 pm

  28. Undeniably believe that which you stated. Your favorite reason appeared to be on the web the easiest
    thing to be aware of. I say to you, I certainly get annoyed while people
    consider worries that they plainly don’t know about.
    You managed to hit the nail upon the top and also defined out the whole thing without having side effect ,
    people can take a signal. Will probably be back to get more.

    Thanks

    escort agencies Abu Dhabi

    January 1, 2014 at 4:52 am

  29. When someone writes an paragraph he/she keeps the plan of a
    user in his/her mind that how a user can understand it.

    Thus that’s why this article is great. Thanks!

    youtube.com

    January 10, 2014 at 4:47 pm

  30. Any Questions Call 604-536-6813 or Email: noviorbis@telus.
    It facilitates the movement of toxic wastes through the digestive system and assists them in eliminating out from the body.

    As the process continues and your body becomes “cleaner,” it
    will become stronger and more efficient.

  31. magnificent points altogether, you simply won a brand new reader.
    What could you suggest about your submit that you just made some days in
    the past? Any positive?

    Beverly

    January 14, 2014 at 1:05 am

  32. What’s up to all, it’s genuinely a nice for me to pay
    a quick visit this web site, it includes precious Information.

    Kit

    February 16, 2014 at 8:54 pm

  33. Notice there was no shopping spree for mom listed there.
    Janet says her customers come from far and wide,
    with locals mainly coming in for maps. You can search for them over the internet and you would come across a wide
    range of the candy making recipes.

  34. I blog quite often and that I really appreciatee your information.

    This content has really peaked my interest. I’m going to take a
    note of your blog and keep cheking for choosing a new information
    regarding once per week. I subscribed to your Feed at the same time.

    dayz hacks for sale

    April 16, 2014 at 7:43 pm

  35. I was suggested this web site by my cousin. I’m not sure whether this post is
    written by him as no one else know such detailed about my problem.
    You are amazing! Thanks!

  36. What’s Going down i am new to this, I stumbled upon this I’ve discovered It positively helpful and it has helped me out loads.
    I hope to give a contribution & help other customers like its aided
    me. Great job.

    Fabian

    April 30, 2014 at 4:05 pm

  37. I used to be suggested this website by means of my cousin. I’m not
    certain whether or not this submit is written via him as nobody else realize such distinct approximately my trouble.
    You are incredible! Thanks!

    marketing article

    August 6, 2014 at 7:51 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: