Mac OS X Panther Server and SSL
by Joel Rennich, mactroll@afp548.com
The purpose of this article is to give you an idea of what you can do with SSL in Mac OS X Server and how you can use that to secure as many services as possible. So, first we’ll talk some about SSL in general and how to create the certificates, then we’ll discuss what to do with those certificates.
SSL certificate creation
Before we start I’d like to point out that we are going to be creating home-rolled SSL certificates here. As such you will run into problems when connecting to your Server using applications like a Web browser. Most applications will allow you to ignore the fact that your certificate hasn’t been validated by one of the internationally recognized certificate authorities, but it’s still a pain.
I’ll show you how to get around that by importing in your own certificate authority onto your client machines. This presumes that you have control over all of your clients, so for internal use where you control both the server and the client setups being your own certificate authority is great. If you plan on doing business with the general public, such as using it for credit card processing on a Web page, I would strongly recommend that you invest the money in a “real” certificate.
If you do buy one at least take a look at www.qualityssl.com. They have really good prices and are Mac-based, so you can keep it in the family.
Also all of the openSSL work, such as generating and signing certificates, can be done on Mac OS X client.
1. Make a certificate authority (CA).
This should be done in a secure place, since if your CA gets compromised then all of your security goes out the window. A decent place for this would be on your most secure server or on your own machine.
It doesn’t matter where on the filesystem you do this; however, I personally prefer to create a CA directory in /etc:
sudo mkdir -p /etc/certs cd /etc/certs
Right now this folder has fairly relaxed permissions on it. As soon as were done we’ll change that to greatly limit access to the folder. Now that we have our place we need to begin generatng the CA. We do this by making a certificate signing request (CSR). This example will generate a 3DES encrypted 2048 bit key. This is a rather high security key which means it takes longer to process. So if you feel the need you can scale it down to 1024 bits if you like. Although I haven’t had any problems using this with Mac OS X 10.2 and Windows 2000.
openssl genrsa -des3 -out ca.key 2048
You will be asked for a passphrase for this key. You need to both remember this phrase and keep it secure. Your entire SSL system will depend on this passphrase being secure.
Now that you have the request you can sign it into a CA.
openssl req -new -x509 -days 4096 -key ca.key -out ca.crt
You’ll be asked for the passphrase that you just set up. After that your certificate authority will be valid for 4096 days.
You now have a full blown certificate authority for your machine. From this we will base all of your other certificates from it.
2. Generate a certificate for your server.
You will need one for each domain that you have; i.e., mail.afp548.com and http://www.afp548.com will each need one if you want to secure both sites.
So first we will generate a new private key.
openssl genrsa -des3 -out server.key 1024
You will be prompted for a password here also. This should be different from the password for the CA. Just remember it because you will need to enter it into Server Admin to get SSL running.
Now you need to generate a request with the private key.
openssl req -new -key server.key -out server.csr
Again you will be asked for a password. This is the one you entered in the step above. Then you will get a bunch of questions. They all really don’t matter except for common name. This needs to be the fully qualified name of your Web server, like http://www.afp548.com. If this is wrong you will get errors in the browser. Also: leave the challenge password blank.
Now we need to set up a few folders so that we can actually sign the certificate.
mkdir -p demoCA/private
cp ca.key demoCA/private/cakey.pem
cp ca.crt demoCA/cacert.pem
mkdir demoCA/newcerts
touch demoCA/index.txt
echo “01” > demoCA/serial
You can now actually sign the server certificate with your newly minted CA.
openssl ca -policy policy_anything -in server.csr -out server.crt
The password you are prompted for is the password you assigned to the CA, the first one, not to the certificate itself. If you need to create more certificates you will only need to do the last three steps for each.
Finally to keep things secret and to keep things safe, change the permissions on this folder.
sudo chmod 700 /etc/certs
Now you can take all of your pieces and make the sites secure.
3. Securing your web site.
Go into Server Admin and make sure that the SSL module is enabled in the modules pane under settings.
Then go to the site that you want to secure. Change the port to 443, click on the security button, and enable SSL by checking the box at the top. Then you need to open up some of the files that you have created in TextEdit, or any text editor, and copy and paste them into the three appropriate spots. Copy server.crt into “Certificate File.” Copy server.key into “Key File,” and copy ca.crt into “CA File.”
Finally, you’ll want to enter the passphrase for the server certificate into the “Pass Phrase” field or else you’ll have to be at the server everytime it starts up.
A few parting thoughts about securing Web connections. You will need a separate IP address for every SSL site that you have. There’s a complicated reason for this, but it involves how SSL connections begin and I don’t know of any way around this. In 10.2 you had to edit the httpd_macosxserver.conf file to get higher level encryption. This requirement seems to be gone in 10.3 as it defaults to using all ciphers.
When you are done your certificates will be stored in /etc/httpd/ssl.crt and /etc/httpd/ssl.key. Your site’s specific config is stashed in /etc/httpd/sites/your site’s name. So look in there for any specific info. Also the passphrase that you used is stashed in /etc/httpd/servermgr_web_httpd_config.plist, which is root-readable only.
4. Securing LDAP
We run into a bit of a problem here. OpenLDAP doesn’t like a server key that has a passpharse associated with it. Postfix and Cyrus are going to be the same way. So remove the passphrase.
openssl rsa -in server.key -out serverno.key
Now go back into Server Admin. Select the Open Directory settings and go to the “Protocols” tab. Check the “Use SSL” box and then put the path to your certificates in the three fields.
Certificate: /etc/certs/server.crt SSL Key: /etc/certs/serverno.key CA Certificate: /etc/certs/ca.crt
OpenSSL runs as root, so it will be able to get into /etc/certs without any issues. As soon as you save this config Server Admin will restart OpenLDAP with SSL support.
The SSL configuration for OpenLDAP is stored in /etc/openldap/slapd_macosxserver.conf.
5. Securing SMTP
Postfix can be setup to use the same certificate as the one you established for openLDAP. However, it wants to have both the key and the certificate in the same file. This is easily done.
sudo cat /etc/certs/serverno.key /etc/certs/server.crt > /etc/certs/server.pem
Now link that file to what Postfix is looking for.
ln -s /etc/certs/server.pem /etc/postfix/
Now reload Postfix through the GUI or by doing this from the command line.
sudo postfix reload
And start using encrypted SMTP services.
The SSL configuration for Postfix is kept in /etc/postfix/main.cf.
6. Securing POP/IMAP
Cyrus can use the same certificate as Postfix, but it needs to be accessible by the cyrus user. That requires relaxing the permission a bit on the certificate store.
sudo chown :mail /etc/certs sudo chmod 750 /etc/certs sudo chmod -R 700 /etc/certs/demoCA
Now you can link the server.pem file into where Cyrus POP and IMAP want to find it.
ln -s /etc/certs/server.pem /var/imap/server.pem
Now go into Server Admin and set up POP/IMAP to use SSL in the Advanced button of the Mail Server settings.
Set your mail client accordingly and securely read your mail.
The SSL configuration for Cyrus is stored in /etc/imap.conf.
7. Enable your clients
Since your CA is self-signed all of your Mac OS X applications and services will yell at you for using it. You can get around this by adding the cert to the client’s x509 Anchors keychain. Essentially this is the root CA file for your machine.
Do this by copying over to the client machine the ca.crt file that you created in the first step. Then install it by doing
sudo certtool i ca.crt v k=/System/Library/Keychains/x509Anchors
Your client will now trust certificates that you have signed into being with this CA. If you do this right, you’ll use the same CA for all of your servers and their services. That way you’ll only have to import one file into the clients x509Anchors.
8. E-mail certs
This bit is for bonus points, but all the cool kids are doing it and so should you. Mail.app in 10.3 allows the use of s/mime certificates. These are PKI certificates that act similar to SSL certificates and can sign and or encrypt e-mail.
The easiest way for a personal user to get a certificate is to head over to www.thawte.com and sign up for their free community mail certificate. Really good instructions for this can be found here:
However, if for some reason you feel like making your own, read on. Note that this is mostly an exercise in what you can do with OpenSSL. Since the Thawte certificates are free and easily available you’re probably better off using them. However, if you want to outfit your entire organization with home rolled certificates, well here you go. Just be careful to only use this between users that have imported your root CA that you created.
To do this you need to first generate a certificate for your e-mail user. This is pretty much the same thing as generating one for a server.
openssl genrsa -des3 -out mail.key 1024
Give it a pass phrase to lock it up.
openssl req -new -key mail.key -out mail.csr
Here, you’ll want to use your real name for the Common Name. Joel Rennich is what I would use. Then make sure that you fill out the e-mail field with what you have set up in Mail.app as your e-mail address. Capitalization is important here. I would use “mactroll@afp548.com”.
Now sign this cert with your CA.
openssl ca -policy policy_anything -in mail.csr -out mail.crt
You’ll enter in your CA password and then commit the signature.
Finally you can convert the signed certificate into the format that is used for s/mime. When you do this it will first ask you for your mail certificate password that you set up a few commands before. Then it will ask you for an export password. This can be the same of different, it doesn’t matter, but you will need to use the export password when importing this certificate into your Keychain so you can use it with mail.
openssl pkcs12 -export -inkey mail.key -certfile mail.crt -in mail.crt -out mactroll.p12
This is your “official” e-mail certificate. Copy this over to your client machine and double-click. Keychain Access should launch and ask you for your export password. The certificate will then be imported into your keychain and immediately usable by Mail.app for the account that you specified in the e-mail field when you generated it.
9. Other odds and ends
When you sign your certificates with your CA openssl uses a default config file which can be found at /System/Library/OpenSSL/openssl.cnf. If you want to change any of the defaults go here. For example, certificates that you sign will only be valid for 1 year, unless you edit this file to change that.
OS X hosting, Xserves, Mac Minis, G4's, G5s 
Having read this I believed it was rather enlightening.
I appreciate you taking the time and energy to put this informative
article together. I once again find myself
spending way too much time both reading and posting comments.
But so what, it was still worth it!
Kieran
May 17, 2013 at 11:35 pm
Have you ever considered publishing an e-book or guest authoring on other websites?
I have a blog centered on the same information you discuss and would love to have you share some
stories/information. I know my audience would enjoy your work.
If you’re even remotely interested, feel free to send me an email.
Sharron
May 24, 2013 at 6:31 pm
Thanks on your marvelous posting! I seriously enjoyed reading it, you may be
a great author. I will be sure to bookmark your blog and may come back
later on. I want to encourage continue your great job, have a nice
day!
Sherita
May 26, 2013 at 12:03 pm
Nice blog right here! Also your web site loads up very fast!
What web host are you the use of? Can I get your
associate hyperlink in your host? I desire my site loaded up as
quickly as yours lol
Janet
May 31, 2013 at 1:42 pm
Greetings! Very helpful advice within this article! It is the little changes that will make the largest changes.
Many thanks for sharing!
Nike Free Run
June 8, 2013 at 2:23 pm
We persuade our young people to use piggy financial institutions to conserve up for extraordinary buys like bicycles and
sneakers, but then we do not ever look at having our
very own first-rate help and advice and using the same implies to save for ourselves as
grownups. But if any person necessities to help save, its the grown-ups, even increased than
the youngsters, mainly because we are the types with the strained budgets and fantastic personal responsibilities and obligations to meet.
Possibly we have to revisit the strategy of the piggy
financial institution, to uncover out new tips to conquer the
pressure and hardship of striving to help
save moolah when it seems that every working day it gets to be an exceedingly
increased challenging undertaking to accomplish.
There are some ways to help you save that use the exact same premise,
but in added advanced options. For instance, dollar charge averaging is put into
use by traders to typical out the highs and lows of their inventory market holdings, so that on regular, they make way more hard earned cash than they would
by attempting to time the ups and downs of the current market.
This is carried out by getting yourself a established dollar amount
of money of stock at typical intervals of time, irrespective of the total price
of the inventory, and is most conveniently applied
to shares of mutual funds, on the grounds that they can be purchased in dollar
quantities that are sometimes simpler and easier to determine.
For occasion, you can have your broker use $a hundred all thirty
day period to fork over money for shares of a mutual fund.
Some months you could possibly get ten shares for that price level, and other months youll
get 8 or eleven shares. But around time, you will steadily strengthen your holdings, which improves your belongings in the identical way that socking away capital in a piggy lender functions.
An additional application that applies the same exact principal is to use
automated withdrawals and deposits that you can organize with your financial institution.
Each individual time you get a paycheck, for instance, you can have a portion of it transferred
to a retirement account of financial savings account. Most of the
time you wont even detect that the capital is lacking, and you can unconsciously or at minimum subconsciously begin to save extra funds.
These tactics of making use of piggybank philosophies to
develop our revenue are strategically wise. Not only do they help us with the willpower of personal savings, but they also are inclined to do it in a way that is
rather painless and does not will need the persistent anxiety of producing a
acutely aware resolution about regardless of whether or not to save.
czarter mazury czarter mazury
czarter mazury
June 16, 2013 at 4:58 pm
Thanks for sharing your thoughts on tanie i skuteczne pozycjonowanie
stron. Regards
http://wxqgroup.pl
June 18, 2013 at 3:45 pm
You’re so interesting! I don’t think I have read
a single thing like that before. So nice to discover
another person with a few genuine thoughts on this subject.
Seriously.. thanks for starting this up. This website
is something that is needed on the web, someone with a bit
of originality!
Ralph Lauren Polo
June 21, 2013 at 5:37 am
Hi there i am kavin, its my first time to commenting anyplace, when i read this article i thought i
could also make comment due to this good post.
website
July 3, 2013 at 9:21 pm
My family always say that I am killing my time here at
web, but I know I am getting know-how everyday by reading such fastidious content.
disney strollers and car seats
July 3, 2013 at 9:23 pm
Great items from you, man. I’ve remember your stuff previous to and you are simply too magnificent. I actually like what you’ve acquired here, really
like what you are stating and the way in which through which you say
it. You make it enjoyable and you still care for to stay it wise.
I can’t wait to read far more from you. That is actually a tremendous website.
ellipticals for sale utah
July 3, 2013 at 9:24 pm
whoah this weblog is wonderful i really like reading your posts.
Stay up the good work! You realize, a lot of individuals
are searching around for this info, you can help them greatly.
body solid home gym workout routine
July 3, 2013 at 9:28 pm
I don’t know if it’s just me or if everyone else experiencing issues with your website.
It appears as though some of the written text on your
posts are running off the screen. Can somebody else please provide feedback and let me know if this is happening to them
as well? This may be a issue with my browser because I’ve had this happen before. Thanks
best portable air conditioners
July 3, 2013 at 9:40 pm
I blog quite often and I truly thank you for your content.
This article has truly peaked my interest. I’m going to take a note of your website and keep checking for new details about once per week. I subscribed to your RSS feed as well.
strollers for toddlers over 50lbs
July 3, 2013 at 11:56 pm
Hey! This is my first visit to your blog! We are a team
of volunteers and starting a new project in a community in the same niche.
Your blog provided us useful information
to work on. You have done a extraordinary job!
homepage
July 4, 2013 at 1:02 am
I’ve read some good stuff here. Certainly value bookmarking for revisiting. I wonder how so much attempt you put to create one of these magnificent informative web site.
powered riding toys for girls
July 4, 2013 at 1:51 am
Hey There. I found your blog using msn. This is a very well written article.
I will make sure to bookmark it and return to read more of your useful information.
Thanks for the post. I will definitely comeback.
webpage
July 4, 2013 at 2:03 am
Hi there mates, how is the whole thing, and what you wish for
to say about this paragraph, in my view its in fact awesome in support
of me.
new payday loan lenders
July 20, 2013 at 12:02 pm
A person essentially help to make seriously posts I would state.
This is the first time I frequented your web page and so far?
I surprised with the analysis you made to make this actual publish extraordinary.
Great job!
bookmarking submissions
July 30, 2013 at 1:12 am
I am sure this post has touched all the internet visitors, its really really pleasant piece
of writing on building up new webpage.
hello unlimited
August 2, 2013 at 9:15 am
Whatever your specialty or favored photographic genre may be, photogenic scenes,
people, places and ideas are all around you almost constantly.
Grill a few minutes on each side, until very golden.
url + ‘” class=”adline1_title_link” target=”_blank”>’ +.
chicken salad recipe
August 3, 2013 at 9:12 am
Not listed as a separate part is a gasket in the bottom
of each blade. Poach the chicken for 20 minutes or until firm when
touched remove the pan from the heat, uncover, cool the chicken
in the liquid for half an hour. 3 oysters is said to meet our daily zinc consumption recommendations.
thedonovan.com
September 5, 2013 at 1:29 pm
Color results are instantaneous and non-damaging to the hair.
You can try under your skin and the appearance of color to dress as a whole that is more flattering to be correct.
This kind of ammonia is called liquid ammonia
or aqueous ammonia. Some of the colors to stay away from include: orange, purple, yellow, pink and light spring looking colors.
One of the best possible ways to prevent this problem is by taking good care of the
hair.
Www.haircolorgenerator.Org
September 25, 2013 at 2:36 pm
Hi there Dear, are you actually visiting this weeb site on a regular basis,
if so then you will without doubt take pleasant knowledge.
Leroy
September 29, 2013 at 4:29 am
Thanks for another magnificent post. Where else may
just anybody get that type of info in such a perfect approach
of writing? I’ve a presentation next week, and I’m on the search
for such information.
Download battlefield 4 multiplayer crack
November 24, 2013 at 7:56 pm
This is where you can check the names of the
companies that you have send applications to.
Mostt people only find out thgey are victim months after the creime
happened. Alll yoour credit history is computer compiled and evaluated
to determine yyour FICO credit rating.
which free credit report is really free
December 10, 2013 at 6:38 am
Thank you for the auspicious writeup. It if truth be told was once a enjoyment account it.
Look complex to far delivered agreeable from you! By the way, how could we keep
in touch?
Stardollars hack
December 10, 2013 at 11:03 pm
Undeniably believe that which you stated. Your favorite reason appeared to be on the web the easiest
thing to be aware of. I say to you, I certainly get annoyed while people
consider worries that they plainly don’t know about.
You managed to hit the nail upon the top and also defined out the whole thing without having side effect ,
people can take a signal. Will probably be back to get more.
Thanks
escort agencies Abu Dhabi
January 1, 2014 at 4:52 am
When someone writes an paragraph he/she keeps the plan of a
user in his/her mind that how a user can understand it.
Thus that’s why this article is great. Thanks!
youtube.com
January 10, 2014 at 4:47 pm
Any Questions Call 604-536-6813 or Email: noviorbis@telus.
It facilitates the movement of toxic wastes through the digestive system and assists them in eliminating out from the body.
As the process continues and your body becomes “cleaner,” it
will become stronger and more efficient.
Total Wellenss Cleanse Review
January 13, 2014 at 3:28 am
magnificent points altogether, you simply won a brand new reader.
What could you suggest about your submit that you just made some days in
the past? Any positive?
Beverly
January 14, 2014 at 1:05 am
What’s up to all, it’s genuinely a nice for me to pay
a quick visit this web site, it includes precious Information.
Kit
February 16, 2014 at 8:54 pm
Notice there was no shopping spree for mom listed there.
Janet says her customers come from far and wide,
with locals mainly coming in for maps. You can search for them over the internet and you would come across a wide
range of the candy making recipes.
boutique de bonbons artisanaux
March 10, 2014 at 11:15 am
I blog quite often and that I really appreciatee your information.
This content has really peaked my interest. I’m going to take a
note of your blog and keep cheking for choosing a new information
regarding once per week. I subscribed to your Feed at the same time.
dayz hacks for sale
April 16, 2014 at 7:43 pm
I was suggested this web site by my cousin. I’m not sure whether this post is
written by him as no one else know such detailed about my problem.
You are amazing! Thanks!
best web hosting insurance company for small business
April 22, 2014 at 6:58 am
What’s Going down i am new to this, I stumbled upon this I’ve discovered It positively helpful and it has helped me out loads.
I hope to give a contribution & help other customers like its aided
me. Great job.
Fabian
April 30, 2014 at 4:05 pm
I used to be suggested this website by means of my cousin. I’m not
certain whether or not this submit is written via him as nobody else realize such distinct approximately my trouble.
You are incredible! Thanks!
marketing article
August 6, 2014 at 7:51 pm