MacOS – How to get com.apple.servermgrd to use a non-self-signed SSL certificate

Tags: certificate, keychain, macos, server.app, ssl

I have received a valid SSL certificate for my Mountain Lion Server (10.8.2 Build 12C3104) and have installed that cert for use by all services (and SSL and other services do not pop up the "Verify Certificate" dialog) – only Server seems to be still using a self-signed cert.

Each time I connect remotely using Server App 2.2.1 (169) as follows:

Verify Certificate --- *Server can't verify the identity of the server* You're connecting to a server whose identity certificate isn't valid. It could be a Mac server with a self-signed certificate. It also might be a server that's pretending to be ... which could put your confidential information at risk. Would you like to connect to the server anyway?

Did I miss a step where I need to install a different cert for com.apple.servermgrd to use or do I need a second configuration step past making the current certificate selected in Server app and rebooting the server? I'd rather use a valid certificate to authenticate rather than have to "always trust" this self-signed cert when connecting to manage my server.

Best Answer

Apple KB article HT3930 explains how to configure SSL for servermgrd, the Server Admin web interface.

It applies to Mac OS X Server 10.6, so until Apple updates this article, part of the steps are confusing / obsolete.

Luckily, on Mountain Lion Server (10.8) servermgrd's certificate is stored in the same location as on Mac OS X Server Snow Leopard: in the System keychain of Applications>Utilities>Keychain Access.

Here is what is needed on Mountain Lion (taken from the article):

  1. While logged into the OS X where Server is set up to run services, open Keychain Access.
  2. Select the System keychain.
  3. Double-click the com.apple.servermgrd identity preference.

  4. Select your valid SSL certificate. You will have to import your SSL certificate first as explained in KB article PH7297.

  5. Authenticate as an administrator if prompted.
  6. As root, restart servermgrd for the changes in Keychain Access to take effect with this Terminal command: sudo killall servermgrd (authenticate with your administrator password if prompted).
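
Added example, not part of the original answer: a way to confirm after the restart which certificate servermgrd actually presents, by comparing the subject and issuer of the served certificate. It assumes servermgrd listens on TCP port 311 and uses the placeholder host name server.example.com; neither is stated on the page, and subject equal to issuer is only a heuristic for "self-signed".

```shell
#!/bin/sh
# Added example: check which certificate a TLS service presents.
# Assumptions (not from the page): servermgrd on TCP port 311,
# placeholder host name server.example.com.

# Print the leaf certificate (PEM) that host:port presents in the TLS handshake.
fetch_cert() {
    openssl s_client -connect "$1:${2:-311}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print one name field ("subject" or "issuer") of a PEM file, without the
# "subject=" / "issuer=" label, so both fields can be compared directly.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed -e "s/^$2=//" -e 's/^ *//'
}

# Return 0 when subject and issuer are identical (self-issued certificate).
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]
}

# Print "self-signed" or "ca-issued" for a PEM file.
classify_cert() {
    if is_self_signed "$1"; then echo "self-signed"; else echo "ca-issued"; fi
}

# With a host argument, check that server; with none, only define the functions.
#   sh check_cert.sh server.example.com 311
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) && fetch_cert "$1" "${2:-311}" > "$tmp" && {
        classify_cert "$tmp"
        openssl x509 -in "$tmp" -noout -subject -issuer -enddate
    }
    rm -f "$tmp"
fi
```

If the output is still "self-signed" after step 6, the identity preference is still pointing at the old certificate or servermgrd was not restarted.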