MacOS – servermgrd certificate in Yosemite server chain of trust

Tags: certificate, keychain, macos, osx-server, security

I am setting up a file server in Yosemite and am trying to remove vulnerabilities so my organization's IT dept will approve. I acquired a trusted SSL certificate and installed it with all of the intermediates to complete the chain of trust.

The IT dept's vulnerability scan showed that port 311 was using a self-signed certificate. I then used Keychain to switch the servermgrd identity to use the correct certificate, as explained in "How do I get com.apple.servermgrd to use a non-self-signed SSL certificate?".

Now the vulnerability scan no longer shows the self-signed certificate being used for port 311 – good – but it still reports the certificate as being untrusted. The trust chain is intact for the server domain, but not for servermgrd. Also, the servermgrd certificate in Keychain still shows the wrong private key, even though the servermgrd identity is using the correct cert.

Anyone know how to address this? Could this require different intermediate certs than the server itself? Should the servermgrd certificate that is using the wrong private key be replaced?

Best Answer

servermgrd looks up the certificate it uses for port 311 via an identity preference named "com.apple.servermgrd". By default, the preference points to the self-signed "com.apple.servermgrd" identity cert. After you change the preference you can remove the old self-signed cert without causing any harm. But you must make sure that the access control list (ACL) on the private key of the certificate that you want servermgrd to use allows servermgrd access.

If servermgrd cannot access the private key, it will delete the preference and create a new self-signed identity and set a new preference to point to the newly created identity cert.
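The checks below are an added example, not part of the question or the accepted answer. They cover the two things the thread turns on: whether the listener on port 311 presents a chain a scanner can verify back to a trusted root, and whether a given private key really belongs to the certificate. The live `inspect_servermgrd` function assumes a macOS host with the `security` and `openssl` CLIs; `demo_chain_check` runs anywhere `openssl` is installed, using a constructed root, intermediate and leaf rather than any real certificate. The hostname `server.example.test` and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): chain-of-trust and key/cert checks
# for the certificate a service such as servermgrd presents on port 311.
# Assumes POSIX sh with the openssl CLI; the macOS-only step uses the real
# `security get-identity-preference` subcommand.

# Live check on the macOS host: which identity preference servermgrd resolves,
# what leaf the listener on port 311 serves, and how many certificates it sends.
# A count of 1 means no intermediates are presented, which scanners flag as untrusted.
inspect_servermgrd() {
  host="${1:-localhost}"
  security get-identity-preference -s com.apple.servermgrd -c 2>/dev/null \
    || echo "no com.apple.servermgrd identity preference found"
  chain=$(openssl s_client -connect "$host:311" -servername "$host" -showcerts </dev/null 2>/dev/null)
  printf '%s\n' "$chain" | openssl x509 -noout -subject -issuer
  printf 'certificates presented: %s\n' "$(printf '%s\n' "$chain" | grep -c 'BEGIN CERTIFICATE')"
}

# Does the private key actually belong to the certificate? Compares the public
# key derived from each. Returns 0 on a match, 1 otherwise.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Does the leaf verify against the trusted root, given only the intermediate the
# server sends? This mirrors what a scanner does: the root is trusted, the
# intermediate counts only if presented. Exit status is openssl's (0 = trusted).
verify_chain() {
  root="$1"; leaf="$2"; shift 2
  if [ $# -gt 0 ]; then
    openssl verify -CAfile "$root" -untrusted "$1" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# Offline demonstration with a constructed root -> intermediate -> leaf PKI:
# the leaf is untrusted when the intermediate is missing and trusted once it is
# supplied, and the leaf's own key is told apart from a wrong key.
# Returns 0 when all four expectations hold.
demo_chain_check() {
  d=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Demo Root" -days 2 >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Intermediate" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/int.pem" -days 2 >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=server.example.test" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/leaf.pem" -days 2 >/dev/null 2>&1 || return 1

  bad=0
  verify_chain "$d/root.pem" "$d/leaf.pem" && bad=1                # must fail: intermediate absent
  verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem" || bad=1   # must succeed with intermediate
  key_matches_cert "$d/leaf.pem" "$d/leaf.key" || bad=1            # correct key is accepted
  key_matches_cert "$d/leaf.pem" "$d/int.key" && bad=1             # wrong key is rejected
  rm -rf "$d"
  return $bad
}
```

On the server itself, `inspect_servermgrd` run against the host in the scan report shows directly whether port 311 sends only the leaf; `key_matches_cert` against the exported leaf and the key Keychain associates with it answers the "wrong private key" question without guessing from the Keychain Access display.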