Generate a host key
First, make a home for the new SSL files. I use /etc/apache2/ssl. Open up a terminal window, cd to the new directory and issue the following command to create a host key file.
sudo ssh-keygen -f host.key
Generate a certificate request file
This command creates a certificate request file. A certificate request file contains information about your organization that will be used in the SSL certificate.
sudo openssl req -new -key host.key -out request.csr
Create the SSL certificate
Create a self-signed SSL certificate using the request file.
sudo openssl x509 -req -days 365 -in request.csr -signkey host.key -out server.crt
Configure Apache
Create a backup of /etc/apache2/httpd.conf.
Append the contents of /etc/apache2/extra/httpd-ssl.conf to /etc/apache2/httpd.conf.
In /etc/apache2/httpd.conf, make sure the line that loads the SSL module is enabled (remove the leading #):
LoadModule ssl_module libexec/apache2/mod_ssl.so
Also, edit the SSL section to use the new certificate.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key
Check the config and restart Apache to try the new certificate.
sudo apachectl configtest
sudo apachectl restart
Thanks to the House of Ding and Matt Langtree for providing much of this solution.
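A check to run on the pair built in the steps above before restarting Apache, as an added example that is not part of the original post: it confirms that server.crt carries the public key of host.key, that the key file is not readable by group or others, and that the certificate is not about to expire. The function names are hypothetical, and make_demo_pair builds a constructed throwaway pair (with openssl genrsa and a placeholder subject) so the checks can be tried outside /etc/apache2/ssl.

```shell
#!/bin/sh
# Added example: sanity checks for the host.key / server.crt pair from the steps above.
# Function names are hypothetical; the demo pair is constructed, not taken from the page.

# 0 if the certificate carries the public key derived from the private key,
# 1 on mismatch, 2 if either file cannot be parsed (e.g. passphrase-protected key).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 only if group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed throwaway pair in directory $1, mirroring the tutorial's file names.
make_demo_pair() {
    openssl genrsa -out "$1/host.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/host.key" -subj "/CN=demo.invalid" \
        -out "$1/request.csr" &&
    openssl x509 -req -days 365 -in "$1/request.csr" \
        -signkey "$1/host.key" -out "$1/server.crt" 2>/dev/null
}

# Run every check on key $1 and certificate $2; non-zero if Apache should not be restarted.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1 (or a file is unreadable)"; rc=1; }
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group or others"; rc=1; }
    cert_valid_for_days "$2" 30 || echo "WARN: $2 expires within 30 days"
    return $rc
}

# When called with a key and a certificate path, check that pair.
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Saved under a name of your choice and run with sudo against /etc/apache2/ssl/host.key and /etc/apache2/ssl/server.crt, it prints nothing and exits 0 when the pair is consistent.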
The question appears to be specific to using X.509 for authentication to an IMAP service, which isn't supported by iOS. S/MIME email encryption and signatures can be performed on iOS, but the authentication to mail services will still use username/password over SSL or TLS.
Best Answer
Inspecting the certificate at https://www.intesasanpaolo.com, you can see that it uses the root certificate Chambers of Commerce Root - 2008. Upon inspecting the System Roots in Keychain Access on a Mac running Mac OS X Lion, this root certificate is trusted by the OS by default. This means that Safari should properly trust this website without prompting about an "Invalid SSL certificate".
I would first verify that you see this certificate in the System Roots and that it has not been accidentally set to Never Trust.
You can also securely obtain the root certificate used by this website at https://www.camerfirma.com/clavespublicas. You specifically need the certificate
Direct Link
When you open this certificate, you can select to install it to the System keychain. This should allow Safari to properly trust the SSL on that website.