I am well aware of how to install and set up SSL certificates in OS X Server, but that was not always the case. I am writing this how-to for those less experienced who may find this article helpful. There are two types of SSL certificates that you can use on your OS X Server. Self-signed certificates are created on the server and are not digitally verified by a third-party service. You can use these certificates to encrypt or secure your server's services, but you will ultimately confuse users due to the never-ending string of warnings about untrusted certificates. The second type of certificate requires a self-signed certificate as the base but then gets verified by a third-party service. We use GoDaddy for our certificates and they work pretty well; there are many other services out there that offer moderately priced certificate verification services that will offer a trusted connection. This type of certificate is transparent to the user and simply encrypts the data without any warning message.
What I struggled with for a while, as a System Administrator with little experience in the SSL realm, was that no matter how many ways I tried to install the certificate for use on my server, users would still get warnings saying that the certificate was not trusted. Through some trial and error and luck, I figured out the proper steps for making sure that all of your services and your users can use SSL without the heartache of untrusted warning messages. The steps to follow are simple:
- Create your Self Signed certificate in Server Admin.
- Generate a CSR (Certificate Signing Request).
- Submit the CSR to the SSL certificate authority.
- Import the returned signed certificate into your server.
- Import the returned intermediary certificate into your server.
- Configure Apache to work with your certificate.
- Restart and re-assign certificates to your services.
Step 1:
Launch Server Admin and select the hostname of the server that you are configuring. Choose the Certificate icon to display the “Default” self-signed certificate. You’ll need to edit this to something appropriate for your server. It’s important that you set the “Common Name” field to the fully qualified domain A-name of your server. Once you’ve edited your self-signed Default certificate, you next need to generate the CSR.
Step 2:
In the same pane in Server Admin is the little sprocket pull-down with the option to “Generate a Certificate Signing Request (CSR)…”. A window will pull down with a field to enter an email address. Don’t bother with this. Just drag the certificate icon to your desktop. Sitting on your desktop is a text clipping that looks like this:
-----BEGIN CERTIFICATE REQUEST-----
[...]
-----END CERTIFICATE REQUEST-----
Step 3:
Here is where you will actually purchase the certificate. Head over to GoDaddy or any other vendor that sells SSL certificates and enter your information. When it asks you for your CSR, enter the text in your text clipping. Be sure to include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines! Once your certificate request has been verified you will be ready to proceed to the next step.
Step 4:
Usually within a couple hours, you should get an email with your new SSL certificate. The email will come with instructions, but if you have a stock Snow Leopard Server, it might be better to do it “the Mac way” instead of using their generic Apache instructions.
Back in Server Admin, select that self-signed certificate you edited earlier in Step 1, go to that little sprocket thing again, and this time choose “Add Signed or Renewed Certificate from Certificate Authority…”. A window will drop down; drag and drop all of the .crt files you got from your SSL provider here. That’s your signed certificate. Server Admin will put all the parts where they belong.
Step 5:
Here is where most inexperienced Server Admins stop, but this is not the last step. The certificate is valid in Server Admin; however, it relies on the Keychain in the OS X Server to validate requests. Open Keychain Access and you’ll see that it says (in red letters) “This certificate was signed by an unknown authority.” You need to add the intermediary certificate to your server. To do so, double-click on the gd_intermediate.crt file and it should automatically update that certificate to a nice green color and render it as valid.
Step 6:
Now that you have Server Admin configured and the Keychain is happy, you need to add the gd_bundle.crt file and configure Apache. This is less daunting than you might think. You should get a gd_bundle.crt file when you purchase your certificate. If you have a .crt file that has the word “Bundle” somewhere in its name, then this is the file you need to use. Copy this file to the /etc/apache2/ folder on your server. You will need to copy it as root! If your file is named gd_bundle.crt, then copy it over the one that already exists on your server. Once done, you're finished with this step.
If your file is not named this way, then copy the file into your /etc/apache2/ folder, edit the httpd.conf file located there and update the SSLCertificateChainFile path, as shown below:
<IfModule mod_ssl.c>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLPassPhraseDialog exec:/etc/apache2/getsslpassphrase
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/log/apache2/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert crt
AddType application/x-pkcs7-crl crl
SSLCertificateChainFile /etc/apache2/the_name_of_your_ssl_bundle_file.crt
</IfModule>
After saving httpd.conf, test your Apache 2.2 configuration file by running this command:
bash-3.2# apachectl -t
Syntax OK
Step 7:
This last step is the one that had me banging my head against a wall for the longest time. You must restart your server once done, then go through all of the services running on your server and un-assign, save, and then re-assign and save the SSL certificates you need. This is the only way that I was able to get my Mail service and Web services (web sites) working with SSL consistently. Once done, another restart does not hurt. Test and verify that everything is working.
I really hope that you find this walkthrough useful. If you did, please leave a comment below, post a question, or suggest a better, easier or different way to manage and install SSL certificates on an OS X Server.
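The "not trusted" warning that Steps 5 and 6 cure can be reproduced and checked from the command line. The script below is an added example, not part of the original walkthrough: it builds a throwaway root CA, intermediate CA and server CSR with openssl (the CA names, the hostname mail.example.com and all file names are constructed), reads the Common Name back out of the CSR as you would before submitting it, and verifies the signed certificate with and without the intermediate.

```shell
#!/bin/sh
# Added example. Everything here is constructed: demo CAs, hostname, file names.
set -eu

# Build root CA -> intermediate CA -> server certificate inside directory $1.
build_demo_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: stands in for a root that clients already trust.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt
  # Intermediate CA: plays the role of the intermediate/bundle file.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt
  # Server key and CSR (Steps 1-2); the private key stays on the server.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout server.key -out server.csr
  # The CA signs the CSR and returns the certificate (Steps 3-4).
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -out server.crt
) >/dev/null 2>&1

# Print the Common Name inside a CSR, to check it before sending it to the CA.
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# usage: chain_status ROOT LEAF [INTERMEDIATE]
# -untrusted models an intermediate supplied alongside the server certificate.
chain_status() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
build_demo_pki "$demo"
echo "CSR common name:      $(csr_common_name "$demo/server.csr")"
echo "without intermediate: $(chain_status "$demo/root.crt" "$demo/server.crt")"
echo "with intermediate:    $(chain_status "$demo/root.crt" "$demo/server.crt" "$demo/int.crt")"
```

The same csr_common_name and chain_status checks can be pointed at a real CSR, signed certificate and CA-supplied intermediate file in place of the demo files.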