Adding a custom SSL Certificate
We have a private SSL CA which is used internally for things like code signing and providing SSL for our mail and private web servers. Unfortunately, this means that certain interface-challenged applications like OS X's Mail.app won't connect using SSL because they don't trust the certificate. Additionally, apps which might allow you to continue tend to display very scary messages, which results in a lot of questions with multiple users on the same machine.

The certificate store is in: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/Resources/RootCerts.pem

Appending the PEM-format certificate to the end of this file will fix this problem. Note that this requires root and, as always, you should double-check everything before hitting enter. In particular, if you use cat, make sure that you don't overwrite the file by using > instead of >>. If your certificate isn't in PEM format (mine was DER), you can convert it with OpenSSL. First test with:
openssl x509 -in my-cert.cer -inform DER -text
If that displays the expected info, then:
openssl x509 -in my-cert.cer -inform DER -out my-cert.pem -outform PEM
[Editor's note: I have not tried to test this as it would first require creating my own SSL certificate ... and I wouldn't know where to start with that task!]
11 comments
Creating one's own SSL certificate.
Authored by: monkey on Feb 24, '02 01:01:50PM

The FAQ section on the Apache-SSL web site has a brief walk-through on creating your own 'test' certificate: http://www.apache-ssl.org/#FAQ

SSL at afp548
Authored by: JohnnyMnemonic on Feb 24, '02 03:05:38PM

AFP 548 has an article on creating your own SSL certificate. The article is under /Articles/The Web. Give www.afp548.com a look -- a new resource for OS X Server related information.

Are you sure everything is ok?
Authored by: etwoy on Feb 25, '02 04:41:58PM
As I'm doing this exact thing, and Mail.app has no problem with it whatsoever... Did you make yourself a Certificate Authority certificate as well? This is necessary for a proper self-signed certificate... Does the name defined in the certificate match the name by which you are contacting the server?

In my experience, it's only Internet Explorer and Entourage/OE that have problems with self-signed certificates on Macs, as they (unlike most browsers) have no facility to directly add a CA to your list of CAs. To get around this, you can either:

* From the CLI, export your CA certificate in DER format, then put it on a website.

* Using IE on a PC, access a website running on the box with your self-signed certificate, and you will be prompted to examine the certificate and asked whether to add it to the list of trusted CAs. In the middle of this process, you can choose to export the certificate for the CA in DER format. Put this on a website.

Once you've done one of these (the second way is easier, but requires a web server with SSL running on the box; the former is a bit more difficult to work out the correct syntax), access the website where you have put the DER certificate using Internet Explorer. You will then be prompted whether you wish to trust the new Certificate Authority or not. (For an example, look at one of my certificates.) Once you've done this, Entourage/OE will trust your CA and you can run an SSL connection without complaints.

As I said at the beginning, Mail.app seems to have no problems with a self-signed certificate in my environment. Other browsers also will prompt you as to whether you wish to add the CA, but IE is kind of braindead and you have to do it in this roundabout manner...

Are you sure everything is ok?
Authored by: etwoy on Feb 25, '02 04:52:07PM

btw, for clicking on that link to one of my certificates, do it with IE. Omniweb doesn't seem to work, but also has no problems connecting to a self-signed certificate SSL site.

Are you sure everything is ok?
Authored by: acdha on Feb 25, '02 05:24:05PM
> Did you make yourself a Certificate Authority certificate as well? This is necessary for a proper self-signed certificate...

Yes - the CA key is what I added to my store, as we use it to sign keys for a bunch of internal stuff we don't feel like paying Verisign to use.

> Does the name defined in the certificate match the name by which you are contacting the server?

Yes - I issued those servers certificates which match the CNAME they're accessed by. And yes, IE/OE are a pain in the ass to add the certificate to (even worse than Eudora, which just quietly gives up). When I get some spare time, I want to find where IE hides its certificates and write a little installer to add our certificates there.

Are you sure everything is ok?
Authored by: etwoy on Feb 26, '02 02:48:55AM

Well, I dunno what's going wrong with Mail.app in your case then. I've just got a stock standard 10.1.3 install on my laptop (hosed it by installing too much stuff from Darwin CVS... :( ), and from watching my logs, the SSL connection gets negotiated just fine...

My config is UW-imapd running under an stunnel on a 10.1.2 box, btw. Most of my staff use Entourage, and it works better with an stunnel than it does with the native SSL support compiled into imapd. Still haven't worked out why this is the case...

x509 certificates
Authored by: legne666 on Feb 25, '02 05:03:40PM

I noticed that this trick is good for the SSL stream between the client and IMAP server... however, does this also take care of the signing and encrypting/decrypting of email with the cert?

At work, we are required to digitally sign our email, and cannot read others' email without their cert, etc. I have not been able to find a solution that does this on the Mac except for Netscape 4.x running in Classic mode (ick).

I would really love if Mail.app (or any other MacOSX mail client) could use certificates... THEORETICALLY Mozilla is doing this, but I would rather use Mail.app or whatever.

Anyone got suggestions?

x509 certificates
Authored by: etwoy on Feb 26, '02 03:11:52AM

You could use PGP...

http://www.sente.ch/software/GPGMail/index.html

It works fine with Mail.app. Since SSL support came in with 10.1.3, I'm feeling quite happy with Mail.app and this PGP extension to it.

For Panther
Authored by: blueHal on Oct 30, '03 02:44:05PM
The instructions in the Apple Knowledge Base worked for me.

I did have to download my server's certificate manually using openssl s_client -connect servername:993, then copy and paste the stuff between BEGIN CERTIFICATE and END CERTIFICATE into a file named my_servers_key.cer before dragging, because Mail.app would get wedged when I tried to drag.

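The following is an added example, not code from the hint, its author or any commenter: it covers both steps people above do by hand, pulling the BEGIN/END CERTIFICATE block out of openssl s_client output (blueHal's comment) and converting DER to PEM and appending it to the trust store without clobbering it (the hint's openssl x509 and >> steps), using only Python's standard library. The DER check is a structural sanity test of the outer SEQUENCE, not a full X.509 parse, and the sample certificate bytes and s_client excerpt are constructed.

```python
import base64, re, shutil, ssl

# One PEM certificate block, as printed by `openssl s_client` or kept in RootCerts.pem.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# Constructed sample, not a real certificate: one DER SEQUENCE holding INTEGER 5.
SAMPLE_DER = bytes.fromhex("3003020105")
# Constructed excerpt of what `openssl s_client -connect host:993` prints.
SAMPLE_S_CLIENT = ("CONNECTED(00000003)\n---\nCertificate chain\n 0 s:/CN=mail.example.test\n"
                   "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n---\n")

def is_der_certificate(der: bytes) -> bool:
    """Sanity check: a DER cert is one SEQUENCE (0x30) whose length spans the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length byte
        header, length = 2, der[1]
    else:                                   # long form: 0x8N then N length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:      # 0x80 (indefinite) is not valid DER
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def extract_pem_certs(text: str) -> list:
    """All certificates in `text` (e.g. s_client output) as normalised PEM."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode(body)
        except ValueError:                  # corrupted paste, bad padding
            continue
        if is_der_certificate(der):
            certs.append(ssl.DER_cert_to_PEM_cert(der))
    return certs

def to_pem(cert: bytes) -> str:
    """Bytes of a DER or PEM certificate file -> PEM text (the openssl x509 step)."""
    found = extract_pem_certs(cert.decode("ascii", errors="replace"))
    if not found and not is_der_certificate(cert):
        raise ValueError("not a PEM or DER-encoded X.509 certificate")
    return found[0] if found else ssl.DER_cert_to_PEM_cert(cert)

def append_to_store(store_path: str, pem: str) -> bool:
    """Back up the store, then append (the shell's >>, never >); False if already present."""
    with open(store_path) as f:
        if pem in extract_pem_certs(f.read()):
            return False
    shutil.copyfile(store_path, store_path + ".bak")
    with open(store_path, "a") as f:
        f.write(pem)
    return True
```

Anything appended to RootCerts.pem is trusted by every CoreFoundation client on the machine, so confirm the CA certificate's fingerprint out of band before calling append_to_store.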

Adding a custom SSL Certificate
Authored by: tinker on Nov 26, '03 11:57:27PM
Or visit this site for instructions on how to get a certificate, import it into Netscape, and export it to Mail. Takes about ten minutes and is a minor pain (but the directions are clear).
