August 2010 Archives

Retrieving the password for Server Admin-generated Keys


With Mac OS X Server, you can use Server Admin and the Certificate Assistant tools to create your private key for your server. In fact, when you start the server up, out of the box, one has already been created for you. You can use this key to create a certificate signing request (CSR) to send to your certificate authority (CA) to sign. If you do this, you will get a spiffy signed cert back, appropriate for securing your web server, chat server or a variety of other uses.

If you try to use this cert with your own version of Apache, however, you will encounter the default situation where httpd will ask for the password of that .crt file during the startup procedure.

Many admins choose to delete the password from this certificate to eliminate administrator intervention when restarting the service. The usual way this is done is to run the command openssl rsa -in /path/to/mycert.crt -out /output/path/ofmyclean.crt (or the variant openssl rsa -in key.pem -out newkey.pem if you are working with .pem-format certificates, which are the default if you use Server Admin.app to generate certs).

To run this command, you need to know the original password.

Intuitively, you might think that the password MOSXS uses to create this private key (and thus used to create the signed cert) would be the initial root password, or maybe the first eight characters of the serial number. Instead, it's a randomly generated password created by the system.

You can retrieve this password using the Keychain Access application. Search for the "Mac OS X Server certificate management" object of the type "application password". Double-click to examine this object and to reveal the password used by the system.

With this information, you can proceed with the openssl command to delete the password from your signed certificate. Note that you needn't worry about this if you're using the built-in Mac OS X services, since those programs will automatically consult the Keychain to get the password for the .crt file when starting up.
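Here is the procedure above worked through as a script. This is an added example and not part of the original post: it strips the passphrase non-interactively with openssl rsa, makes sure the resulting plaintext key is never world-readable (the one thing that changes once the passphrase is gone is that file permissions are all that protects the key), and checks that the stripped key still pairs with the certificate. It assumes openssl is on the PATH; every path and the passphrase are constructed for the demo, and the security(1) command in the comment is an assumed command-line equivalent of the Keychain Access lookup, not something from the post.

```sh
#!/bin/sh
# Added example, not part of the original post. It walks the post's
# procedure end to end on throwaway material: strip the passphrase from a
# PEM private key with "openssl rsa", keep the plaintext key from ever being
# world-readable, and confirm the stripped key still pairs with the cert.
# Assumptions: openssl is on the PATH; every path and the passphrase below
# are constructed for the demo. On a real Mac OS X Server the passphrase is
# the one Keychain Access shows for "Mac OS X Server certificate management";
# the command-line equivalent (assumed, not from the post) would be:
#   security find-generic-password -l "Mac OS X Server certificate management" -w

set -eu

WORK=$(mktemp -d)
PASS='constructed-demo-passphrase'   # stand-in for the Keychain value

# Generate an encrypted key plus a self-signed cert, standing in for the
# Server Admin-generated key and the CA-signed cert.
make_demo_material() {
    openssl genrsa -aes128 -passout "pass:$PASS" -out "$WORK/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -passin "pass:$PASS" \
        -subj "/CN=demo.example" -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# The step from the post, made non-interactive with -passin. The subshell
# umask means the unencrypted key is created mode 0600 rather than written
# world-readable first and tightened afterwards.
strip_passphrase() {
    src="$1"; dst="$2"; pw="$3"
    ( umask 077; openssl rsa -in "$src" -passin "pass:$pw" -out "$dst" 2>/dev/null )
    chmod 600 "$dst"
}

# True when the PEM carries no encryption marker, i.e. httpd will load it
# without prompting.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# True when the public key inside the stripped key equals the one in the
# certificate; catches stripping the wrong file.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Permission string of a file, e.g. "-rw-------" (ls output is portable
# across BSD and GNU where stat's flags are not).
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone run.
make_demo_material
strip_passphrase "$WORK/key.pem" "$WORK/newkey.pem" "$PASS"
key_is_unencrypted "$WORK/newkey.pem" && echo "passphrase removed: $WORK/newkey.pem"
key_matches_cert "$WORK/newkey.pem" "$WORK/cert.pem" && echo "key still matches cert"
echo "mode: $(key_mode "$WORK/newkey.pem")"
```

On the server you would point strip_passphrase at the real key.pem and the passphrase from Keychain Access instead of the generated material. The mode check matters because httpd reads the key as root at startup, so there is no reason for any other account to be able to read the unencrypted copy.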

Binding your 10.6 Mac to the Campus OpenLDAP directory


These instructions are Snow Leopard-specific. First, download the Stanford Directory Utility Template installer. It will install a property list file into your home directory, which will make configuring your Mac to use the campus OpenLDAP directory system even easier than before. This template holds the record and attribute matching information, so you don't need to edit much.

Next, launch Directory Utility. It's located in the /System/Library/CoreServices folder. Edit the LDAPv3 service to add a new directory system. For the server name, enter ldap.stanford.edu in the field. The program will query the campus OpenLDAP directory, then ask you to choose a template for LDAP mapping. Since you just installed the Stanford LDAP template, choose that from the pull-down menu. Enter cn=accounts,dc=stanford,dc=edu for the search base.

You can configure other options as you see fit. You should also install the Kerberos Configuration Utility from the Essential Stanford Software site.


About this Archive

This page is an archive of entries from August 2010 listed from newest to oldest.
