
Add a free, signed SSL certificate to Leopard Server

SSL certificates are a necessary component for using WebAuth and for serving any web pages over https. ITS provides some guidelines for getting SSL certs, with information on how to procure them from Stanford's "certificate authority of choice" (essentially the third-party vendor with whom ITS works most often). There's even a nice web form to streamline the process. InstantSSL is fine, but its certificates cost $83 per two-year certificate. This is the best choice if you have sensitive data and need that level of confidence.

But for other occasions, there are alternatives worth considering. You can use a self-signed certificate, but that might just annoy or confuse your users with browser warnings about untrusted certificates (and self-signed certificates don't enjoy a high degree of trust anyway). Or you can use ipsCA, a Spanish certificate authority that offers free two-year SSL certificates to educational institutions. Their root certificate (IPS SERVIDORES) is on just about every computer out there, too, so it works in almost every browser. In other words, it's legit.

Here are some simplified instructions on how to implement SSL on your Leopard web server on a SUNet host. We'll start with generating the certificate signing request (CSR).

The process is:

  1. Create a certificate signing request (CSR).
  2. Send that to a Certificate Authority (CA).
  3. Import the returned, signed certificate into your server.
  4. Import the CA's intermediary certificates to your server.
  5. Make a quick change to your httpd.conf file.

Step 1:
Launch Server Admin and select the hostname of the server with which you want to work; choose the Certificate icon to display the "Default" self-signed certificate. You'll need to edit this to something appropriate for your server. It's important that you set the "Common Name" field to the fully qualified domain A-name of your server. Your Organization is Stanford University, and your Organizational Unit can be anything like "Graduate School of Business" or "IT Services". The City (such as it is) is Stanford, and you can use the USPS abbreviation for California. The private key size of 1024 is fine for this purpose.

Once you've edited your self-signed Default certificate, you next need to generate the CSR. This is even easier! In the same pane in Server Admin is the little sprocket pull-down with the option to "Generate a Certificate Signing Request (CSR)...". A window will pull down with a field to enter an email address. Don't bother with this. Just drag the certificate icon to your desktop. (Granted, this isn't obvious.)

Sitting on your desktop is a text clipping that looks like this:


Step 2:
You'll "purchase" the certificate. Head on over to the ipsCA "Buy SSL Certificates" website and start plugging in your relevant information. It's pretty straightforward, but be sure to use your Stanford information like your Stanford email address and office address. Be sure to select the educational 2-year certificate option among the radio buttons. You can put your own information under the "technical contact" fields. And since MOSX includes Apache with mod_ssl as the web server(s), choose accordingly in the server type pull-down menu.

Next, drag your text clipping into the web form. Be sure to include the "-----BEGIN CERTIFICATE REQUEST-----" and matching "-----END...-----" lines (five hyphens on each side)!
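Before pasting the clipping, it's worth a quick sanity check. Here is a small shell script for that purpose, added as an example (it is not from the original post or from ipsCA's instructions, and the file name clipping.txt and the host name are placeholders). It confirms that the PEM armor lines are intact, with five hyphens on each side, and, when the openssl command-line tool is available, pulls the Common Name out of the request so you can confirm it matches your server's fully qualified name before the CA signs a request for the wrong host.

```shell
#!/bin/sh
# Added example: sanity-check a CSR text clipping before submitting it to the CA.
# File names and host names used here are illustrative placeholders.

# Returns 0 if the file holds exactly one BEGIN/END CERTIFICATE REQUEST pair
# (five hyphens each side, as PEM requires) with a non-empty base64 body.
check_csr_armor() {
    file="$1"
    [ -r "$file" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE REQUEST-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE REQUEST-----$' "$file" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        return 1
    fi
    # Everything between the armor lines must be base64 characters only.
    body=$(sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' "$file" | sed '1d;$d')
    if [ -z "$body" ]; then
        return 1
    fi
    if printf '%s\n' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
        return 1
    fi
    return 0
}

# Prints the Common Name from the CSR subject (needs the openssl CLI).
# RFC2253 name formatting gives a stable "CN=host,OU=...,O=..." layout to parse.
csr_common_name() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Full check: armor intact, and (if openssl is present) CN equals the FQDN you serve.
check_csr() {
    file="$1"; expected_host="$2"
    if ! check_csr_armor "$file"; then
        echo "$file: BEGIN/END CERTIFICATE REQUEST lines are damaged or missing"
        return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        cn=$(csr_common_name "$file")
        if [ "$cn" != "$expected_host" ]; then
            echo "$file: Common Name '$cn' does not match expected '$expected_host'"
            return 2
        fi
    fi
    echo "$file: CSR clipping looks good for $expected_host"
    return 0
}

# Stand-alone use: sh check_csr.sh clipping.txt www.yourhost.stanford.edu (placeholder host)
if [ "$#" -ge 2 ]; then
    check_csr "$1" "$2"
fi
```

The armor check catches the most common paste mistake (losing a header line, or the three-hyphen variants that creep in when the text is retyped); the Common Name check catches the more expensive one, a certificate issued for the wrong hostname, which no browser will accept for your site.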

After reviewing your work, click the submit button and go get a cup of coffee. Behind the scenes, the Spanish robots at ipsCA will look up the name of your server and determine who's responsible for verifying your server's association with Stanford. You'll quickly get an email asking you to confirm your request, which will include a web link back to the ipsCA website. Since the whois lookup will show that a Stanford Admins list email address is the registrar and technical contact of your server's domain name, choose the default contact selection to have ipsCA contact the university to confirm your details. This is why it's important to have included your Stanford email address and contact information, so the SUNet admins can vouch for you.

Depending on the day and time of your web submission, there might be a delay before the SUNet admins respond to ipsCA's verification request. If you do this early in the morning on a weekday, however, the process should move along quite quickly.

Step 3:
Usually within a couple hours, you should get an email from ipsCA with your new SSL certificate. The email will come with instructions, but if you have a stock Leopard Server, it might be better to do it "the Mac way" instead of using their generic Apache instructions.

The cert will come as an attached txt file. Open that text file, select and copy the whole thing (it will look rather like your CSR text clipping). Back in Server Admin, select that self-signed certificate you edited earlier in Step 1, go to that little sprocket thing again, and this time choose "Add Signed or Renewed Certificate from Certificate Authority...". A window will drop down; just paste your clipboard into that field. That's your signed certificate. Server Admin will put all the parts where they belong for the purposes of using SSL for web services.

Step 4:
If you just stopped here, you'd have a signed certificate on your server, but if you investigated it using Keychain Access, you'd see that it says (in red letters) "This certificate was signed by an unknown authority." No worries; you need to add the intermediary certificate from the Spanish CA to your server. That's easy, too. Download the CA bundle file from ipsCA onto your server. It will be a file named "IPS-IPSCABUNDLE.CRT"; just double-click on that file. Keychain Access should launch and ask you if you want to import it. Put it in your System Keychain (or your X509 Anchors keychain, if you prefer). If you re-investigate your new SSL certificate in the System keychain, it should now read as valid.

Step 5:
The last bit is making a tweak to your Apache httpd configuration file. If you skip this step, your users will get a notice that the certificate on the server is signed by an untrusted authority, because Apache will send only your server certificate and not the intermediate that links it to the trusted root.

Remember that Apple ships both Apache 1.3 and Apache 2.2 with Mac OS X 10.5 Server; Apache 2.2 is the default with Leopard, and is managed by Server Admin. Your primary httpd.conf file therefore lives in /etc/apache2.

For organization and convention, let's make a conf directory in /etc/apache2. Copy IPS-IPSCABUNDLE.crt into /etc/apache2/conf. (You'll need to do this as root.)

Still as root, make a backup of /etc/apache2/httpd.conf, then open it in your favorite text editor. You'll need to make the following modification: the added line is the SSLCertificateChainFile directive at the end of the mod_ssl block.

<IfModule mod_ssl.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLPassPhraseDialog exec:/etc/apache2/getsslpassphrase
    SSLSessionCache shmcb:/var/run/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/log/apache2/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    AddType application/x-x509-ca-cert crt
    AddType application/x-pkcs7-crl crl
    # Added: the ipsCA intermediate bundle, so clients can build the full chain to the root
    SSLCertificateChainFile /etc/apache2/conf/IPS-IPSCABUNDLE.crt
</IfModule>

After saving httpd.conf, test out your Apache 2.2 configuration file by invoking this command.

bash-3.2# apachectl -t
Syntax OK

If you get an error, it should pinpoint the line containing the mistake. Make sure you've moved the intermediate certificate into the right directory, and that your httpd.conf file is clean.
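apachectl -t only checks syntax; it will happily accept a chain file that exists but doesn't actually belong to your certificate. The following script, added here as an example (not from the original post, Apple, or ipsCA; the paths are placeholders), covers the two things that go wrong in Steps 4 and 5: the directive pointing at a file that isn't where you copied it, and a bundle that doesn't complete the chain for your server certificate. The last function uses openssl verify, which is roughly what a browser does when deciding whether to show the "untrusted authority" warning.

```shell
#!/bin/sh
# Added example: verify the chain-file setup from Step 5 before restarting Apache.
# Paths used here (httpd.conf, bundle, server cert) are illustrative placeholders.

# Prints the path given to SSLCertificateChainFile in an Apache config file,
# skipping commented-out lines. Empty output means the directive is missing.
chain_file_from_conf() {
    awk '$1 == "SSLCertificateChainFile" { print $2; exit }' "$1"
}

# Counts the PEM certificate blocks in a bundle. The ipsCA bundle carries the
# intermediate certificate(s) that sit between your server cert and the root.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Returns 0 if the config points at a readable bundle holding at least one certificate.
check_chain_config() {
    conf="$1"
    chain=$(chain_file_from_conf "$conf")
    if [ -z "$chain" ]; then
        echo "SSLCertificateChainFile is not set in $conf" >&2
        return 1
    fi
    if [ ! -r "$chain" ]; then
        echo "chain file $chain is missing or unreadable" >&2
        return 1
    fi
    n=$(pem_cert_count "$chain")
    if [ "$n" -lt 1 ]; then
        echo "$chain contains no PEM certificates" >&2
        return 1
    fi
    echo "$chain: $n certificate(s)"
    return 0
}

# Builds the chain the way a client would (needs the openssl CLI). If the bundle
# already includes the root, pass it as -CAfile. If it holds only intermediates,
# give the root separately; the bundle is then supplied as -untrusted material.
verify_chain() {
    server_cert="$1"; bundle="$2"; root="${3:-}"
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$bundle" "$server_cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$bundle" "$server_cert" >/dev/null 2>&1
    fi
}

# Stand-alone use: sh check_chain.sh /etc/apache2/httpd.conf [server.crt [root.crt]]
if [ "$#" -ge 1 ]; then
    check_chain_config "$1" || exit 1
    if [ "$#" -ge 2 ]; then
        chain=$(chain_file_from_conf "$1")
        if verify_chain "$2" "$chain" "${3:-}"; then
            echo "$2 chains correctly through $chain"
        else
            echo "$2 does NOT chain through $chain" >&2
            exit 1
        fi
    fi
fi
```

Run the config check after copying the bundle and before apachectl -t; a certificate count of zero usually means the file was saved in a binary (DER) format rather than the text PEM format Apache expects. The verify step is the one that would have caught the Step 4 "unknown authority" problem from the command line.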

Back in Server Admin's Web module, select your website and click the security tab to enable SSL, choosing your server's new SSL cert from the pull-down menu. Fire up Apache and test it out. Good luck!




This page contains a single entry from the blog posted on March 20, 2008 10:20 AM.
