
Backing up and restoring SSL certificates on an Apple Server

posted Oct 10, 2011, 6:02 PM by Ian Curtinsmith   [ updated Oct 10, 2011, 7:10 PM ]

If you have ever created or imported an SSL certificate you will need to be able to back it up, and from time to time move it to another machine.


Apple changed the way certificates are stored starting with Mac OS X Server 10.6.


I suggest having a read of the following:

http://manuals.info.apple.com/en_US/ServerAdmin_v10.6.pdf

https://help.apple.com/advancedserveradmin/mac/10.7/

However, neither document tells you how to back up and restore your certificates.


Under 10.5 Server


The certificates lived in /etc/certificates. In this case the files were:

domainname.com.au.chcrt

domainname.com.au.crt

domainname.com.au.crtkey

domainname.com.au.key

The ones you need are:

domainname.com.au.crt

domainname.com.au.key 


You can import the certificate on a 10.5 or 10.6 server in Server Admin: select Import, then choose the .crt file for the certificate and the .key file for the private key.

So anyone wishing to back up or restore their SSL certificates on 10.5 would simply back up /etc/certificates/.


However, in 10.6 Server and upwards


The certificates still live in /etc/certificates, but the private key is now encrypted and the files are stored in PEM format (.pem). In this case the files are:

domainname.com.au.*************************************.cert.pem

domainname.com.au.*************************************.chain.pem

domainname.com.au.*************************************.concat.pem

domainname.com.au.*************************************.key.pem

If you were backing up the server you would need to copy both of the following:

/etc/certificates/

/Library/Keychains/System.keychain, which holds the password used to decrypt the private key


The private key "domainname.com.au.*************************************.key.pem" is encrypted by Server Admin at import / creation time.

To restore the SSL certificate on another machine you first need to find that encryption password.

Launch the Keychain Access program and search for the item with "Name : Mac OS X Server certificate management, Kind : application password".

If you have multiple entries, select the one whose Date Modified is the day you imported the certificate.

Double-click the entry, tick "Show password" and enter the server's administrator password when prompted.

This reveals the password that decrypts the private key. It is a string of numbers and letters in the form ********-****-****-****-************. Treat it with the same care as the private key itself; anyone holding both the .key.pem file and this password can impersonate your server.

You can now import the SSL certificate onto another server, whether that is a backup server in case of primary failure or a new server replacing the old one.

You do this in the Server Admin program under Certificates. Click the + button, choose Import, and supply:

domainname.com.au.*************************************.cert.pem, which corresponds to the old .crt file (the certificate)

domainname.com.au.*************************************.key.pem, which corresponds to the old .key file (the encrypted private key)

Drag domainname.com.au.*************************************.cert.pem and domainname.com.au.*************************************.key.pem into the import sheet.

Server Admin will ask for a password; enter the one found above in Keychain Access.

For other third-party applications such as Kerio Mail Server you may want to use this key as well; to do so it must first be decrypted.

To decrypt the key, run the following in Terminal (substitute your own domainname.com.au.************************************* file name). openssl will prompt for the password found above:

$ sudo openssl rsa -in /etc/certificates/domainname.com.au.*************************************.key.pem -out /etc/certificates/key-decrypt.pem

Your decrypted private key is now at /etc/certificates/key-decrypt.pem. Note that this copy is no longer protected by a password, so keep it readable by root only and remove it once the third-party application has its own copy.

You can now use this decrypted private key together with the certificate to import into a third-party program on that server such as Kerio Mail, or import it into Server Admin without being asked for the password.
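The backup and decryption steps above, written as a small shell script. This is an added example and not code from the original post. Paths are passed as parameters so the functions can be exercised against a scratch directory; on the server you would pass /etc/certificates and /Library/Keychains/System.keychain. The keychain_key_password function uses Apple's security command to read the same keychain item the post finds by hand in Keychain Access; the item label is assumed to be exactly the Name shown there. The key_matches_cert check is an addition that the post does not perform: it compares the RSA modulus of the key and the certificate so you notice a mismatched .key.pem before importing it anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): back up the certificate store
# and System keychain, recover the key password, decrypt one private key for a
# third-party application, and confirm the key belongs to the certificate.
set -eu

# Bundle the certificate directory and the keychain that holds the key
# password into one tarball; both are needed to restore on another server.
# The tarball contains private keys, so it is created with mode 0600.
backup_server_certs() {
    cert_dir=$1; keychain=$2; out=$3
    ( umask 077
      tar -czf "$out" -C / "${cert_dir#/}" "${keychain#/}" )
    echo "$out"
}

# Read the key password out of the System keychain on the ORIGINAL server.
# macOS only: `security` is Apple's keychain CLI; the label is assumed to be
# the Name the post finds in Keychain Access. With several matching items
# -w prints only the first, so check Date Modified as the post describes.
keychain_key_password() {
    security find-generic-password \
        -l "Mac OS X Server certificate management" \
        -w /Library/Keychains/System.keychain
}

# Decrypt a Server Admin private key for a third-party application.
# The password is handed to openssl through the environment (-passin env:)
# rather than on the command line, so it does not appear in `ps` output,
# and the plaintext key is written with mode 0600.
decrypt_server_key() {
    enc_key=$1; password=$2; out=$3
    ( umask 077
      KEY_PASS="$password" openssl rsa -in "$enc_key" \
          -passin env:KEY_PASS -out "$out" )
    chmod 600 "$out"
    echo "$out"
}

# Sanity check before importing anywhere: the key and the certificate must
# share the same RSA modulus, otherwise you picked the wrong .key.pem.
key_matches_cert() {
    key=$1; cert=$2
    [ "$(openssl rsa -in "$key" -noout -modulus)" = \
      "$(openssl x509 -in "$cert" -noout -modulus)" ]
}

# Usage on the server (assumed paths; <hash> is the hex string in the
# file name that the post masks with asterisks):
#   backup_server_certs /etc/certificates /Library/Keychains/System.keychain \
#       /var/root/certs-backup.tgz
#   decrypt_server_key /etc/certificates/domainname.com.au.<hash>.key.pem \
#       "$(keychain_key_password)" /etc/certificates/key-decrypt.pem
#   key_matches_cert /etc/certificates/key-decrypt.pem \
#       /etc/certificates/domainname.com.au.<hash>.cert.pem
```

Once the third-party application has imported key-decrypt.pem, delete that file; the encrypted .key.pem plus the keychain backup is all you need to restore later.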


NOTE :

If your certificate is signed by an intermediate CA rather than directly by a root authority, you will also need to copy the signer's intermediate chain certificate and import it on the new server. Generally speaking you don't really need to back this up, as intermediate chain certificates are easily downloadable from the signer's website.


I also posted the above at: http://www.afp548.com/article.php?story=20100425082436137
