Wildcard SSL certificates are available from several vendors; the one I was working with came from mactechdomains.com.
When you get your certificate, you'll receive a .crt and an intermediate certificate (not a key) from the issuing CA. This is straightforward on the machine you started the request from: you went to Server Admin, filled in the details, clicked "Request certificate from a CA", and had a handy CSR to send them. You paste the text from your .crt into the existing self-signed certificate entry in Server Admin and you're off to the races.
The fun begins when you want to use your wildcard certificate on other machines. First, make sure that the intermediate certificate (it may be called something like yourCA_intermediate_bundle.crt) is in the System keychain and in X.509 Anchors; without it, clients see an incomplete chain even though the server certificate itself is valid.
You don't have to make another request, but how do you get the certificate and key onto the new server? The key (pardon the pun) lives in /etc/certificates on the machine where your SSL cert is already up and running. Copy the *.yourdomain.com files to the next server (over scp or another encrypted channel, since one of them is your private key) and put them into /etc/certificates, keeping them owned by root and readable only by root. In Server Admin, choose Import rather than creating a new certificate: use *.yourdomain.com.crt in the certificate field and *.yourdomain.com.key in the key field. If you used a passphrase when you first generated the private key you'll have to enter it in the passphrase field. Leave the third field blank, click Import, and Bob's your uncle.
Ah, but now you've restarted your web service after applying the new certificate and Server Admin tells you that web cannot start. If this isn't the first certificate on this machine you may be running into a... uh, feature! There is a gotcha in the way OS X Server reads the keys of your certificates, and it causes a problem when you have two private keys that both have passphrases. The key (pardon the pun again!) is to strip the passphrase out of your private key:
server:/etc/certificates root# cp \*.yourdomain.com.key \*.yourdomain.com.key.passphrase
server:/etc/certificates root# openssl rsa -in \*.yourdomain.com.key.passphrase -out \*.yourdomain.com.key
Enter pass phrase for *.yourdomain.com.key.passphrase:
writing RSA key
With that done: delete the newly added certificate from Server Admin, strip the passphrase, re-import the certificate with its now passphrase-less key, and then go back and apply this certificate to your web services; they will restart without complaint. Bear in mind that the private key now sits on disk in the clear, so make sure /etc/certificates and the key file are root-owned and not world-readable. The .passphrase copy is your encrypted original; keep it (it is the safer of the two) and protect it the same way.
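The whole procedure above, as an added shell example that is not part of the original post: it strips the passphrase the way the post does but keeps the encrypted original, creates the plaintext key with owner-only permissions, and, before you go anywhere near Server Admin, checks that the key and certificate actually belong to each other and that the certificate chains to the intermediate bundle. The file names are assumptions (substitute your own *.yourdomain.com.* files in /etc/certificates), and the passphrase is read from a KEYPASS environment variable rather than typed on the command line so it does not show up in `ps` output.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: OpenSSL is on the
# PATH, the key is RSA, and the passphrase is supplied in $KEYPASS.

# strip_passphrase KEY: writes the decrypted key over KEY, keeping the
# encrypted copy as KEY.passphrase. Refuses to overwrite an existing backup
# so a second run cannot clobber the encrypted original with a plaintext one.
strip_passphrase() {
    key=$1
    if [ -e "$key.passphrase" ]; then
        echo "refusing to overwrite existing backup $key.passphrase" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller;
    # both the backup and the plaintext key come out mode 0600.
    (
        umask 077
        cp "$key" "$key.passphrase" &&
        openssl rsa -in "$key.passphrase" -passin env:KEYPASS -out "$key"
    )
}

# key_matches_cert KEY CRT: succeeds only if the RSA modulus in the key is
# the one in the certificate. A mismatched pair is a common reason the web
# service refuses to start after a certificate swap.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_chain CRT BUNDLE: checks that CRT chains to the certificates in
# BUNDLE. BUNDLE must end in a root; if it holds only the intermediate, add
# -partial_chain (OpenSSL 1.0.2 or later) so the intermediate is accepted
# as the trust anchor.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Typical use on the server (not run here):
#   cd /etc/certificates
#   export KEYPASS='the passphrase you chose at request time'
#   strip_passphrase '*.yourdomain.com.key'
#   key_matches_cert '*.yourdomain.com.key' '*.yourdomain.com.crt' || echo "key/cert mismatch"
#   verify_chain '*.yourdomain.com.crt' yourCA_intermediate_bundle.crt || echo "chain broken"
#   unset KEYPASS
```

Run the two checks before importing: a failure from key_matches_cert means you copied the wrong key (or the wrong cert), and a failure from verify_chain means the intermediate bundle is missing or incomplete, which is the L3 problem surfacing on the new host.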
And that my friends, is what comes out of a day of banging your head against a very solid brick wall with determination to break it down....
1 comment:
So THAT'S where that hole in my brick wall came from!