OS X Server: Saving a certificate identity to the system keychain does not work with Server services
After installing a Certificate Identity into the System keychain, the certificate appears in Server App or Server Admin, however the server services may not utilize the selected certificate. It may appear that the certificate is being used for the services, however when connecting to the service, it may not establish a connection.
OS X Server (Mountain Lion) symptoms: After selecting the certificate from the Certificates pane in Server App, the drop down menu may switch to a previously set certificate or to Custom. If a connection is attempted to a service set to use the new certificate, it may not establish the connection.
Lion Server symptoms: After setting the certificate in the Settings pane of the Server app, it might show Custom settings instead. After clicking the Edit key to show the custom SSL Certificate settings, you may notice all services are set to use the new certificate, except for Web. If you attempt to set the certificate to be used with Web, it may appear to change, then unexpectedly change back to None. If a connection is attempted to a service set to use the new certificate, it may not establish the connection.
Mac OS X Server v10.6 symptoms: From Server Admin's Certificates pane you can see the list of certificates available to the Server, which will include the newly imported certificate. When setting the Server services to use this certificate you may notice that the settings will be kept, but a connection attempted to a service that is set to use the new certificate may not work.
The certificate that was imported into the System keychain may have Access Controls that prevent the server from accessing the private key component of the identity. This restriction prevents the necessary export of the private key to /etc/certificates.
Use Keychain Access to remove the restrictions and allow the private key to be exported to work with Server services.
- Open Keychain Access from /Applications/Utilities.
- Select the System keychain from the Keychains pane on the left.
- Choose Certificates from the Category pane on the lower left.
- Click the arrow next to the imported certificate.
- Double click the private key.
- Switch to the Access Control tab.
- Choose the option "Allow all applications to access this item."
- Click Save Changes and authenticate as a local administrator when prompted.
- Restart the computer.
You can view the list of installed certificates readily available for Server services by viewing the directory /etc/certificates. The naming scheme for the certificate is to use the common name of the certificate followed by the SHA1 hash from the certificate. There should be four files for each valid certificate identity: The certificate trust chain (chain.pem), the certificate (cert.pem), the key (key.pem) and the concatenated certificate with its private key (concat.pem). If any of the four components are missing, the services will be unable to work with the corresponding certificate.