OS X Server: Access Controls might prevent a certificate identity from working with Server services

After installing a Certificate Identity in the System keychain, the certificate appears in Server App or Server Admin. However, the server might not use the selected certificate and connections that use the selected certificate might not complete.

This article has been archived and is no longer updated by Apple.

Specific Symptoms

OS X Server

After selecting the certificate from the Certificates pane in Server App, the drop down menu may switch to a previously set certificate, or to Custom. A connection attempt using this certificate might not work.

Lion Server

After setting the certificate in the Settings pane of the Server app, it might show Custom settings instead. After clicking the Edit key to show the custom SSL Certificate settings, you might notice all services are set to use the new certificate, except for Web. If you attempt to set the certificate to be used with Web, it changes momentarily, then unexpectedly sets itself back to None. A connection attempt using this certificate might not work.

Mac OS X Server v10.6

From Server Admin's Certificates pane you can see the list of certificates available to the Server, which include the newly imported certificate. When setting the server to use this certificate you might notice that your settings are kept, but a connection attempt using this certificate might not work.

How to resolve this issue

The certificate that was imported into the System keychain may have Access Controls that prevent the server from accessing the private key component of the identity. This restriction prevents the necessary export of the private key to /etc/certificates.

Use Keychain Access to remove the restrictions and allow the private key to be exported to work with Server services.

  1. Open Keychain Access from /Applications/Utilities.
  2. Select the System keychain from the Keychains pane.
  3. Choose Certificates from the Category pane on the lower left.
  4. Click the arrow next to the imported certificate.
  5. Double click the private key.
  6. Switch to the Access Control tab.
  7. Select the option "Allow all applications to access this item."
  8. Click Save Changes and authenticate as a local administrator when prompted.
  9. Restart the computer.

You can view the list of installed certificates readily available for Server services by viewing the directory /etc/certificates. The naming scheme for the certificate is to use the common name of the certificate followed by the SHA1 hash from the certificate. There should be four files for each valid certificate identity: The certificate trust chain (chain.pem), the certificate (cert.pem), the key (key.pem) and the concatenated certificate with its private key (concat.pem). If any of the four components are missing, the services will be unable to work with the corresponding certificate.

Published Date: