Mac OS X Server 10.4: How to renew a signed certificate
Learn how to renew a signed certificate in Mac OS X Server 10.4 or later. A server certificate allows secure transactions between the server and clients. Certificates are provided by Certificates Authorities--organizations that are trusted to issue safe certificates. Some Certificate Authorities (CA) include Thawte, Verisign, and Entrust. Certificates normally expire after a period of time for security reasons.
Renewing an expired certificate
Important: These steps will leave your server without a certificate until the new certificate is issued. You can use a self-signed Certificate Authority and certificate to fill the gap. The clients will need the CA certificate to be added.
- Refer to the Mac OS X Server Security Configuration Guide (chapter 8) to delete the expired certificate.
- Refer again to the Mac OS X Server Security Configuration Guide to request a certificate from a CA and add it.
Renewing a certificate that has not yet expired
- Open Terminal (/Applications/Utilities).
- Execute this command to create a Certificate Signing Request:
certtool r certrequest.pem k=CertRequest.keychain c
Note: You cannot use Server Admin because it does not allow two certificates with the same common name.
- Open Keychain Access (/Applications/Utilities).
- Click Show Keychains.
- Select CertRequest.
- Export the private key.
- Submit the certificate "certrequest.pem" to the Certificate Authority (CA) of your choice--the CA will explain you what to do with the CSR in order to purchase or renew a certificate.
- After the CA provides you with a new certificate (typically it is mailed to you), log in as root on the server.
- Open Keychain Access.
- Locate the keys related to the existing certificate and export them (this works only as root).
- Log out.
- Open Server Admin.
- In the Computers & Services list, select the server you are renewing a certificate for.
- Click Settings.
- Click Certificates.
- Delete the existing certificate.
- Click Import.
- Select the certificate file and the private key file (the one exported in step 6 above).
- Click Import.
If the import does not succeed, open the system log and look for the text "[CertificateManager importIdentity:]" to determine the cause of the issue and resolve it. You can import back the expiring certificate using the private key exported in step 10.
Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.