Mac OS X Server 10.4: How to renew a signed certificate

Learn how to renew a signed certificate in Mac OS X Server 10.4 or later. A server certificate allows secure transactions between the server and clients. Certificates are provided by Certificate Authorities (CAs), organizations that are trusted to issue safe certificates. Some CAs include Thawte, Verisign, and Entrust. Certificates normally expire after a period of time for security reasons.

Renewing an expired certificate

Important: These steps will leave your server without a certificate until the new certificate is issued. You can use a self-signed Certificate Authority and certificate to fill the gap. Clients will need to have that CA certificate added.

  1. Refer to the Mac OS X Server Security Configuration Guide (chapter 8) to delete the expired certificate.
  2. Refer again to the Mac OS X Server Security Configuration Guide to request a certificate from a CA and add it.

Renewing a certificate that has not yet expired

  1. Open Terminal (/Applications/Utilities).
  2. Execute this command to create a Certificate Signing Request:

    certtool r certrequest.pem k=CertRequest.keychain c

    Note: You cannot use Server Admin because it does not allow two certificates with the same common name.
  3. Open Keychain Access (/Applications/Utilities).
  4. Click Show Keychains.
  5. Select CertRequest.
  6. Export the private key.
  7. Submit the Certificate Signing Request "certrequest.pem" to the Certificate Authority (CA) of your choice. The CA will explain what to do with the CSR in order to purchase or renew a certificate.
  8. After the CA provides you with a new certificate (typically it is mailed to you), log in as root on the server.
  9. Open Keychain Access.
  10. Locate the keys related to the existing certificate and export them (this works only as root).
  11. Log out.
  12. Open Server Admin.
  13. In the Computers & Services list, select the server you are renewing a certificate for.
  14. Click Settings.
  15. Click Certificates.
  16. Delete the existing certificate.
  17. Click Import.
  18. Select the certificate file and the private key file (the one exported in step 6 above).
  19. Click Import.

If the import does not succeed, open the system log and look for the text "[CertificateManager importIdentity:]" to determine the cause of the issue and resolve it. You can re-import the expiring certificate using the private key exported in step 10.
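
A sanity check that can be run in Terminal before the import in step 17, added here as an example and not part of the original article: it confirms that the CSR, the private key from step 6 and the certificate returned by the CA all carry the same key, and that the new certificate is not about to expire. It assumes all three are PEM files holding an RSA key that the openssl command can read; the function names and file names are placeholders.

```shell
#!/bin/sh
# Added example: pre-import checks for the renewal procedure above.
# Assumption: PEM-encoded files with an RSA key; names are placeholders.

# Print the RSA modulus of a PEM file. KIND is csr, cert or key.
modulus_of() {   # usage: modulus_of KIND FILE
    case "$1" in
        csr)  openssl req  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files yield the same, non-empty modulus.
same_key() {     # usage: same_key KIND1 FILE1 KIND2 FILE2
    a=$(modulus_of "$1" "$2") || return 1
    b=$(modulus_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# CSR, private key and issued certificate must agree, and the certificate
# must remain valid for at least MIN_DAYS more days (default 30).
preimport_check() {   # usage: preimport_check CSR KEY CERT [MIN_DAYS]
    days=${4:-30}
    same_key csr "$1" key "$2" ||
        { echo "CSR does not match private key"; return 1; }
    same_key cert "$3" key "$2" ||
        { echo "certificate does not match private key"; return 1; }
    openssl x509 -noout -checkend $(( days * 86400 )) -in "$3" >/dev/null ||
        { echo "certificate expires within $days days"; return 1; }
    echo "ok"
}

# Stand-alone use: sh check.sh certrequest.pem exported-key.pem newcert.pem
if [ "$#" -ge 3 ]; then
    preimport_check "$@"
fi
```

A mismatch reported here means the certificate was issued for a different key than the one being imported with it.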

 

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.

Published Date: Oct 7, 2016