This document explains how to enable the mail service of Mac OS X Server 10.2 to make Secure Socket Layer (SSL) connections happen automatically.
Summary
Setting up automatic SSL connections for the mail service of Mac OS X Server 10.2 requires the basic steps described in the following sections:
Generating a CSR and Creating a Keychain
You generate a CSR and create a keychain by using the command-line tool certtool. A CSR is a file that provides information needed to issue an SSL certificate.
2. In the Terminal application, type the following two commands, pressing Return after each one:
cd /private/var/root/Library/Keychains/
/usr/bin/certtool r csr.txt k=certkc c
This begins an interactive process that generates a Certificate Signing Request (CSR) in the file csr.txt and creates a keychain named certkc.
3. In the New Keychain Passphrase dialog that appears, enter a passphrase or password for the keychain you are creating; enter the password or passphrase a second time to verify it; and click OK. Remember this passphrase, because later you must supply it again.
4. When 'Enter key and certificate label:' appears in the Terminal window, type a one-word key, a blank space, and a one-word certificate label; then press Return.
For example, you could type your organization's name as the key and mailservice as the certificate label.
5. Type r and press Return when you see the following displayed in the Terminal window:
Please specify parameters for the key pair you will generate.
r RSA
d DSA
f FEE
Select key algorithm by letter:
6. Type a key size at the next prompt in the Terminal window, then press Return.
Valid key sizes for RSA are 512..2048; default is 512
Enter key size in bits or CR for default:
Larger key sizes are more secure but require more processing time on your server. Some certificate authorities do not accept key sizes smaller than 1024 bits.
7. Type y at the next prompt to confirm the algorithm and key size (or type any other key to cancel the selection).
You have selected algorithm RSA, key size (size entered above) bits.
OK (y/anything)?
8. Type b when requested to specify how this certificate will be used, then press Return.
Enter cert/key usage (s=signing, b=signing AND encrypting):
9. Type s when requested to select a signature algorithm, then press Return.
...Generating key pair...
Please specify the algorithm with which your certificate will be signed.
5 RSA with MD5
s RSA with SHA1
Select signature algorithm by letter:
10. Type y when requested to confirm the selected algorithm, then press Return.
You have selected algorithm RSA with SHA1.
OK (y/anything)?
11. At the next prompt, enter a phrase or some random text to be used as the challenge string, then press Return.
...creating CSR...
Enter challenge string:
12. The next five prompts request the components of the certificate's Relative Distinguished Name (RDN). Enter the correct information at each prompt, then press Return after each entry.
For Common Name, enter the server's DNS name, such as server.example.com.
For Country, enter the country in which your organization is located.
For Organization, enter the organization to which your domain name is registered.
For Organizational Unit, enter something similar to a department name.
For State/Province, enter the full name of your state or province.
13. Type y to confirm the information you entered, then press Return (type any other key if the information is not correct).
Is this OK (y/anything)?
When 'Wrote (n) bytes of CSR to csr.txt' appears, you have successfully generated a CSR and created the keychain that mail service needs for SSL connections.
Obtaining an SSL Certificate
You must purchase an SSL certificate from a certificate authority such as Verisign (http://www.verisign.com) or Thawte (http://www.thawte.com). You can do this by completing a form on the certificate authority's Web site. When prompted for your CSR, open the csr.txt file in a text editor such as TextEdit, then copy and paste the contents of the file into the appropriate field on the certificate authority's Web site.
When you receive your certificate, save it in a text file named sslcert.txt. You can do this with the TextEdit application. Make sure the file is plain text, not rich text, and contains only the certificate text.
Importing the Certificate Into the Keychain
To import the SSL certificate into the keychain you created, use the command-line tool certtool.
2. Open the Terminal application.
3. Go to the directory where the saved certificate file is located.
For example, type cd /private/var/root/Desktop if the certificate file is saved on the desktop of the root user.
4. Type certtool i sslcert.txt k=certkc, then press Return:
Using certtool this way imports a certificate from the file named sslcert.txt into the keychain named certkc.
A confirmation that the certificate was successfully imported appears on the screen:
...certificate successfully imported.
Creating a Passphrase File
To create a passphrase file, you use TextEdit, then change the privileges of the file using the Terminal. Once this is done, mail service uses the passphrase file to unlock the keychain automatically.
2. In TextEdit, create a new file and type the passphrase exactly as you entered it when you created the keychain. Do not press Return after typing the passphrase.
3. Make the file plain text by choosing Make Plain Text from the Format menu.
4. Save the file in the root user's keychain folder: /private/var/root/Library/Keychains/.
5. Name the file certkc.pass.
6. In the Terminal, change the access privileges of the passphrase file so that only root can read and write it.
Type the following two commands and press Return after each one:
cd /private/var/root/Library/Keychains/
chmod 600 certkc.pass
The mail service of Mac OS X Server 10.2 can now use SSL for secure IMAP connections.
7. Log out as root.
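As an added check that is not part of the original article, the following shell function verifies the passphrase file created in the steps above: it must exist, have mode 600, be owned by root, be non-empty, and not end with a newline (step 2 says not to press Return after the passphrase). The path and file name come from the article; the function, its return codes, and the optional owner argument (so the check can be tried as a non-root user) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: verify the mail-service
# passphrase file. Path and name (certkc.pass) are the article's; the
# function and its return codes are this example's own.
check_passphrase_file() {
    f="$1"
    want_owner="${2:-root}"   # owner is a parameter so the check can run as non-root
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Read mode and owner from ls -ld (works on BSD and GNU userlands); strip a
    # trailing +, @ or . that marks ACLs, extended attributes or a security context.
    set -- $(ls -ld "$f")
    mode="${1%[+@.]}"; owner="$3"
    [ "$mode" = "-rw-------" ] || { echo "mode must be 600, is $mode"; return 2; }
    [ "$owner" = "$want_owner" ] || { echo "owner must be $want_owner, is $owner"; return 3; }
    [ -s "$f" ] || { echo "passphrase file is empty"; return 4; }
    # $(...) strips one final newline, so an empty result means the file ends
    # with Return, which the steps above tell you to avoid.
    [ -n "$(tail -c 1 "$f")" ] || { echo "ends with a newline: re-save without pressing Return"; return 5; }
    echo "ok: $f"
    return 0
}
# Typical use on the server, as root:
# check_passphrase_file /private/var/root/Library/Keychains/certkc.pass
```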
Notes