SSL and Mac OS X 10.7 Lion Server

First posted on the 21st June, 2012 – IT
Last modified on the 21st June, 2012, at 9:59 pm

Although basic web server functionality is provided in Mac OS X 10.7, migrating to the full server product has a number of advantages. Firstly, there is no need to dig around in the Apache config files to enable PHP and other things; secondly, you can host multiple websites from different directories, each using a different SSL certificate.

The big trick to unleashing the power of 10.7 Server is to install the Server Admin Tool (Server Admin.app) and not just the Server tool (Server.app) when you set up the server! This took me ages to work out and is not well documented. The second thing is to RTFM, or more precisely read the online manual for the Server Admin tool.

So, having got the web server up and running, I installed my old self-signed SSL certificate and everything was OK. However, I really wanted a real SSL certificate to give my website a more professional look, especially for visitors arriving at my site in IE on Windows.

Recently I found a company called StartSSL which offers free SSL certificates and, more importantly, is recognised by default as a trusted certificate authority by the most popular web browsers. In practice this means that when visitors navigate to my site using HTTPS they no longer have to manually accept my self-signed certificate. Instead the SSL certificate issued by StartSSL is accepted automatically because it is validated against a certificate authority the browser already trusts.

To create a free certificate for www.mattparkinson.eu the following was done:

  1. go to StartSSL
  2. create an account and an ID private key (this is used to log in to the site in future)
  3. validate your domain via the verification email StartSSL sends to postmaster@domain-associated-to-ssl-certificate
  4. generate a private key
  5. decrypt the private key with OpenSSL or the online tool provided by StartSSL
  6. generate the SSL certificate
  7. generate the pxkt file from the private key and certificate
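
The OpenSSL commands behind steps 5 and 7, as an added example rather than anything from the original post: the decrypted key is what the server needs on disk, the bundled identity is what the import dialog reads, and a subject check confirms the bundle before it goes anywhere near the server. File names, passphrases and the stand-in key and certificate are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the openssl commands behind
# steps 5 and 7 above (decrypt the StartSSL-issued key, then bundle key and
# certificate into a PKCS#12 identity for "Import a Certificate Identity").
# All file names and passphrases here are assumptions.

# Step 5: strip the passphrase. Server.app cannot ask for one when it starts
# the web server, so the key on disk is plain and must be owner-readable only.
#   decrypt_key ENCRYPTED_KEY PASSPHRASE OUTPUT_KEY
decrypt_key() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null || return 1
    chmod 600 "$3"
}

# Step 7: bundle the plain key and the issued certificate into one file. The
# export passphrase is what the import dialog asks for; the friendly name is
# how Server.app lists the identity. (OpenSSL 3: add -legacy if an old
# Keychain refuses the file.)
#   bundle_identity PLAIN_KEY CERT_PEM OUTPUT_P12 EXPORT_PASS FRIENDLY_NAME
bundle_identity() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -passout "pass:$4" -name "$5" 2>/dev/null
}

# Check before importing: print the subject of the certificate inside the
# bundle to confirm it names the host you are about to serve.
#   bundle_subject P12 EXPORT_PASS
bundle_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Constructed stand-in for the StartSSL key and certificate so the flow can be
# tried offline: an encrypted key plus a self-signed certificate for it.
#   make_stand_in DIR PASSPHRASE HOSTNAME
make_stand_in() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/enc.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/enc.key" -passin "pass:$2" \
        -subj "/CN=$3" -days 1 -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_stand_in "$d" s3cret www.example.com
    decrypt_key "$d/enc.key" s3cret "$d/plain.key"
    bundle_identity "$d/plain.key" "$d/cert.pem" "$d/www.p12" export123 www.example.com-StartSSL
    bundle_subject "$d/www.p12" export123
fi
```

With a real StartSSL certificate, replace the stand-in with the encrypted key and certificate downloaded from StartSSL and keep the plain key out of any backup that is not itself encrypted.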

In order to prove ownership of the domain you need to have an email server set up to receive email on the domain for which you need the SSL certificate. Although I thought this would be trivial to set up in 10.7 Server, it was a bit more complicated than expected.

Add the certificate to the server as follows:

  1. in Server.app select the server under Hardware
  2. select Settings
  3. select Edit under SSL Certificate
  4. select Manage Certificates from the settings menu
  5. click the plus and select Import a Certificate Identity
  6. drag and drop the pxkt file for www.example.com, make sure all three fields are filled in and select OK.

To add the SSL certificate to the web server:

  1. open Server.app
  2. select the Web server service
  3. select the website from the list for which the SSL certificate was created
  4. select the www.example.com-StartSSL certificate
  5. make sure the port is set to 443

As the email server has a different hostname, a separate SSL certificate has to be created and installed using the same procedure as before. Then, in Server Admin.app:

  1. select the server under Hardware
  2. select the Mail service
  3. select the Settings tab and under Advanced select the mail.example.com SSL certificate
  4. set SMTP to use SSL if possible, i.e. allow receiving without SSL, and set IMAP/POP to require it

Now if we check the SSL certificates associated with the hardware in Server.app we see a custom configuration: www.ssl for the web server and mail.ssl for the email server.

Now when we visit the site in Safari over HTTPS and click the lock icon in the top right to view the certificate used for SSL encryption, we have a green tick saying it was externally validated. Similarly, the option to SSL-encrypt email is now available.