In the wake of the recent Heartbleed bug, countless systems were left vulnerable to having their private keys compromised. This flaw was just that -- a flaw in the code. This bug had unintended consequences, mostly due to the widespread use of the affected version of the OpenSSL software.
Protecting your OS X Server communications is easy to do with the use of SSL certificates from a 3rd-party certification authority (CA). These low-cost certificates encrypt email, Wiki, VPN, IM and an assortment of other web-based services, ensuring communications are sent (and received) securely. Additionally, 3rd-party CAs provide clients peace of mind by assuring them that the server they're communicating with has been independently verified to provide the services it claims to offer.
Let's take a look at how to add an SSL certificate to OS X Server:
- Launch Server.app and select the server you wish to manage.
- Login with administrative credentials.
- Click on Certificates from the Server pane (Figure A).
- Click the plus sign [+] to initiate the Certificate Signing Request (CSR) wizard.
- Follow the steps after clicking Next in the CSR wizard to create a .CSR file, which will be used verify your server with the 3rd-party CA and generate a valid SSL certificate for your organization (Figure B).
- Enter the information for your organization when prompted, and then click Next (Figure C).
- The resulting CSR hash will be the encrypted version of the details entered on the previous screen. It's important to save this file, since some CAs accept a file upload for verification but others request that you copy and paste this hash on their registration page. Click the Save button to save the hash to file, and then click Finish to finalize the CSR process (Figure D).
- Once the request process is completed, your CSR will by greyed out and have a pending status under the Trusted Certificates section (Figure E).
- If you need to make changes to the pending CSR, click on it once to highlight it, then click on the cogwheel at the bottom of the window to access the drop-down menu, and select View Certificate Signing Request (Figure F).
- From this screen, there are three options:
- Click the Edit button to modify any .CSR information
- Click the Save button to save the .CSR file (in case it wasn't saved before or if any changes were made)
- Once the .CSR file has been uploaded to a 3rd-party CA, the SSL certificate that's generated will need to be copied to this location. Simply drag and drop the SSL certificate received from the vendor into the Certificate Files box, and click OK to complete the process (Figure G).
Once the import process has been completed, any services that rely on communications and/or that might be accessed from the internet will be encrypted, allowing end users to view the certificate to ensure the server(s) are protecting their data each way.
There are many SSL certificate sellers and resellers. A simple Google search will yield results from at least two-dozen possible vendors. Just make sure to do your homework and read their terms, policies, and legal rights. SSL certificates essentially perform the same function, yet not all SSL certs are created equal. Reading about what each service safeguards against (and what it doesn't protect) is almost as crucial as encrypting your client's communications in the first place.
Do you experience adding SSL certificates to OS X Server? Share your knowledge, plus any tips and tricks you may have to make the process easier, in the discussion thread below.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 15 years of experience and multiple certifications from several vendors, including Apple and CompTIA.