Apple OS X 10.7 Lion Server includes Profile Manager, a server-based solution for remote management of iOS devices and Mac computers. We are exploring this option as a potential tool for app catalogs and deployment on iOS devices. Profile Manager requires an Apple push certificate as well as a trusted SSL certificate (either self-signed or from a certificate authority). This document explains the steps involved in creating the certificate signing request (CSR) and implementing the SSL certificate in 10.7 Server using Apple's available tools rather than the OpenSSL method. Hopefully this document will streamline your implementation.
- OS X 10.7 Lion Server
- SSL certificate from certificate authority (CA). We chose DigiCert because we can manage all our certificates from a web interface.
Overview of the procedure:
- Create a self-signed certificate in Server.app
- Generate a CSR and request an SSL certificate from the certificate authority
- Import the SSL certificate into your server
- Import the Intermediate certificate into Keychain
- Assign the certificate to desired services
Detailed procedure: Create self-signed certificate and CSR request in Server.app
Launch Server.app and select the hostname of your server under the Hardware list. Select Settings, then click the Edit button next to the SSL Certificate field. In the "SSL Certificates" window, you may see certificates already assigned to services. Our previous self-signed certificate did not contain all the required information, so the DigiCert technician advised that we remove it and re-create the certificate with customized information. Your mileage may vary here. Click the "wheel" settings icon and select Manage Certificates... from the drop-down menu. Next, click the "+" sign and select Create a Certificate Identity... At this step you are creating a self-signed certificate, so leave the default settings intact and fill in the specific information regarding your server and your organization. Just remember to specify a key size of 2048 bits.
You are returned to the Manage Certificates window after the self-signed certificate is created. Click the "wheel" settings icon again and select Generate Certificate Signing Request (CSR)... from the drop-down menu. Save the text file and upload it to your certificate authority.
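Before uploading the saved CSR, it is worth confirming that it really carries a 2048-bit key and the hostname you intend to serve. The script below is an added example, not part of the original procedure or of Apple's tooling: it only inspects the file, and it assumes the `openssl` command-line tool is installed. The function names, the `mdm.example.com` hostname and the generated sample CSR are constructed placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before sending it to the CA.

# check_csr FILE EXPECTED_CN [MIN_BITS] -> returns 0 only if every check passes.
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}

    # 1. Self-signature: shows the request was signed with the matching private
    #    key and the saved file is intact. Match the message text rather than
    #    the exit status, which has differed between openssl versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; return 1; }

    # 2. Key size: the procedure above asks for 2048 bits.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, need $min_bits"; return 1; }

    # 3. Common Name: must be the hostname clients will connect to.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }

    echo "OK: $bits-bit key, CN=$cn"
}

# make_sample_csr OUT CN BITS: constructed test input standing in for the
# text file Server.app saves (throwaway key, placeholder organization).
make_sample_csr() {
    openssl req -new -newkey "rsa:$3" -nodes -keyout "$1.key" \
        -subj "/O=Example Org/CN=$2" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/sample.csr" mdm.example.com 2048
check_csr "$tmp/sample.csr" mdm.example.com          # passes
check_csr "$tmp/sample.csr" www.example.com || true  # wrong hostname is rejected
```

To use it on a real request, pass the path of the file Server.app saved and your server's hostname to `check_csr`.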
Detailed procedure: Import SSL certificate and Intermediate certificate in your Keychain
Depending on your certificate authority, you usually receive two certificates and instructions immediately or within a couple of hours. Also consult your CA's documentation on the certificates' names, because each certificate authority labels its certificates differently. Back in the Manage Certificates window in Server.app, click the "wheel" settings icon. This time select Replace Certificate With Signed Or Renewed Certificate... Drag and drop the server certificate file that matches your private key into the window.
The previous step imports the trusted SSL certificate and replaces the self-signed certificate with it; however, the server relies on Keychain to validate requests, so our next step is to make sure the certificate is recognized as trusted and valid. To add the intermediate certificate to your server, double-click the intermediate certificate file. In Keychain Access, the status should change from "This certificate was signed by an unknown authority" (in red letters) to "This certificate is valid" (in green letters).
Detailed procedure: assign the SSL certificate to the desired services
This is it! We need to assign the SSL certificate to the desired services and restart the server. In our case, we are implementing the SSL certificate as part of the Profile Manager setup, so we will associate the SSL certificate with the web service. Back in the SSL Certificates window in Server.app, change the web service to use the SSL certificate. As always, restart your server to ensure everything is fresh, and double-check the certificate validation in Keychain and its association with the web service before proceeding further.
Part 2: Configure Profile Manager in OS X 10.7 Lion Server is available here