SSL on macOS

Use an SSL certificate in macOS Server

The server can use an SSL certificate to identify itself electronically and communicate securely with users’ computers and other servers on the local network and the Internet.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created. However, users’ apps won’t trust self-signed certificates and will display a message asking whether the user trusts your certificate. Using a signed certificate relieves users of the uncertainty and tedium of manually accepting your certificate in these messages. A man-in-the-middle spoofing attack is possible with a self-signed certificate.

Select Certificates in the Server app sidebar.

To use one certificate for all services, choose a certificate from the “Secure services using” pop-up menu.

To use different certificates for each service, choose Custom from the “Secure services using” pop-up menu, then choose an available certificate for each service.

If the pop-up menu doesn’t contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate in macOS Server.

To use a previously generated SSL certificate, import it.

To disable secure connections, choose None.


Generate and import a Self-Signed SSL certificate on Mac OS X Sierra

Step 1: Verify that you have openssl installed.

If not, install openssl using:

If you are using Microsoft(r) Windows, check out http://gnuwin32.sourceforge.net/packages/openssl.htm for details about the openssl package on Windows.

If you are using Linux, you can use the default package manager to install the openssl package on your box. For example:

Step 2: Create a RSA private key.

server.key is a PEM RSA private key. To learn more about what a PEM file is and its significance, read What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? at serverfault.com.

Step 3: Create the Certificate Signing Request (CSR) utilizing the RSA private key we generated in the last step.

The ‘challenge password’ is used by the Certificate Authority (CA) to authenticate the certificate owner when they have to revoke the certificate. There is no way to revoke a Self-Signed Certificate via a Certificate Revocation List (CRL) (refer: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-private-key-and-certificate-signing-request).

As a result of executing the above command, you will find a file named server.csr (‘csr’ stands for Certificate Signing Request) in the same directory.

Step 4: Create a file named v3.ext with the contents listed below:

This step is required because, when you load the certificate in the Chrome browser, it displays the error shown in the screenshot below.

Setting the DNS.1 value in the v3.ext file to the same value as the Common Name you entered while generating the certificate signing request resolves the error. Refer to https://stackoverflow.com/questions/43665243/chrome-invalid-self-signed-ssl-cert-subject-alternative-name-missing for more details about the subject alternate name missing error and the solution.

  1. Create the SSL Certificate utilizing the CSR created in the last step.

The above command uses the Certificate Signing Request and the RSA private key generated in the previous steps to produce a certificate file named server.crt (‘crt’ is an abbreviation of ‘Certificate’) in the same directory.
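The key, CSR, v3.ext and certificate steps above, as an added example that is not the original article's commands. The file names come from the text; the 2048-bit key, 365-day validity, extension values and the host name passed in are assumptions. The two helper functions check that the certificate carries the subjectAltName Chrome requires and that it matches the private key.

```shell
#!/bin/sh
# Added example: key -> CSR -> v3.ext -> self-signed certificate with a SAN.
# File names follow the page; key size, validity and extensions are assumptions.

make_selfsigned() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # private key readable by its owner only
        # Step 2: RSA private key in PEM format
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        # Step 3: CSR; -subj sets the Common Name without interactive prompts
        openssl req -new -key server.key -out server.csr -subj "/CN=$host" || exit 1
        # Step 4: extension file; DNS.1 must equal the CSR's Common Name
        cat > v3.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
EOF
        # Sign the CSR with its own key (self-signed) and apply the extensions
        openssl x509 -req -sha256 -days 365 -in server.csr \
            -signkey server.key -extfile v3.ext -out server.crt
    )
}

# Succeeds only if the certificate lists exactly this host as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# Succeeds only if the certificate's public key belongs to the private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh make_cert.sh <output-dir> <hostname>
if [ "$#" -eq 2 ]; then
    make_selfsigned "$1" "$2" && cert_has_san "$1/server.crt" "$2"
fi
```
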


Step 5: Import the newly generated certificate in your Keychain (Mac OSX only).

Since this is a self-signed certificate, the browser would display a warning mentioning that the certificate is self-signed and the website should not be trusted as portrayed in the below-listed screenshot captured on the Chrome browser.

Click the Advanced hyperlink at the bottom of the warning page and click Proceed to hyperlink.

The browser will allow you to proceed and open the homepage but will mark the site as Not-Secure as portrayed in the image below.

To avoid accepting the self-signed certificate every time you restart Chrome or restart your web server, follow the steps outlined at Google Chrome, Mac OS X and Self-Signed SSL Certificates to add the certificate to your Mac OSX Keychain. Restart Chrome.

Other platforms like Microsoft(r) Windows and Linux have similar techniques to import a certificate into a browser. A quick Google(r) search should be able to provide you with the exact steps based on the browser that you use.

Now Chrome should happily display the green ‘Secure’ icon against the URL when you navigate to your locally deployed website. Also, the Security tab within the Developer Tools should list the site as ‘Secure’ as portrayed in the screenshot below.


Installing an SSL certificate on IBM servers

Installing an SSL certificate in Mac OS X Server 10.5

Once your SSL certificate has been signed and issued, we will send you an email that lets you download the signed certificate and our intermediate certificate bundle, both of which must be installed on your website.

Before installing the certificate, complete the following procedure to install the intermediate CA certificate:

  1. Visit the repository.
  2. Download the intermediate certificate file.
  3. Launch the Keychain Access application (/Applications/Utilities/Keychain Access).
  4. If the button in the lower-left corner of the Keychain Access window is labeled "Show Keychains", click it to display the list of keychains.
  5. Select the "System" keychain.
  6. Choose "File -> Import". Navigate to and select the intermediate certificate file you downloaded in step 2 above.
  7. Enter your password when prompted to authenticate in order to modify the keychain.
  8. Verify that "Secure Certificate Authority" appears in the list.
  9. Quit the Keychain Access application.

Use the following procedure to install the server certificate on your system:

  1. Launch the Server Admin tool and connect to the server on which you want to install the certificate.
  2. Highlight the server node in the SERVERS list.
  3. Click the "Certificates" button in the toolbar at the top of the right pane.
  4. Select the item that represents the certificate you requested. Click the "Gear" button, then choose "Add Signed or Renewed Certificate from Certificate Authority".
  5. Paste the text of your certificate into the field. Be sure to include the header and footer lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Click "OK".
  6. Click the "Save" button.
  7. Assign the certificate to your services.

Once your certificate and the intermediate CA certificate are installed, you can assign the certificate to the desired services (Web, Mail, iChat, Open Directory, etc.). In the appropriate settings area for the required service, select the certificate you just installed and click the "Save" button.

Installing an SSL certificate in Mac OS X Server 10.6

Two separate certificates must be installed: the intermediate certificate and the server certificate.

  1. Copy the certificate files to your server.
  2. Launch the Keychain Access application (/Applications/Utilities/Keychain Access).
  3. If the button in the lower-left corner of the Keychain Access window is labeled "Show Keychains", click it to display the list of keychains.
  4. Select the System keychain.
  5. Click the lock icon in the upper-left corner to unlock the System keychain. Authenticate as a user with administrator rights when prompted.
  6. Choose "File -> Import". Navigate to the intermediate certificate you copied to your server and select it.
  7. Verify that "Secure Certificate Authority" appears in the list.
  8. Quit the Keychain Access application.
  9. Launch the Server Admin tool and connect to the server on which you want to install the certificate.
  10. In the "Servers" pane, select the server on which you want to install the SSL certificate.
  11. Click "Certificates" in the toolbar at the top of the right pane.
  12. Select the item that represents the certificate you requested. Click the "Gear" button, then choose "Add Signed or Renewed Certificate from Certificate Authority".
  13. Drag the file containing the server certificate onto the blue certificate icon that appears after the previous step. Be sure to drag the file with the server certificate. Do NOT use the file containing the intermediate certificate.
  14. Click "Replace Certificate".
  15. Assign the certificate to your services.

Once your certificate and the intermediate CA certificate are installed, you can assign the certificate to the desired services (Web, Mail, iChat, Open Directory, etc.). In the appropriate settings area for the required service, select the certificate you just installed and click the "Save" button.


Installing OpenSSL library on macOS Catalina

Yaşar Yücel Yeşilbağ

Sep 18, 2020

Whether you are building apps for just macOS or for cross-platform, if your app is using OpenSSL for crypto-works, you will have to install OpenSSL library since macOS ships with LibreSSL. Furthermore, cross-platform cryptography in .Net Core and .Net 5 uses OpenSSL on macOS.

Installing OpenSSL library on macOS seems easy at first, but in practice can be a real pain in the back. Here is my journey of installing OpenSSL 1.1.1g on macOS Catalina (10.15.6) and making it reachable by my .Net Core apps. I tried to write complete and generalized instructions that are applicable to as many systems as possible. I also avoided symbolic linking (ln -s) and install_name_tool, since for me those are last options.

Installing OpenSSL

First, open a terminal, and see if OpenSSL is already installed:

If it’s not installed, you’ll see “Not installed” among the first few lines of output. Or maybe it’s not the latest version. So, install or update if necessary:

Check if the system sees the library directly:

This command prints the SSL library that comes first in the PATH environment variable, which is either LibreSSL or OpenSSL at some version. OpenSSL doesn’t need to be there to be reachable. If you want it there for some reason, follow the instructions below; otherwise jump to the Making OpenSSL Reachable section.

Run the command “brew info openssl” again:

Since OpenSSL is keg-only [1], it has to be referenced through an environment variable. The printed instruction does this: it is the echo ‘export… line in the red rectangle in the screenshot above. It may look a bit different on your system because it depends on the version. Copy, paste and run that line so that the necessary command is written to the .profile file [2].

To see what was written to the .profile file, run the command below in your home directory:

Run the .profile file manually to avoid having to log off and log on at this time:


Check if system sees it now:

It should now print the up-to-date OpenSSL.

Making OpenSSL Reachable

When an app wants to use a library, macOS searches several locations to find it. We have to find the library path of OpenSSL and add it to the DYLD_LIBRARY_PATH environment variable. For this purpose, run the “brew info openssl” command again.

The path in the red rectangle in the screenshot above is the path where OpenSSL is installed. To get the library path we’re looking for, just append /lib to it. We want this library path to be added to the aforementioned environment variable at every user logon. We’ll use the command below for this; just replace the …/lib path with the one you have.

Run the .profile file [2] manually to avoid having to log off and log on at this time:

This should do the trick normally. But I’ve read that on some systems apps still cannot find the OpenSSL library. So, try running your OpenSSL app. If the app gives an error like “No usable version of libssl was found. Abort trap: 6” or “PlatformNotSupportedException”, you may have to install or update libssh2. I didn’t need it but here it is:

Since libssh2 is not keg-only [1], it will be readily accessible without adding it to any environment variable.

That’s it! Now OpenSSL library should be reachable from any app. At least that’s the common hope 😊 This was not the funniest thing I did so far, but it was necessary. And I wrote it down here to be a reference for everyone.

I wish you installations funnier than this one 😁 Now I need some beer 🍺

Note [1]: For software installed via brew, “keg-only” means it is installed in /usr/local/Cellar but not linked into places like /usr/local/bin or /usr/local/lib. This means most tools will not find it.


SSL Certificates — OS X Mavericks

I am trying to connect to an application on localhost which uses SSL. I am using Mac OS X Mavericks. The error I am getting is the following:

I tried to add certificates to the chain:

Still getting the same error.

4 Answers

In some cases it will be better to use standard curl (e.g. if you develop code on a Mac for Linux or *BSD). In this case you can do the following:

Install curl with standard certificates support (no more Keychain certs).

brew install curl --with-openssl && brew link curl --force

Install root CA certs from http://curl.haxx.se/ca/cacert.pem into /usr/local/etc/openssl/certs/cacert.pem

After 4 steps you can use curl with certificates from file, not from Keychain.

--cacert and --cert are broken in OSX Mavericks.

The workaround is here: http://curl.haxx.se/mail/archive-2013-10/0036.html which indicates that you need to import the certificate as a trusted system cert:

Import the certificate into the system («System») or user («login») keychain using Keychain Access and mark it as always trusted for SSL and X.509 basic policy.

There are two things you can do:

(1) Convert the .pem certificate to .p12:

and use it with curl with the PASSWORD you pick when converting:

(2) Drag the .pem file into your keychain, open the info pane, set it to ‘always trust’ for SSL and X.509, and note the COMMON-NAME (name of certificate).

Both work for me on OSX 10.9 with cURL 7.35.0
