By Vincent Danen
March 8, 2010, 11:04 AM PST
Takeaway: Vincent Danen explains how to use the Certificate Assistant that comes with Mac OS X to create your own certificate authority (CA) from within the Keychain Access application.
If you want to run SSL-based services inside your organization or on your LAN, the certificates those services present need to be signed by a CA your clients trust. Creating and managing your own CA can be daunting if you have never done it before, but there are now tools that make it easier than it used to be; the Certificate Assistant built into the OS X Keychain Access application is one of them.
To begin, launch the Keychain Access application. Once it is open, select Keychain Access from the menu bar, then Certificate Assistant, and from the submenu choose Create a Certificate Authority. This opens the Certificate Assistant and walks you through creating your own certificate authority, which you can then use to sign SSL certificates.
Give your CA a name, and use Self Signed Root CA as the identity type. For User Certificate, leave the default (S/MIME Email); this is changed later. On the next page, change the validity period if you wish (the default is one year), and select Create a CA Web Site. Next, fill in the information used to build the certificate's subject: City, State, Country, and so forth. The following screens cover key size and algorithm; leaving these at 2048-bit RSA is fine. Finally, on the Key Usage Extension pane, ensure that Signature, Certificate Signing, and CRL Signing are all checked, since a CA that cannot sign certificates or revocation lists is of little use.
When you reach the Extended Key Usage Extension page, make sure Any is selected if you want this CA to be able to sign all types of SSL certificates. If it is only meant to sign specific types (for example, only SSL client certificates), then check only the capabilities you want, because a verifier that honours extended key usage will reject certificates used for a purpose the chain does not permit. On the next page, you select the capabilities the CA may grant to requesters; check Any here as well so that the CA can sign any type of request. Finally, on the page after that, make sure both Include Basic Constraints Extension and Use This Certificate as a Certificate Authority are enabled; without the CA flag in Basic Constraints, clients will not accept certificates it signs.
There are other pages in the process that are not mentioned here; it is safe to leave them at their defaults. The last pane asks which keychain should hold the CA's certificate and private key, and whether to trust certificates signed by this CA on the local machine. Select a keychain (System, login, or one you create specifically to hold the CA and its requests) and enable the trust option. Note that this trust setting applies only to the Mac you are working on; any other client that should accept certificates from this CA needs the CA certificate (never the private key) imported into its own trust store. The CA's private key is the one secret that makes the whole scheme work, so keep the keychain that holds it off shared machines and back it up securely.
Now that the CA exists, you can also create certificates and signing requests with the Certificate Assistant. To quickly create a certificate for a Web site, choose Create a Certificate from the Keychain Access menu. For the name, use the host name of the Web site, and for the identity type, select Leaf. For the certificate type, select SSL Server; SSL Client is for certificates that authenticate a client to a server, and a web server presenting one will be rejected by browsers that check extended key usage. When asked to choose an issuer, select the CA you just created.
The key and certificate are saved to the keychain you chose earlier, with a default one-year expiry. Looking in Keychain Access, you will see the certificate and the RSA private key associated with it. Right-click the private key and you will see the option Request a Certificate From a Certificate Authority; selecting it opens the Certificate Assistant again and lets you create a certificate signing request (Figure A). In the window that opens, use the Common Name field for the host name of the service (for a certificate for foo.test.com, use foo.test.com as the CN, not the full URL; for an S/MIME email certificate, use the email address), then save the request to disk. Keep in mind that current browsers match a server certificate against its Subject Alternative Name extension rather than the CN, so a server certificate should carry the host name there as well.
Figure A
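The same workflow, done with OpenSSL on the command line, is shown below as an added example (it is not part of the original article and not Apple's tooling). It builds a root CA with the Basic Constraints and Key Usage settings recommended above, issues a server leaf and a client leaf for the same host name, and then uses openssl verify with an explicit purpose to show why the leaf type matters: the client-type certificate is rejected when checked as an SSL server certificate. The CA carries no Extended Key Usage extension, which OpenSSL treats as unrestricted. The names "Example Internal CA", "Example Org" and foo.test.com are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): a private root CA and two
# leaves built with OpenSSL so the extension choices made in Certificate
# Assistant can be inspected and verified. All names below are made up.
set -eu

# Build a self-signed root CA in $1. Basic Constraints CA:TRUE plus Key Usage
# digitalSignature, keyCertSign, cRLSign mirror the Key Usage Extension pane.
# No EKU is set: OpenSSL treats an absent EKU as unrestricted.
make_root_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Internal CA
O = Example Org
C = US
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Create a key and CSR for host $2 in $1, then sign it with the CA as a leaf
# of kind $3 ("server" -> EKU serverAuth, "client" -> EKU clientAuth),
# writing $1/$3.crt. The CN is the bare host name (not a URL) and the same
# name goes into a SAN, which is what current clients match against.
issue_leaf() {
    dir=$1; host=$2; kind=$3
    case $kind in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "unknown leaf kind: $kind" >&2; return 1 ;;
    esac
    cat > "$dir/$kind.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$kind.cnf" \
        -keyout "$dir/$kind.key" -out "$dir/$kind.csr" 2>/dev/null
    cat > "$dir/$kind.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$host
EOF
    openssl x509 -req -days 365 -in "$dir/$kind.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$kind.ext" -out "$dir/$kind.crt" 2>/dev/null
}

# Return 0 if certificate $2 chains to the CA in $1 and is acceptable for
# purpose $3 (sslserver or sslclient). A leaf issued with the wrong type
# chains fine but is rejected for the purpose it is actually used for.
verify_for() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration: every kind/purpose combination for foo.test.com.
demo() {
    d=$(mktemp -d)
    make_root_ca "$d"
    issue_leaf "$d" foo.test.com server
    issue_leaf "$d" foo.test.com client
    for kind in server client; do
        for purpose in sslserver sslclient; do
            if verify_for "$d" "$d/$kind.crt" "$purpose"; then r=OK; else r=REJECTED; fi
            echo "$kind.crt checked as $purpose: $r"
        done
    done
    rm -rf "$d"
}

demo
```

Running the script prints that server.crt is accepted as sslserver and rejected as sslclient, while client.crt is the reverse. To see the extensions that drive those decisions, run openssl x509 -noout -text on the CA and leaf files; the CA should show CA:TRUE with Certificate Sign and CRL Sign, and the leaves should show the expected Extended Key Usage and Subject Alternative Name.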