Mac OSX Server - SSL Cert Install Step-By-Step
Posted: Sun Oct 28, 2012 5:12 pm
So, after working on this for over a week, I thought I'd commit this to paper, for anyone in similar situation.
This guide is for people running Mac OSX Server, whether Snow Leopard Server, Lion Server, Mountain Lion Server, etc. The instructions should be the same for all of them, though I performed this on Mountain Lion servers, specifically 10.8.2 with Server 2.1.1. These instructions differ from spookybathtub's excellent tutorial at http://forum.subsonic.org/forum/viewtopic.php?f=6&t=9400 in that his was written for folks running basic Mac OSX, not for those of us who run Server and already have pre-existing certs in the cert store on the box. There are real differences, some of which make our process easier and some of which make it more finicky; the point is, it's different on Server, so I am laying out a process here for folks who have OSX Server up and running already and now want to deploy Subsonic with SSL-based access. Okay then...
System Requirements for this process to work as written:
1. Intel-based Mac running Leopard Server, Snow Leopard Server, Lion Server, or Mountain Lion Server.
2. An installed and working SSL certificate (plus any intermediate certs needed to complete the chain) within Server Admin. ****BTW, if you don't know how to load a real cert into Mac OSX Server, there are plenty of Apple docs explaining how to do it. That is not the focus of this tutorial.**** The cert is assumed to be signed by a publicly trusted CA, NOT self-signed (a self-signed cert will produce browser warnings no matter how correctly the steps below are followed). [Important note: the cert needs to be enabled in Server Admin as the cert for the box, though the OSX Server services themselves do not need to be enabled or running yet. For example, I performed this in one case with nothing but the DNS service running on 10.8.2 OSX Server; the point is I had my RapidSSL cert (and its intermediate cert chain) installed in OSX Server per the usual Apple method *prior* to embarking on this exercise.]
3. It is assumed that you already have a basic Subsonic install in place.
4. It is assumed that you have already edited Subsonic's Info.plist to assign an HTTPS port (the subsonic.httpsPort option). Port 4040 for plain HTTP can be left enabled, since once an HTTPS port is assigned Subsonic redirects every connection on the HTTP port to the HTTPS port.
5. Lastly, I assume you are smart enough to know that Subsonic should now be shutdown completely, as in, not running, while we perform the surgery below.
So, with the above background, let's get started:
As you may or may not know, when you install OSX Server onto a Mac, one of the things it does is create the directory /private/etc/certificates. So let's go there...
- Code:
cd /private/etc/certificates/
Let's take a look at what's there...
- Code:
server:certificates admin$ ls -la
total 40
-rw-r--r-- 1 root wheel 1769 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.cert.pem
-rw-r--r-- 1 root wheel 5572 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.chain.pem
-rw-r----- 1 root certusers 3512 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.concat.pem
-rw-r----- 1 root certusers 1743 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.key.pem
drwxr-xr-x 6 root wheel 204 Oct 21 03:29 .
drwxr-xr-x 140 root wheel 4760 Oct 21 14:03 ..
As you can see, I am using a wildcard SSL cert, but the process is no different for a more typical host-name based cert, i.e. one issued for the specific hostname 'server.mydomain.com'. I just happen to use wildcard certs for most everything I do and they work perfectly. Obviously, you can save a few bucks by getting a cert tied to a specific FQDN, but that's totally up to you. Okay then...
So what is this mess in /private/etc/certificates? Four PEM files that OSX Server wrote for us when we loaded the real cert and chain through the Server Admin GUI, nothing you have to place there by hand: the .cert.pem is your host certificate on its own; the .chain.pem is the host certificate followed by the intermediate (and, depending on the CA, root) certs needed to complete the chain; the .concat.pem is the host certificate followed by the private key (note that it carries the same root:certusers 0640 permissions as the key, and its size, 3512 bytes, is exactly 1769 + 1743); and the .key.pem is the encrypted private key. Keep that permission split in mind for the rest of this exercise: the two files holding key material are readable only by root and the certusers group, while the two holding nothing but public certificates are world-readable.
So, seeing that these files are exactly as expected, sitting quietly in /private/etc/certificates, let's make magic happen:
First step is to create a PKCS12 formatted file that marries the .chain.pem (host cert plus intermediates) to the private key. The key file is readable only by root and the certusers group, so run this with sudo (the root-owned output in the listing further down shows that is how it was done here):
- Code:
sudo openssl pkcs12 -export -inkey \*.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.key.pem -in \*.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.chain.pem -out cert-chain.pkcs12
You will be prompted for the pass phrase for the private key. Keep in mind that when you installed your cert in OSX Server, the OS encrypted the private key file with a one-time random pass phrase (not one that you ever chose yourself!). In case you don't know this, you can scrape the pass phrase out of Keychain Access: open the System keychain, go to the Passwords category, and choose the item related to "certificate management". If you either launch Keychain Access with sudo or authenticate with a server admin's password when prompted, you will be given a "Show Password" option in the Keychain GUI. Copy that to the clipboard, because it is critical to this process!
Okay then, paste that big long ugly lookin' pass phrase into the command line when prompted. Once done, you will get the next prompt to:
Enter Export Password:
...the Export Password *must not be left blank*, and more importantly, must be "subsonic" without the quotes: that is the fixed password Subsonic's booter uses to open its keystore, so nothing else will work. Hit enter. You will then be prompted for:
Verifying - Export Password:
...type "subsonic" again and hit enter. Okay, at this point, you should now have your new .pkcs12 cert file in /private/etc/certificates. As you probably guessed, it's called cert-chain.pkcs12. Let's check it out:
- Code:
server:certificates admin$ ls -la
total 472
-rw-r--r-- 1 root wheel 1769 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.cert.pem
-rw-r--r-- 1 root wheel 5572 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.chain.pem
-rw-r----- 1 root certusers 3512 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.concat.pem
-rw-r----- 1 root certusers 1743 Oct 21 03:29 *.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4.key.pem
-rw-r--r-- 1 root wheel 5685 Oct 27 23:10 cert-chain.pkcs12
drwxr-xr-x 2 root wheel 1904 Oct 28 00:07 .
drwxr-xr-x 24 root wheel 3808 Oct 28 00:05 ..
Okay then, from within this same directory, it's time to use keytool to convert the PKCS12 into a Java keystore that Subsonic's embedded Jetty will accept. One thing to notice in the listing above first: cert-chain.pkcs12 came out -rw-r--r--. It holds your private key, protected only by the password "subsonic", yet unlike the .key.pem it is readable by every local user. chmod 600 it now, and delete it once the keystore is built:
- Code:
sudo keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore
It prompts you to Enter Destination keystore password: [again, must be "subsonic" without the quotes]
Re-enter password: [you guessed it, "subsonic" again without the quotes]
Then you will see a prompt for Enter Source keystore password: [must be the one we used above, which by now you know is "subsonic" without the quotes]
If you did this right, you will get the following:
- Code:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
If it makes you feel better, do another ls -la in this directory, and you should see the new file subsonic.keystore. It contains the private key just like the PKCS12 did, so give it the same treatment (chmod 600, and remove it once it is inside the jar). Right. Now we need to shove that beautiful little keystore into Subsonic's booter jar, which is where Subsonic looks for a file named subsonic.keystore, the way the good lord intended. Make a backup copy of the jar before you touch it. This is the last step kids, hold on tight:
- Code:
sudo jar uf /Applications/Subsonic.app/Contents/Resources/Java/subsonic-booter-jar-with-dependencies.jar subsonic.keystore
If you are simply returned to the command prompt with no errors, you have VICTORY! One caveat before celebrating: because the keystore password is fixed and public, the jar now holds your private key protected by nothing but file permissions. Do an ls -l on the jar and make sure only the accounts that need to read it can.
Start up Subsonic, open your Subsonic webpage, and you'll notice that HTTPS is working on your assigned HTTPS port with NO CERTIFICATE ERRORS!!!! Try several browsers just to be sure (Safari in particular, and now IE 9, make it easy to follow the cert chain and see that each cert in it is valid and installed properly). Enjoy your secure Subsonic web instance!
Cheers,
-ManWithAPlan
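As an added example (not part of the original post, and not Subsonic's own code), here are the three commands above wrapped in a small sh script with the checks I would want around them: that the private key really belongs to the host cert, that the chain verifies before anything is exported, that the pass phrases never appear on the command line (openssl's env: form instead of pass:), that the PKCS12 and keystore are created owner-only in a temp directory and removed afterwards instead of being left 0644 in /private/etc/certificates, and that the keystore and the jar actually contain what they should. It assumes the file names and paths from the listing above (placeholders for yours), the fixed keystore password "subsonic" from the post, root privileges, and openssl, keytool and jar on the PATH; the variable names, the KEYPASS and CA_BUNDLE environment variables and the "run" argument are my own invention.

```shell
#!/bin/sh
# Added example, not from the original post: the post's three conversion steps
# (openssl pkcs12 -> keytool -> jar uf) with the checks an operator wants before
# and after. File names and paths are taken from the post's listing and are
# placeholders for your own; KEYPASS and CA_BUNDLE are this script's own names.
set -eu
umask 077   # everything created below (PKCS12, keystore, backup) is owner-only

CERT_DIR=/private/etc/certificates
BASE='*.mydomain.com.7AC747142D7508EF899610497D140E1DB0A8ECA4'
KEY="$CERT_DIR/$BASE.key.pem"       # encrypted private key (root:certusers 0640)
CERT="$CERT_DIR/$BASE.cert.pem"     # host certificate on its own
CHAIN="$CERT_DIR/$BASE.chain.pem"   # host certificate + intermediates
JAR=/Applications/Subsonic.app/Contents/Resources/Java/subsonic-booter-jar-with-dependencies.jar
STOREPASS=subsonic                  # fixed by the Subsonic booter and therefore public:
export STOREPASS                    # file permissions are the only real protection

# The private key must belong to the host certificate: derive the public key from
# each and compare. The key pass phrase is read from $KEYPASS via openssl's env:
# form so it never shows up in the process list (pass:... would).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The chain must lead from the host cert to a trusted root; a missing intermediate
# is exactly what produces browser warnings after deployment. $3 is an optional CA
# bundle to trust instead of the default store (which may be empty on OS X's OpenSSL).
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$3" -untrusted "$1" "$2" >/dev/null 2>&1
  else
    openssl verify -untrusted "$1" "$2" >/dev/null 2>&1
  fi
}

install_subsonic_keystore() {
  if [ -z "${KEYPASS:-}" ]; then   # the random pass phrase from the System keychain
    printf 'Private key pass phrase (Keychain -> System -> "certificate management"): '
    stty -echo; read -r KEYPASS; stty echo; printf '\n'   # needs a terminal
  fi
  export KEYPASS
  key_matches_cert "$KEY" "$CERT" || { echo "private key does not match $CERT" >&2; return 1; }
  chain_verifies "$CHAIN" "$CERT" "${CA_BUNDLE:-}" \
      || { echo "$CHAIN does not verify to a trusted root" >&2; return 1; }

  work=$(mktemp -d -t subsonic.XXXXXX)   # both files below contain the private key:
  trap 'rm -rf "$work"' EXIT             # remove them on exit instead of leaving 0644 copies
  openssl pkcs12 -export -inkey "$KEY" -passin env:KEYPASS -in "$CHAIN" \
      -passout env:STOREPASS -out "$work/cert-chain.pkcs12"
  keytool -importkeystore -srckeystore "$work/cert-chain.pkcs12" -srcstoretype PKCS12 \
      -srcstorepass "$STOREPASS" -destkeystore "$work/subsonic.keystore" \
      -deststorepass "$STOREPASS" -noprompt
  keytool -list -keystore "$work/subsonic.keystore" -storepass "$STOREPASS" \
      | grep -q PrivateKeyEntry || { echo "keystore has no private key entry" >&2; return 1; }

  cp -p "$JAR" "$JAR.bak"                # keep an untouched copy of the booter jar
  (cd "$work" && jar uf "$JAR" subsonic.keystore)
  jar tf "$JAR" | grep -qx subsonic.keystore \
      || { echo "subsonic.keystore missing from jar" >&2; return 1; }
  ls -l "$JAR"                           # who can read the jar can read the key
}

if [ "${1:-}" = run ]; then install_subsonic_keystore; fi
```

Run it as `sudo sh install-subsonic-keystore.sh run`; set KEYPASS in the environment beforehand if you would rather not be prompted, and CA_BUNDLE to a PEM bundle if your OpenSSL has no default trust store. Once Subsonic is back up, `openssl s_client -connect server.mydomain.com:<your HTTPS port> -showcerts` shows exactly which certs Jetty is sending, which is a quicker check than clicking through several browsers.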