Jan 01

Importing Security Certificates into the Mac OS X Certificate Store

By Q

The release of SBS 2003 gave us a much-needed feature – SSL Security Certificates at no additional cost. Well, no monetary cost, anyway. These certificates are self-signed: the certificate will enable SSL communications on the SBS server (for Outlook Web Access, Remote Web Workplace, and other services), but clients do not trust it, because it was not issued by a certificate authority they already trust. In the Windows world, this is not much of a problem. When you connect to a site using a self-signed certificate, you are presented with a warning indicating that the certificate is not valid, specifically pointing out that it is signed by a non-trusted authority. To get past this, you click Yes and go on.

Not surprisingly, this is a little different in the Macintosh world.

Using Microsoft Internet Explorer on the Mac to connect to these same sites results in a hard block. IE generates an error, not a warning, and refuses to continue to the site. On top of that, Microsoft has discontinued development of IE for the Mac.

Fortunately, there are workarounds. Unfortunately, none of them involve IE for the Mac.

People using Netscape 4.x or 7.x for the Mac are prompted with a similar warning when accessing these sites. Netscape gives you the option to add the security certificate to its own certificate store. This works very well for Netscape, but there are also times when access to one of these sites takes place outside the web browser entirely.

Mac OS X has its own internal certificate store. This store is used by the Safari web browser and other services in Mac OS X. It is also used by Entourage 2004 to connect to an Exchange server. You can import these self-signed certificates into the OS store as a trusted certificate, and that will allow Safari and other tools that look to the OS store for certificates to communicate securely with the server without generating warnings or errors.

There are two parts to this process. The first is exporting the certificate from the server; the second is importing that certificate into the Mac OS store.

Follow these steps to export the OWA certificate from the server:

  1. Open Internet Information Services (IIS) Manager.
  2. Expand the server and then expand Web Sites.
  3. Right-click Default Web Site, and then click Properties.
  4. Select the Directory Security tab, and then click View Certificate.
  5. Select the Details tab, and then click Copy to File.
  6. In the Certificate Export Wizard, click Next.
  7. On the Export Private Key window, select No, do not export the private key, and then click Next.
  8. On the Export File Format window, select DER encoded binary X.509 (.CER), and then click Next.
  9. On the File to Export window, enter a file name, and then click Next.
  10. Click Finish to complete the wizard.

After you export the OWA certificate and copy the certificate file to the Mac OS X computer, you can add the certificate as a trusted certificate using either the UNIX interface on the Macintosh or a third-party utility, such as the freeware program CerttoolGUI 0.1. This utility is available at either of the following Web sites:

http://macupdate.com/info.php/id/10947
http://www.versiontracker.com/dyn/moreinfo/mac/18496

Follow these steps to add the certificate using CerttoolGUI 0.1:

  1. Rename the certificate file to have a .DER extension instead of .CER, and then copy the file to the root of the Macintosh hard disk drive.
  2. Start CerttoolGUI.
  3. Click Add certificate. The certificate will show in the CerttoolGUI certificate list.
  4. Select the certificate, and then click Import certificates. The certificate state will show as added.
  5. Close CerttoolGUI. Safari will no longer warn about the certificate.

Follow these steps to add the certificate using the UNIX interface on Mac OS X:

  1. Copy the certificate file to the root of the Macintosh hard disk drive. Do not rename the file.
  2. Start the Terminal program. To do this, click Macintosh HD, click Applications, click Utilities, and then click Terminal.
  3. Type “cd /” and then press Enter.
  4. Type “sudo certtool i certname.cer d k=/System/Library/Keychains/X509Anchors” (without the quotes) and then press Enter, where “certname.cer” is the name of the certificate file.
  5. When prompted, enter the password for the local Macintosh account.
  6. To verify the certificate was added correctly, type “sudo certtool y k=/System/Library/Keychains/X509Anchors | grep yourdomain” (without the quotes) and then press Enter, where “yourdomain” is the SBS 2003 domain. If the certificate was added correctly, you will see two or more lines starting with Common Name that display the name of the server.
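Before the certificate goes into X509Anchors (where every application that uses the system store will trust it), it is worth confirming that the file you copied over is the one you exported. The script below is an added example and not part of the original post or of certtool: it parses the DER-encoded .cer with a small hand-written ASN.1 reader, lists the issuer and subject Common Names, reports whether the issuer name matches the subject name (as it should for the SBS self-signed certificate), and computes the SHA-1 fingerprint, which you can compare against the Thumbprint field on the Details tab of the certificate on the server. It uses only the Python standard library; the certificate it inspects is constructed inline with a placeholder key, placeholder signature and the hypothetical name sbs.example.local, so it is not a real server certificate.

```python
"""Sanity-check a DER-encoded (.cer/.der) certificate before importing it into
the Mac OS X trust store.  Added example; the sample certificate is constructed
here (placeholder key and signature) and is not a real server certificate."""
import hashlib

OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 (id-at-commonName)
OID_SHA1_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05])  # 1.2.840.113549.1.1.5


# --- minimal DER reader ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Read one tag-length-value starting at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed value (SEQUENCE/SET) into (tag, value) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def common_names(name_der):
    """Return every commonName in an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue).

    PrintableString and UTF8String values (what SBS/IIS emit) decode as UTF-8 here."""
    cns = []
    for _, rdn in children(name_der):                   # each RDN is a SET
        for _, atv in children(rdn):                    # each ATV is a SEQUENCE
            (_, oid), (_, value) = children(atv)
            if oid == OID_COMMON_NAME:
                cns.append(value.decode("utf-8"))
    return cns


def inspect_certificate(der):
    """Return the CNs, whether issuer Name == subject Name, and the SHA-1 fingerprint.

    The fingerprint is SHA-1 over the whole DER encoding, which is what the Windows
    certificate dialog displays as the Thumbprint.  Matching names is a necessary
    (not sufficient) sign of a self-signed certificate; no signature is verified."""
    _, cert, _ = read_tlv(der)                          # Certificate ::= SEQUENCE
    tbs = children(cert)[0][1]                          # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    issuer, subject = fields[2][1], fields[4][1]
    return {
        "subject_cn": common_names(subject),
        "issuer_cn": common_names(issuer),
        "issuer_matches_subject": issuer == subject,
        "sha1_fingerprint": hashlib.sha1(der).hexdigest().upper(),
    }


# --- constructed sample input (NOT a real certificate) ---------------------
def der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(cn):
    """Build a one-RDN Name holding only a commonName as a UTF8String."""
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def sample_certificate(subject_cn, issuer_cn):
    """Constructed certificate skeleton with a placeholder key and signature."""
    alg = der(0x30, der(0x06, OID_SHA1_RSA) + der(0x05, b""))      # sha1WithRSAEncryption
    validity = der(0x30, der(0x17, b"050101000000Z") + der(0x17, b"060101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" * 9))                  # placeholder public key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                   # [0] version v3
                    + der(0x02, b"\x01")                            # serialNumber
                    + alg + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))           # placeholder signature


if __name__ == "__main__":
    # Hypothetical SBS server name; with a real export you would read the file:
    # der_bytes = open("certname.cer", "rb").read()
    der_bytes = sample_certificate("sbs.example.local", "sbs.example.local")
    for key, val in inspect_certificate(der_bytes).items():
        print(f"{key}: {val}")
```

If `issuer_matches_subject` is False for the file you exported, or the fingerprint differs from the Thumbprint on the server, do not run the certtool import; the file is not the SBS self-signed certificate you intended to trust.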
Categories: How To, Mac