I've got a couple of Mac OS X 10.6.8 Server web servers that run a custom AMP255 (Apache 2.x, MySQL 5.x, and PHP 5.x) stack installed using MacPorts. We've got a lot of Mac OS X Server servers and generally install SSL certs via Server Admin and they "just work" in the built-in services, however, these web servers have always had SSL certs installed in a non-standard location and used only for Apache.
Long story short, we're trying to standardize this part of our administration and install certs via Server Admin, but have run into the following issue: when the certs are installed via Server Admin and referenced in our Apache conf files, Apache then prompts for a password upon trying to start. It does not seem to be any password we know, certainly not the admin or keychain passwords! We've added the _www user to the certusers group (mainly just to ensure they have the proper access to the private key in /etc/certificates/).
So, with the custom installed certs we have the following files (basically just pasted in from the company we purchase our certs from):
-rw-r--r-- 1 root admin 1395 Apr 10 11:22 *.domain.tld.ca
-rw-r--r-- 1 root admin 1656 Apr 10 11:21 *.domain.tld.cert
-rw-r--r-- 1 root admin 1680 Apr 10 11:22 *.domain.tld.key
And the following in the VirtualHost in /opt/local/apache2/conf/extra/httpd-ssl.conf:
SSLCertificateFile /path/to/certs/*.domain.tld.cert
SSLCertificateKeyFile /path/to/certs/*.domain.tld.key
SSLCACertificateFile /path/to/certs/*.domain.tld.ca
This setup functions normally.
If we use the certs installed via Server Admin, which both Server Admin & Keychain Assistant show as valid, they're installed in /etc/certificates/ as follows:
-rw-r--r-- 1 root wheel 1655 Apr 9 13:44 *.domain.tld.SOMELONGHASH.cert.pem
-rw-r--r-- 1 root wheel 4266 Apr 9 13:44 *.domain.tld.SOMELONGHASH.chain.pem
-rw-r----- 1 root certusers 3406 Apr 9 13:44 *.domain.tld.SOMELONGHASH.concat.pem
-rw-r----- 1 root certusers 1751 Apr 9 13:44 *.domain.tld.SOMELONGHASH.key.pem
And if we replace the aforementioned lines in our httpd-ssl.conf with the following:
SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem
This prompts for the unknown password. I have also tried httpd-ssl.conf configured as follows:
SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.concat.pem
And as:
SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCACertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem
We've verified that the certificate is configured to allow all applications to access it (in Keychain Assistant). A diff of the /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem & *.domain.tld.key files shows the former is encrypted and the latter is not, so we're assuming that Server Admin/Keychain Assistant is encrypting them for some reason.
I know I can create an unencrypted key file as follows:
sudo openssl rsa -in /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem -out /etc/certificates/*.domain.tld.SOMELONGHASH.key.no_password.pem
But, I can't do that without entering the password. I thought maybe I could export an unencrypted copy of the key from Keychain Admin, but I'm not seeing such an option (not to mention that the .pem options are greyed out in all export options).
Any assistance would be greatly appreciated.
1. Export the certificate as .p12. Record the password that's used.

2. Pull the public key out of the .p12 file - it will prompt for the password that was just set in the export.

3. Check how many certificates are now in the output file; you can open it in any text editor - it may be just the subject certificate, or it may contain the whole chain (the certs in the .ca file that your CA gave you). If it has the whole chain, that's fine - Apache will accept the whole thing in the same file with no problem. If not, then keep using the chain file they gave you.

4. Then, let's pull the private key as well:

Note that the -nodes flag instructs the command to not use encryption for the private key; this will prevent Apache from prompting for the password.

5. Point Apache to these new files, and restart. Should be good to go!
As Shane hinted at in the comments, one can export the certificate as a PKCS#12 (.p12) file from Keychain Access (with or without a password; naturally, password protecting this step is more secure). To do so, you must first launch Keychain Access as the root user, so:

sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &

From there I was able to run the following commands to extract the private key from the exported .p12 file without encryption and put it alongside the encrypted key in /etc/certificates/:

So I now have the following files in /etc/certificates/:

I updated my httpd-ssl.conf file to:

Restarted Apache and it works perfectly.

I had glossed over this part in my initial question, but to ensure that the _www user is added to the certusers group (which is required for Apache to read the private key since I preserved those permissions), I had used the following command:
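The following is an added example and is not the command listing from either answer above (those did not survive on this page). It walks the procedure both answers describe end to end: take the .p12 exported from Keychain Access, pull the certificate(s) and an unencrypted (-nodes) private key out of it with openssl, check that the key really is unencrypted and belongs to the certificate, give the key the same root:certusers / 0640 ownership Server Admin uses, add _www to certusers, and emit the httpd-ssl.conf directives. So that it runs anywhere openssl is installed, it builds a constructed stand-in for the Keychain export (a throwaway self-signed *.domain.tld key and cert bundled into a password-protected .p12) instead of reading /etc/certificates/. The $WORK directory, the $P12_PASS export password, the wildcard.domain.tld file names and the chain file path handed to the last step are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the original question or answers): the
# export-then-extract procedure, run against a constructed .p12 so it works
# offline.  $WORK, $P12_PASS and the output file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-export-pass}"   # password recorded during the .p12 export (assumed)

# Constructed stand-in for the Keychain Access export: a throwaway key and a
# self-signed cert bundled into a password-protected PKCS#12 file.
make_constructed_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.domain.tld' \
        -keyout "$WORK/seed.key" -out "$WORK/seed.cert" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/seed.cert" -inkey "$WORK/seed.key" \
        -name 'wildcard.domain.tld' -passout "pass:$P12_PASS" -out "$WORK/export.p12"
    echo "$WORK/export.p12"
}

# Certificate(s) only (-nokeys).  If the export carried the issuer chain it
# lands in the same file, which Apache accepts as-is.
extract_certs() {   # $1 = .p12, $2 = output PEM
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" -out "$2"
}

# Private key only, unencrypted (-nodes) so httpd never asks for a passphrase.
# Piping through 'openssl rsa' strips the PKCS#12 bag attributes; umask 077
# makes sure the key file is never world-readable, not even for a moment.
extract_key() {     # $1 = .p12, $2 = output PEM
    ( umask 077
      openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" \
          | openssl rsa -out "$2" 2>/dev/null )
}

# The first answer's "check how many certificates are now in the output file".
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# An encrypted PEM key carries a DEK-Info header (traditional format) or an
# ENCRYPTED PRIVATE KEY block (PKCS#8); an unencrypted key has neither.
key_is_unencrypted() { ! grep -qE 'DEK-Info|ENCRYPTED' "$1"; }

# Guard against pairing the new key with the wrong certificate: the public key
# inside the cert must equal the public half of the private key.
key_matches_cert() {   # $1 = key PEM, $2 = cert PEM
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Same ownership/mode Server Admin gave the encrypted key (root:certusers,
# 0640).  chown needs root, so it is skipped when not running as root.
install_key_perms() {  # $1 = key PEM
    chmod 0640 "$1"
    [ "$(id -u)" -eq 0 ] && chown root:certusers "$1" || true
}

# Mac OS X 10.6 only: put Apache's _www user in certusers so it gets the
# group-read bit on the key, then confirm the membership.  Not run by the demo.
grant_www_key_access() {
    dseditgroup -o edit -a _www -t user certusers
    id -Gn _www | tr ' ' '\n' | grep -qx certusers
}

# httpd-ssl.conf directives for the extracted files.  When the cert file
# already holds the whole chain, SSLCertificateChainFile is not needed.
apache_ssl_directives() {  # $1 = cert PEM, $2 = key PEM, $3 = chain PEM (optional)
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
    if [ "$(count_certs "$1")" -eq 1 ] && [ -n "${3:-}" ]; then
        printf 'SSLCertificateChainFile %s\n' "$3"
    fi
}

run_demo() {
    p12=$(make_constructed_p12)
    cert="$WORK/wildcard.domain.tld.cert.pem"
    key="$WORK/wildcard.domain.tld.key.no_password.pem"
    extract_certs "$p12" "$cert"
    extract_key "$p12" "$key"
    key_is_unencrypted "$key"
    key_matches_cert "$key" "$cert"
    install_key_perms "$key"
    echo "certificates in $cert: $(count_certs "$cert")"
    # Chain path below is the one from the question, assumed to still exist.
    apache_ssl_directives "$cert" "$key" '/etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem'
}

run_demo
```

Two caveats when running this against a real Keychain Access export: the files on the page are literally named *.domain.tld..., so quote those paths on the shell or the `*` is treated as a glob; and a .p12 written by older Keychain Access uses RC2/3DES bag encryption that OpenSSL 3.x no longer reads by default, so on a modern openssl add `-legacy` to the two `openssl pkcs12 -in` commands if they fail with an unsupported-algorithm error.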