
<< March 24, 2007 >>
a retarded monkey's guide to effortlessly running your own CA with apple keychain

i hate x509 certs so much, it is no secret.

when my email was down last night, i decided to take advantage of the opportunity and finally migrate my home email/dns/dhcp server from my ppc mac mini to a core duo one. the install went cleanly, of course, and installing darwin ports went well. i was delighted to find that they added launchd scripts for the three daemons since the last time i updated things.

i copied all of the data over from the old machine, got dns and dhcp going quickly, but Mail.app complained that the imap server's cert didn't specify a CA. i could not find where the CA cert was installed on the old machine, and since the cert was for the wrong hostname i figured i'd start from scratch.

so, open keychain access, and go to File -> New Keychain... to create a new keychain for your CA. if you are clever, you will use a different password for this one, and then forget it, and have to do this again. then, fire up the awesomeness with Keychain Access -> Certificate Assistant. if iTunes is the best windows app ever, then perhaps Certificate Assistant is the best app on os x.

first, Create a Certificate Authority (CA). this cert will be self-signed. i recommend using a special email alias here - such as ca@example.com, which will be detailed later. for the Common Name, i use the name of the CA (not my name). make sure you make the cert valid for like, a thousand years, otherwise things will break and you will be sad (how's it going, shaver?).

i used all of the default settings for the rest here, although perhaps i wanted to disable the signature capability. make sure you save it in your CA keychain! this is just to make your life more simple. you'll be prompted for your keychain password.

you'll want to accept certs issued by your CA, so drag your CA cert from keychain access to your desktop. then, double click on the CA.cer file, and add it to the X509Anchors keychain. i had to restart Keychain Access before it would treat my CA cert as valid.

now it's time to make a cert for your service. run Certificate Assistant again, and this time create a certificate for yourself. you do not want to self-sign this one, and again use an email address you don't normally use, perhaps a root@ or admin@ one. the Common Name should be the hostname for your service (for example mail.87k.net). after clicking continue, you should choose the CA cert from your CA keychain for your issuer. again, i used all of the defaults and saved it in my CA keychain.

now to get your cert out of keychain so you can install it on your machine. first, select your new service cert and File -> Export... it as a .pem. note that if you want to use the hostname as the file name, be sure to include the extension in this dialog, otherwise it will drop the last bit (.net). do the same for your CA cert.

here it gets just a little tricky. since we've been using apple software, there's of course one small thing it won't let you do. in this case, it's exporting your private key in pem format. (un)fortunately, the openssl "tool" can help us out here, despite its best efforts.

File -> Export... your new cert's private key as a .p12 file. you don't need to specify a password for the key, but you can if you want. then, open up Terminal and run the following commands:

$ openssl pkcs12 -in hostprivkey.p12 -out hostprivkey.pem
Enter Import Password: (the password you used above, or just hit enter)
MAC verified OK
Enter PEM pass phrase: (your favourite four-letter word here)
Verifying - Enter PEM pass phrase: (repeat above phrase)
$ openssl rsa -in hostprivkey.pem >> hostcert.pem
Enter pass phrase for hostprivkey.pem: (type your pass phrase)
writing RSA key
$ cat CA.pem >> hostcert.pem
$ rm CA.pem hostprivkey.p12 hostprivkey.pem

your host cert is now ready for deployment! i'll leave installing the cert on your machine for you to figure out, but including the CA cert at the end there is nice because then it's easy for people to add your CA to their trusted CA list. you can use the command openssl s_client -connect imap:imaps to check that things are all set up correctly.
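the same CA, host cert and bundle the post builds by clicking through Certificate Assistant, done with openssl alone and checked offline. this is an added example, not the post's own commands: the file names follow the post, the CA name and email addresses are placeholders, the hostname is the post's example host, and the SAN/serverAuth/basicConstraints extensions are ones Certificate Assistant's defaults don't set but modern clients check.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a self-signed CA, a host
# cert signed by it, and the post's bundle (cert + unencrypted key + CA cert)
# in the work directory given as $1, then checks the result without a network.
set -eu

# Step 1: self-signed CA with a long validity, as the post recommends.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 36500 \
        -subj "/CN=Home CA/emailAddress=ca@example.com" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$1/ca.key" -out "$1/CA.pem" 2>/dev/null
}

# Step 2: host key + CSR, signed by the CA. SAN and serverAuth are added
# here because clients match the SAN, not just the Common Name.
make_host_cert() {
    host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host/emailAddress=admin@example.com" \
        -keyout "$1/hostprivkey.pem" -out "$1/host.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$1/host.ext"
    printf 'extendedKeyUsage=serverAuth\n' >> "$1/host.ext"
    openssl x509 -req -sha256 -days 3650 -in "$1/host.csr" \
        -CA "$1/CA.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/host.ext" -out "$1/hostcert.pem" 2>/dev/null
}

# Step 3: the post's bundle: cert, then the unencrypted key, then the CA cert.
bundle() {
    openssl rsa -in "$1/hostprivkey.pem" >> "$1/hostcert.pem" 2>/dev/null
    cat "$1/CA.pem" >> "$1/hostcert.pem"
    chmod 600 "$1/hostcert.pem"   # the bundle now carries a private key
}

# Step 4: offline checks: the host cert chains to CA.pem, and the key in the
# bundle matches the cert's public key. Non-zero exit on any mismatch.
check_bundle() {
    openssl x509 -in "$1/hostcert.pem" | openssl verify -CAfile "$1/CA.pem" >/dev/null
    certpub=$(openssl x509 -in "$1/hostcert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$1/hostcert.pem" -pubout 2>/dev/null)
    [ "$certpub" = "$keypub" ]
}

# Usage: sh make_chain.sh /path/to/workdir
if [ $# -eq 1 ]; then
    make_ca "$1"; make_host_cert "$1" mail.87k.net; bundle "$1"
    check_bundle "$1" && echo "bundle OK: $1/hostcert.pem"
fi
```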

btw if you get a cert signed by a CA that you don't (yet) trust, Mail.app won't let you see the CA cert. since safari does, you can use it to install the CA cert. go to https://mail.87k.net:993/ and view certificate; look at the CA cert and drag it off and install it as above. don't get me started.

now to explain the little mystery: the reason i advised against using your real email address for the certs above is that Mail.app actually has built-in s/mime support. using Certificate Assistant again, you can create a cert using your email address and your name for the common name. then, if you compose an email from that address, Mail.app will add some new ui elements for signing and encrypting your mail:

(screenshot: i didn't know these were here)

to be able to encrypt mail to someone, you'll need to add their cert to your keychain. there's no link between keychain and addressbook here, which is where i first looked for how to add their certs.

if i don't need to recreate my CA/user certs, i'll link to them here so that all of my friends can start sending me encrypted mail (it's 2007, remember?). not for legal reasons, of course:

Sure, you can have a file that is strongly encrypted. And then an officer of the court will order you to type your pass-phrase to unlock it. And either you do so, or you go to jail.

-- jwz

all in all, this was orders of magnitude easier than i remember strictly using the openssl tool being. hopefully having this page here forever will make this process even less painful the next time i need to do it.

posted by jacob around March 24, 2007
