How To Create Trusted X.509 Certificates On MacOS X

Creating trusted X.509 certificates

Learn How To Create Trusted X.509 Certificates on MacOS X from Microsoft ADCS

Creating trusted enterprise certificates on Apple’s MacOS X has never been easy, but it can be.

In the traditional process you have to create a private key, create a Certificate Signing Request (CSR), submit the CSR to a Certificate Authority (CA) such as Microsoft ADCS, retrieve the issued certificate, install it, and then remember to renew it before it expires.  Not easy.  There are lots of opportunities for human error and you have to be very disciplined.

Sure you can skip some of the steps by creating a self-signed certificate, but it won’t be trusted in your enterprise environment without each software component on each system being updated.  That only makes life harder and your environment less secure.

CertAccord© Enterprise solves this problem.  It makes creating and installing trusted enterprise certificates from Microsoft ADCS PKI easy by automating nearly all of the process.

We will examine two methods:

  • METHOD 1 – Traditional Certificate Creation using manual processes involving openssl, CSRs, and web pages
  • METHOD 2 – Using CertAccord Enterprise to fully automate the creation and future renewals of X.509 certificates

METHOD 1 – Traditional Certificate Creation

The traditional process of creating a trusted certificate on MacOS X is based on using the OpenSSL command line tool built into MacOS X.

STEP 1 – Install OpenSSL

To get started you need to see if you already have OpenSSL installed.  It’s typically provided by default.  To verify open a shell and run:

openssl version

If openssl is installed you will see the OpenSSL version information.  If it’s not installed, you’ll get an error like “Command not found”.

STEP 2 – Create Key Pair

The private and public key pair is needed to sign the CSR.  To create the key pair you need to decide upon a cryptographic algorithm (RSA is the most common) and the bit-size of the key.  In this example we will create an RSA 4096-bit key (current best practice) and store it in the file my.key:

openssl genrsa -out my.key 4096

STEP 3 – Generate CSR

Now we will create the Certificate Signing Request (CSR):

openssl req -new -key my.key -out my.csr

This command will save the CSR to the my.csr file. You will be prompted to fill-in various fields:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme Inc
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.my.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

STEP 4 – Submit CSR To CA

Take the CSR file (my.csr) and submit it to your enterprise Certificate Authority. How you do this depends on the CA you have. If you have a Microsoft CA, then a user with administrator access to the Microsoft CA has to take the CSR and submit it using the CA Manager.

Once a certificate is created from the CSR you should then receive the certificate file and typically a CA trust file.

STEP 5 – Install Certificate

Copy the certificate file and CA trust file to your MacOS X system.  How you do this will depend on the CA product used and your internal process for certificate creation.

If the certificate is a web server certificate for Apache HTTPD, then you copy the certificate file, the certificate private key (my.key), and the CA trust file to the appropriate directories for your MacOS X / Apache configuration.

You then need to edit the appropriate Apache HTTPD configuration file to specify the certificate file, private key file, and CA trust file.
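The steps above are interactive and leave room for the human error the article warns about. The script below is an added example, not code from the original article, that runs Steps 2 and 3 non-interactively and then performs the checks worth doing before a CSR leaves the system: that the CSR's own signature verifies, that its public key really belongs to the private key you are about to install, and that the hostname is present as a Subject Alternative Name (modern clients match on the SAN, not the Common Name). It assumes an openssl CLI that understands -addext (OpenSSL 1.1.1 or later, or the LibreSSL shipped with recent macOS); the hostname and DN values are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): Method 1 steps 2-3 without
# prompts, plus pre-submission checks. Assumes the openssl CLI on PATH.
set -eu

WORK="$(mktemp -d)"
KEY="$WORK/my.key"
CSR="$WORK/my.csr"

# Step 2: RSA 4096-bit private key, readable only by its owner.
make_key() {
    openssl genrsa -out "$KEY" 4096 2>/dev/null
    chmod 600 "$KEY"
}

# Step 3: CSR with the DN supplied on the command line (no prompts) and a
# subjectAltName extension carrying the hostname (constructed values).
make_csr() {
    host="$1"
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=California/L=San Jose/O=Acme Inc/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies, so the file is intact.
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Check 2: the public key inside the CSR matches the private key on disk.
# Compare SHA-256 digests of both keys in DER form.
key_matches_csr() {
    k="$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)"
    c="$(openssl req -in "$CSR" -noout -pubkey \
         | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)"
    [ "$k" = "$c" ]
}

# Check 3: the SAN names the host the CA should issue for.
csr_has_san() {
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$1"
}

make_key
make_csr www.my.com
if csr_verifies && key_matches_csr && csr_has_san www.my.com; then
    echo "CSR ready to submit to the CA: $CSR (keep $KEY private)"
else
    echo "CSR checks failed; do not submit" >&2
    exit 1
fi
```

Once the CA returns the issued certificate, the Apache directives that point at the files are SSLCertificateFile and SSLCertificateKeyFile; intermediate CA certificates go in SSLCertificateChainFile on older Apache releases or are appended to the certificate file on Apache 2.4.8 and later.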

Key Takeaways

  1. You must track when your certificate expires
  2. Prior to the certificate expiring you need to repeat the above process to create and install a replacement certificate
  3. Failure to renew a certificate will result in the application being unreachable since the certificate will be considered invalid
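Takeaways 1 and 3 are the part of the manual process most often forgotten. The script below is an added example, not from the original article, of the expiry check an operator would schedule (for instance from cron) to catch an upcoming expiry before the application becomes unreachable. It assumes the openssl CLI; the certificate it checks is a constructed self-signed fixture created only so the script runs offline, standing in for the CA-issued certificate installed in Step 5.

```shell
#!/bin/sh
# Added example (not from the original article): expiry monitoring for an
# installed certificate. Assumes the openssl CLI on PATH.
set -eu

WORK="$(mktemp -d)"
CERT="$WORK/test.crt"

# Constructed fixture: a throwaway self-signed certificate valid for 10 days,
# used only so the check below has something to run against offline.
make_fixture_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -keyout "$WORK/test.key" -out "$CERT" \
        -subj "/CN=dune.contoso.com" 2>/dev/null
}

# Returns 0 if the certificate in $1 stays valid for at least $2 more days.
# openssl's -checkend takes seconds, so convert days to seconds.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the notAfter date, which is the value to log or alert on.
cert_expiry_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

make_fixture_cert
echo "Certificate expires: $(cert_expiry_date "$CERT")"
# A 30-day warning threshold leaves time to repeat Steps 2-5 before expiry.
if cert_valid_for_days "$CERT" 30; then
    echo "OK: more than 30 days remaining"
else
    echo "RENEW NOW: fewer than 30 days remaining" >&2
fi
```

Point CERT at the installed certificate file and run the script daily; a non-zero result from cert_valid_for_days is the signal to start the renewal process.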

METHOD 2 – Creating Certificate with CertAccord Enterprise

Creating and installing certificates with CertAccord Enterprise is simple, easy, and doesn’t take a PKI expert.

For this article we are going to assume your enterprise PKI experts have already installed the CertAccord Enterprise Server and have configured it to work with Microsoft ADCS or other supported Certificate Authority products.

STEP 1 – Install CertAccord Enterprise Agent

If you don’t already have the CertAccord Agent installed, you can install it by copying the CertAccord Agent installer to your MacOS X system.  Then run the installer:

sudo hdiutil attach /tmp/cmbagent-version-platform.dmg
sudo '/Volumes/CertAccord Installer version/cmbagent/version.app/Contents/MacOS/installbuilder.sh' \
   --mode unattended
sudo hdiutil detach '/Volumes/CertAccord Installer version'

This command will install the Agent into the default location of /Applications/CertAccord.

STEP 2 – Register Agent

export PATH=/Applications/CertAccord/bin:$PATH
cmb register server=myserver

Change myserver to be the hostname of the CertAccord Enterprise Server.

When you run this command, the Agent will download the CA trust information from the server, generate a private key locally (configured to adhere to the policies given by the server), and then submit the registration request to the server.

STEP 3 – Create Certificate

To create a web server certificate for use with Apache HTTPD or other web server, run the following command:

cmb cert create purpose=webserver

This command will automatically create a CSR, submit it to the enterprise CA, and install the certificate once issued. This is all done using the PKI policies configured on the CertAccord Enterprise Server and your enterprise CA. No knowledge of these policies or configuration requirements is needed by the MacOS X system administrator when running this command.

Here is example output:

Creating Certificate PURPOSES: [WebServer]
Created certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT]
Saved certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to AgentProfile
Apply Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT]
Exported Certificate 634RJ65d [SUBJECT: "dune.contoso.com" PURPOSES: WebServer EXPIRES: Jul 14 2021 13:52:14 PDT] to /var/cmb/cert/dune.magnicomp.com-webserver.crt
Exported PrivateKey Grq8jB3h [RSA 2048] to /var/cmb/cert/dune.contoso.com-webserver.key
Applying certificate to Apache HTTP Web Server: ID: 634RJ65d PURPOSE: WebServer
COMMAND [/usr/sbin/service apache2 reload] ran successfully
Reloaded Apache HTTP Web Server
Apply certificate to Apache HTTP Web Server: ID: 634RJ65d RESULT: Succeeded

The output shows that a certificate was created, saved to the local Agent database, and a copy of the certificate was exported to /var/cmb/cert/dune.contoso.com-webserver.crt. The Apache HTTPD server was also reloaded so that it re-read its configured certificate files.

Even Better

In addition to creating a certificate from the command line using CertAccord Enterprise, you can also have CertAccord Enterprise automatically push (e.g. “auto enroll”) certificates to end-points running MacOS, Linux, and Windows. End-points can be placed in Device Groups in CertAccord or in Active Directory and then assigned Certificate Mandates which will deploy certificates to all end-points in the specific group.

Key Takeaways

A few key take-aways:

  1. Using the CertAccord Agent required no prior knowledge of the enterprise PKI policies for keys or certificates.
  2. Because the certificate was created by the enterprise CA and is not self-signed, the certificate is automatically verifiable by any application in the enterprise.
  3. The Agent manages the life-cycle of the certificate.  That means it will automatically renew the certificate without any human intervention.
  4. It’s easy to automatically enroll or push certificates to Mac, Linux, and Windows end-points using CertAccord Enterprise.

Summary

The CertAccord Enterprise Agent is a much easier and simpler means of creating trusted certificates on MacOS X.  It can lower IT costs through automated certificate creation and life-cycle management, improve security by reducing errors in creation and renewals, and be implemented as a bolt-on to your existing enterprise PKI.
