Create a self-signed certificate

If your server doesn’t have an SSL certificate, or if you need another one, start by creating a self-signed certificate.

Create a self-signed certificate in the Server app

  1. Select Certificates in the Server app sidebar.

  2. Click the Action pop-up menu, then choose Show All Certificates.

  3. Click Add, then choose Create a Certificate Identity from the pop-up menu.

  4. In the Name field of the Certificate Assistant, enter your server’s fully qualified host name (for example, server.example.com).

    Leave the other settings unchanged. Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and “Let me override defaults” should be deselected.

  5. Click Create, then click Continue when prompted.

You can choose the new self-signed certificate for the server. For information, see Use an SSL certificate.

You can also use the new self-signed certificate to request a signed certificate from a Certificate Authority. For instructions, see Obtain a trusted certificate.

Create a self-signed certificate from the command line

  1. Log in to the server as root, locally through Terminal or remotely using ssh.

  2. Enter the following commands:

    $ cd /private/var/root/Library/Keychains/
    $ /usr/bin/certtool r csr.txt k=certkc c

    This use of certtool begins an interactive process that generates a CSR in the file csr.txt and creates a keychain named certkc.

  3. In the New Keychain Passphrase dialog, enter a password for the keychain, enter the password again to verify it, then click OK.

    Remember this password, because you’ll need it again later.

  4. When “Enter key and certificate label” appears in the Terminal window, enter a one-word key, a blank space, a one-word certificate label, then press Return.

    For example, you could enter your organization’s name as the key and mailservice as the certificate label.

    The following output appears:

    Please specify parameters for the key pair you’ll generate.
    r RSA
    d DSA
    f FEE
    Select key algorithm by letter:

  5. Enter r, then press Return.

    The following output appears:

    Valid key sizes for RSA are 512..2048; default is 512
    Enter key size in bits or CR for default:

  6. Enter a key size, then press Return.

    Larger key sizes are more secure, but they require more processing time on your server. Key sizes smaller than 1024 aren’t accepted by some certificate-issuing authorities.

    The following output appears:

    You have selected algorithm RSA, key size (size entered above) bits.
    OK (y/anything)?

  7. Enter y, then press Return.

    The following output appears:

    Enter cert/key usage (s=signing, b=signing AND encrypting):

  8. Enter b, then press Return.

    The following output appears:

    ...Generating key pair...
    Please specify the algorithm with which your certificate will be signed.
    5 RSA with MD5
    s RSA with SHA1
    Select signature algorithm by letter:

  9. Enter s, then press Return.

    The following output appears:

    You have selected algorithm RSA with SHA1.
    OK (y/anything)?

  10. Enter y, then press Return.

    The following output appears:

    ...creating CSR...
    Enter challenge string:

  11. Enter a phrase or random text, then press Return.

    The following output appears:

    For Common Name, enter the server's DNS name, such as server.example.com.
    For Country, enter the country in which your organization is located.
    For Organization, enter the organization to which your domain name is registered.
    For Organizational Unit, enter something similar to a department name.
    For State/Province, enter the full name of your state or province.

  12. Enter the correct information at the prompts that appear, requesting the components of the certificate’s Relative Distinguished Name (RDN). Press Return after each entry.

    The following output appears:

    Is this OK (y/anything)?

  13. Enter y, then press Return.

    The following output appears:

    Wrote (n) bytes of CSR to csr.txt

    This indicates that you’ve generated a CSR and created the keychain that Mail service needs for SSL connections.

  14. Log out from the server.

You can use the security command to administer keychains and manipulate keys and certificates. For more information, see the security(1) man page.
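Before sending csr.txt to a Certificate Authority, it is worth confirming that the request really carries the Common Name, key size and signature algorithm entered at the prompts above. The POSIX shell script below is an added example, not part of Apple's documentation: it parses the text form that the openssl command-line tool prints for a request (openssl req -noout -text), flags RSA keys below 2048 bits and MD5 or SHA-1 signatures (which current CAs and browsers reject), and the embedded sample request is constructed for illustration.

```sh
# Added example (not from Apple's documentation): sanity-check a CSR such as
# the csr.txt created above before sending it to a CA. Assumes the openssl CLI.

# Constructed sample in the shape of "openssl req -noout -text" output; it
# shows a request built with the weakest choices the certtool prompts allow.
SAMPLE_WEAK_CSR='Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, O = Example Inc, OU = Mail, CN = server.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
    Signature Algorithm: sha1WithRSAEncryption'

# csr_key_bits: print the RSA key size found in CSR text read on stdin.
csr_key_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr_text: read CSR text on stdin, print one finding per line, and
# return 0 only if a Common Name is present, the RSA key is at least 2048
# bits and the request is not signed with MD5 or SHA-1.
check_csr_text() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | csr_key_bits)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1)
    cn=$(printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    status=0
    if [ -n "$cn" ]; then echo "ok: Common Name is $cn"; else echo "FAIL: no Common Name in Subject"; status=1; fi
    if [ -z "$bits" ]; then
        echo "FAIL: could not determine key size"; status=1
    elif [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA key is $bits bits; 2048 is the current minimum"; status=1
    else
        echo "ok: RSA key is $bits bits"
    fi
    case "$sigalg" in
        md5*|sha1*) echo "FAIL: signed with $sigalg; use SHA-256 or stronger"; status=1 ;;
        "")         echo "FAIL: could not determine signature algorithm"; status=1 ;;
        *)          echo "ok: signature algorithm is $sigalg" ;;
    esac
    return $status
}

# check_csr_file: run the same checks on a PEM request file such as csr.txt.
check_csr_file() {
    openssl req -in "$1" -noout -text | check_csr_text
}

# Stand-alone demo: the constructed weak sample must fail the check.
printf '%s\n' "$SAMPLE_WEAK_CSR" | check_csr_text || echo "(weak sample rejected as expected)"
```

Run check_csr_file /private/var/root/Library/Keychains/csr.txt on the server to check the request the procedure above produced.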