Join Sean Colins for an in-depth discussion in this video Install a self-signed certificate, part of macOS Sierra for IT Administrators.
- [Instructor] SSL is a very deep and complicated subject. I've got a separate course on OpenSSL, elsewhere here in the library, if you're more interested in looking into SSL in-depth. But right here I wanted to just talk to all IT administrators and desktop-support technicians about SSL, and about how to install it properly, and when you might not even need to install it at all. We're going to start by going to the Keychain Access application here on our macOS system. And I'd like to point out that we have multiple keychains, we have multiple categories.
One of the categories is certificates. If you look at your login, or your system, you will notice that I have no custom certificates yet. We do have a system roots area down here, and I want to talk about how the roots work with trust. See, these are all root certificate authorities. These are authorities that are allowed to create certificates, and they chain back, those certificates chain back to these trusted roots. These roots are pre-installed by the company who provides the operating system.
So, Apple has their own list of trusted roots. Microsoft has the same. So, if you have a computer, you have a device, you have trusted system root certificates installed on your device by the manufacturer. So, whenever you go to a website that is secured by SSL, and it is chained back to a trusted certificate authority, the certificate you encounter out in the wild chains back to, mathematically, a trusted root certificate that you already have installed on your system.
But sometimes, as systems administrators, working for enterprise organizations, we may have to spool up our own certificate authority that can issue certificates for servers in our organization, or other systems within our organization. And if we do that, we have to get that trusted root certificate onto our client systems. That's why we're talking about this today. So, these trusted root certificates have multiple ways of getting onto your system. I am going to show you, of course, a couple, but one in particular that I think is very compelling.
First I'd like to point out that, if you just open up Safari, and you go to an HTTPS-protected website on your local network, as soon as you go to it, if the certificate is, as I've shown you over here in Keychain Access, not installed on your system, when you get there, you'll see the entire chain. You'll see that the leaf certificate, down here at the bottom, chains to an intermediate certificate, which chains to a certificate authority, and by the little red buttons with the white Xs in them, you'll see that none of them are trusted. But it gives you a checkbox that allows you to always trust the certificate authority.
You do so, you click continue, you enter your administrator's username and password, and it lets you straight in. The thing is, we have this open for a reason, if you look over here, it was installed in the login keychain, so that was only installed for this user, not the entire system. So, if we wanted to get this particular server's certificate installed, so that it would be trusted everywhere, how do we do that? Well, it's lucky that we're using a macOS server, because that makes it quite easy, and we can just show you the concept here.
Your server may vary, but in our macOS server we have a My Devices page that's associated with our profile manager. And if we click on Profiles in the My Devices area, we can look at the contents of the trust profile for the server. We can see that it contains a certificate. This is an MDM-based, mobileconfig profile with a certificate payload. I know that's a lot to take in, and we're going to talk about MDM later on, and we're going to have an entirely separate course addition for macOS Server, where we talk about how to create these things and deploy them.
But for right now, I just want to point out, we can click Install here. That will download, as you just saw, this, in the downloads folder, this mobileconfig profile, you can see it ends with .mobileconfig, and it is the trust profile, and it automatically opens up System Preferences, and it asks us, "Would you like to install this profile?" We can show the profile. We can see the contents of the profile. By scrolling through it we can see that it contains a root certificate authority. Fantastic! We click Continue. We click Install.
We enter our username and password. It installs the profile, and you see instantly in the System Keychain under certificates, we get our certificate authority. And this is exactly what we need in order to set up trust between our macOS system and our macOS server system. Now, this is all, of course, in support of a Profile Manager installation, but I'd like to point out that I have not enrolled this system. All we're dealing with at this point is the installation of a trust profile.
So, now communications between our macOS server and our macOS client can be, not only encrypted, but, because we have explicitly said, and I will click on this here so you can see it, that we're going to use custom trust settings... You know, if we select Always Trust here, then every bit of this is going to be constantly trusted. Close it, password again, update the settings, and we have now set this to be trusted, no matter what we're doing with it. But we've done that explicitly as an administrator, and, as you can see, we've done this in a way that is sort of, a little bit time-consuming, right? You don't necessarily want to do this on every single system, while you're sitting in front of it.
We will be talking about how to send a certificate to a macOS system, using an MDM profile, by pushing it out from the MDM server. This is something that's a relatively new thing that we can do in macOS. It's very exciting. But I wanted to show you a couple of different methods for getting certificates, both into the system keychain, and into the login keychain here on your macOS systems.
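The trust profile the video downloads from Profile Manager is a plist with a `com.apple.security.root` certificate payload. The script below is an added example, not from the course or from Apple, that builds such a profile from a PEM root certificate and then reads it back to check that the certificate it carries matches the CA's SHA-256 fingerprint, which is the check an administrator wants before clicking Install. The root CA it generates is a throwaway, constructed one; the identifier `com.example.mdm`, the organization name, and the `make_test_ca`/`make_trust_profile`/`profile_cert_fingerprint` function names are assumptions of this example. The final function wraps the `security add-trusted-cert` command that does, from the command line, what the video does through Keychain Access when it adds a root to the System keychain; it only runs on macOS and is not called here.

```shell
#!/bin/sh
# Added example: build and inspect a root-CA trust profile (.mobileconfig).
set -eu

# Constructed test data: a throwaway self-signed root CA for the demonstration.
make_test_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Random UUID for the PayloadUUID keys (uuidgen is not installed everywhere).
new_uuid() {
  h=$(openssl rand -hex 16)
  printf '%s-%s-%s-%s-%s\n' "$(echo "$h" | cut -c1-8)" "$(echo "$h" | cut -c9-12)" \
    "$(echo "$h" | cut -c13-16)" "$(echo "$h" | cut -c17-20)" "$(echo "$h" | cut -c21-32)" \
    | tr a-f A-F
}

# Write a System-scoped trust profile carrying the certificate as a DER
# com.apple.security.root payload (the same payload type the video shows).
make_trust_profile() {
  cert=$1; out=$2; ident=$3
  der_b64=$(openssl x509 -in "$cert" -outform DER | openssl base64 -A)
  cn=$(openssl x509 -in "$cert" -noout -subject | sed 's/.*CN *= *//')
  pl_uuid=$(new_uuid); pr_uuid=$(new_uuid)
  cat >"$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadCertificateFileName</key><string>ca.cer</string>
      <key>PayloadContent</key><data>$der_b64</data>
      <key>PayloadDisplayName</key><string>$cn</string>
      <key>PayloadIdentifier</key><string>$ident.root.$pl_uuid</string>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadUUID</key><string>$pl_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>Trust Profile for $cn</string>
  <key>PayloadIdentifier</key><string>$ident.trust</string>
  <key>PayloadOrganization</key><string>Example Corp</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>$pr_uuid</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# List every PayloadType in a profile: a trust profile should carry only
# Configuration plus certificate payloads, nothing that enrolls the device.
profile_payload_types() {
  sed -n 's:.*<key>PayloadType</key><string>\([^<]*\)</string>.*:\1:p' "$1"
}

# Decode the embedded certificate and fingerprint it, so the value can be
# compared with the fingerprint published by the CA operator.
profile_cert_fingerprint() {
  sed -n 's:.*<data>\(.*\)</data>.*:\1:p' "$1" \
    | openssl base64 -d -A \
    | openssl x509 -inform DER -noout -fingerprint -sha256 | cut -d= -f2
}

# macOS only: add a root to the System keychain (what Keychain Access does in
# the video); needs admin rights, so it is defined here but not called.
install_root_system_keychain() {
  command -v security >/dev/null || { echo "security(1) not found: not macOS"; return 0; }
  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$1"
}

work=$(mktemp -d)
make_test_ca "$work"
make_trust_profile "$work/ca.pem" "$work/trust.mobileconfig" "com.example.mdm"
echo "Payload types:       $(profile_payload_types "$work/trust.mobileconfig" | tr '\n' ' ')"
echo "CA fingerprint:      $(cert_fingerprint "$work/ca.pem")"
echo "Profile fingerprint: $(profile_cert_fingerprint "$work/trust.mobileconfig")"
```

Run it and the two fingerprints printed at the end must be identical; if a profile handed to you prints a different value, or lists payload types beyond `Configuration` and the certificate payload, it is not the plain trust profile it claims to be.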