Hi, I don't immediately know what the problem is in your case, but here's a document I wrote some time ago about ssl cert chains and calendar server - maybe even during 10.6:
Background

Traditionally, a server's SSL certificate is signed by a well-known (root) certificate authority (CA). The signing CA is trusted (or not) by a client when the client consults the list of trusted root CA certs that is provided by Apple in every copy of Mac OS X. These trusted roots live in:

    /System/Library/Keychains/SystemRootCertificates.keychain

For a server using a SSL cert that is signed by a known authority, use of that cert is fairly straightforward: you provide the service the cert file and the corresponding private key file; when the client connects, the cert is validated against the client's list of trusted roots. It looks something like this:

    Root CA
       |      << trust evaluation >>  [client's list of trusted roots]
       |
        \
         Server cert

In this configuration, the iCal Server config would contain something like shown below.

    <!-- Public key -->
    <key>SSLCertificate</key>
    <string>foo.com.crt</string>

    <!-- Private key -->
    <key>SSLPrivateKey</key>
    <string>foo.com.key</string>

But then...

For security reasons, CAs have recently begun to sign customer SSL certificates not with their root CA, but rather with an intermediate CA. An intermediate CA has a cert that was signed by the root CA. When the client tries to validate the server's cert, it checks to see that the signer (the intermediate CA) is trusted. This may be a problem, because the (newfangled) intermediate CA is typically NOT in the list of the client's trusted roots. This causes the client to throw warnings when connecting to the service over SSL.

    Root CA
       |
       |
        \
         Intermediate CA
              |      << trust evaluation >>  [client's list of trusted roots]
              |
               \
                Server cert

What Now?

Depends on who you ask. SSL is a rat's nest. For us (iCal Server), this means:

1. Create an SSL Authority Chain file. This file specifies each step in the SSL authority chain, from the root down to the server cert. A graphical depiction of such a chain is shown in the previous section.

2. Configure iCal Server with an additional parameter that declares the location of the SSL Authority Chain file you created above.

Constructing an SSLAuthorityChain file

The SSL authority chain file is literally a concatenation of the server cert, any intermediate cert, and then the root cert. Be sure to specify them in the correct order based on the trust hierarchy. The server cert should be the first cert in the file, and the root should be the last. Each of these certificates should be made available by the cert provider. A concatenated chain file might look something like (the base64 bodies of the three certificates are omitted here):

    -----BEGIN CERTIFICATE-----
    [server cert, base64]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [intermediate CA cert, base64]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [root CA cert, base64]
    -----END CERTIFICATE-----

Configure SSLAuthorityChain in caldavd.plist

This part is pretty easy.
Just add the following stanza to the config file:

    <!-- SSL Authority Chain File -->
    <key>SSLAuthorityChain</key>
    <string>foo.com.chcrt</string>

We use 'chcrt' to denote 'chain cert', which is the concatenated representation of the authority chain from server to root.

Errata

Odds and ends that may be useful in configuring or troubleshooting this stuff.

Show cert details

In particular, two important attributes you'll see here are Issuer and Subject. Issuer identifies the CA that signed this cert, and Subject identifies the owner of this cert. This is useful to verify the order of the certs in the chain file.

    openssl x509 -text -in foo.crt

Examine a keychain's contents

    sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain | grep alis

Remove a trusted cert from Keychain

Sadly, this works on 10.5.8 and later, but not 10.5.7. The argument after -c is the name of the cert, which is shown on the 'alis' line of the dump-keychain output.

    sudo security delete-certificate -c "Entrust Certification Authority - L1B" /Library/Keychains/System.keychain

Validate the SSL cert chain of a running service

Remember that each cert can be decoded if necessary; see above.

    openssl s_client -showcerts -connect foo.apple.com:8443

On Feb 9, 2014, at 6:41 AM, Pascal Dallaire <pascaldalla...@cre-gim.net> wrote:

> Hello to the list,
>
> Running CalendarServer 4.2 on Snow Leopard, using the supplied SSL
> certificates that are self-signed and expired. I tried to change to a CA
> certificate with information in plist about SSLCertificate, SSLAuthorityChain
> and SSLPrivateKey.
> The exact same files work a charm in Apache, but when
> trying in CalendarServer, I get an SSL handshake error:
> -----
> openssl s_client -connect mycalserver:8443
> CONNECTED(00000003)
> 45947:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:
> -----
> openssl s_client -connect mycalserver:8443 -servername realnameofcalserver
> CONNECTED(00000003)
> 45960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake
> failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c:602:
> -----
> I don't know the problem here... This certificate was issued with a CSR made
> from the default OpenSSL on Snow Leopard (0.98r)
>
> Thanks to whoever could help
> Pascal
> _______________________________________________
> calendarserver-users mailing list
> calendarserver-users@lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/calendarserver-users
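As an added example (not from the original post or the Calendar Server project), here is a Python check for the chain-file ordering rule the document above spells out: each cert's Issuer must equal the next cert's Subject, the server cert comes first and the self-signed root comes last. It reads only the DER Name fields it needs and compares them byte for byte; the test certificates (foo.com, "Example Intermediate CA", "Example Root CA") are constructed, unsigned skeletons, since the real chain file would hold the provider's certificates.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):                                   # read one DER TLV -> (tag, contents, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der):
    """Return (issuer, subject) as raw DER Name bytes from one X.509 certificate."""
    _, tbs, _ = _tlv(_tlv(der)[1])                      # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                            # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, ISSUER, validity, SUBJECT, ...

def check_chain_order(pem_text):
    """Return ordering problems for a concatenated chain file ([] means server first, root last)."""
    names = [issuer_subject(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    if not names:
        return ["no PEM certificates found"]
    problems = [f"cert {i} issuer != cert {i + 1} subject: chain out of order"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("cert 0 is self-signed: the server cert, not the root, must come first")
    if names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-signed: the root CA must come last")
    return problems

# Constructed test data: UNSIGNED certificate skeletons with just enough structure for the order check.
def _der(tag, payload):                                 # minimal DER TLV encoder (lengths < 65536)
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")) + payload
def _name(cn):                                          # Name ::= SEQ { SET { SEQ { OID 2.5.4.3, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                        # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))              # sha256WithRSAEncryption
           + _name(issuer_cn) + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _name(subject_cn) + _der(0x30, b""))                                        # empty SubjectPublicKeyInfo
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))          # no real signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
SERVER = fake_cert_pem("foo.com", "Example Intermediate CA")           # hypothetical names, constructed here
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
```

Against a real file, `check_chain_order(open("foo.com.chcrt").read())` returns `[]` when the order matches what the document requires; it only checks the Issuer/Subject linkage and does not verify signatures, so a chain that passes here can still fail `openssl s_client` if a cert is wrong or expired.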