Mac OS X 10.11 (El Capitan) Server: Update LDAP/OpenDirectory SSL Certificate
I couldn’t find this information anywhere else, so here it is. This is how to add/update/replace an SSL certificate in Mac OS X 10.11 Server, for use with the Open Directory (dirserv) service.
First Step: Add your new certificate
To add a new SSL certificate to Open Directory, open the Server app (version 5), and go to the Certificates section to add your certificate. I won’t go into many details on how to do that since it’s fairly obvious, but generally there are 3 places to drag & drop files when you import a certificate:

- The private key (e.g. privkey.pem).
- The signed certificate (e.g. cert.pem).
- The extra, non-identity certificates that make up the “chain” (e.g. chain.pem).
Second Step: Disable the Open Directory Service
Go to the Open Directory section of the Server app, and flip the ON/OFF switch to OFF. Alternatively, run “sudo serveradmin stop dirserv” on the command line.
Third Step: Remove the Old Certificate (if applicable)
If your directory service was previously using a certificate and you are replacing it with a new one that has the same Common Name (CN), e.g. “ldap.mydomain.com”, then you need to remove the old one in the Certificates section of the Server app. Simply highlight it and click the “-” button to remove it.
Fourth Step: Update the System Keychain
This is the non-obvious part. Open Directory searches the System Keychain for an “Identity Preference” item named OPENDIRECTORY_SSL_IDENTITY. You need to locate and edit that item to change it to your new certificate.
- Open the Keychain Access app. It’s in /Applications/Utilities.
- Use the Search feature to find the OPENDIRECTORY_SSL_IDENTITY item, or scroll to find it in the System keychain.
- Double-click it to edit, and from the “Preferred certificate” drop-down menu, select the new certificate that you added in the First Step.

Fifth and Final Step: Restart Open Directory
Restart Open Directory by switching it to “ON” in the Server app, or by running “sudo serveradmin start dirserv” on the command line, and Bob’s your uncle.
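Once dirserv is back up, a quick way to confirm the swap actually took effect, as an added example that is not part of the original post: compare the SHA-1 fingerprint of the cert file you imported with what the LDAP server now presents over SSL and with the identity the OPENDIRECTORY_SSL_IDENTITY preference names. It assumes LDAPS is listening on localhost:636 and that “security get-identity-preference -s … -Z” prints the identity’s SHA-1 hash (the script just pulls the first 40-hex run out of whatever it prints, so the exact output format is an assumption).

```shell
#!/bin/sh
# Added example (not from the post): check that Open Directory serves the new
# certificate. Assumptions: LDAPS on localhost:636; `security ... -Z` prints the
# identity's SHA-1 hash somewhere in its output. Run as root for the System keychain.
set -eu

# Reduce any fingerprint form ("SHA1 Fingerprint=ab:cd:..." or "SHA-1 hash: ABCD...")
# to bare upper-case hex so the three sources can be compared as plain strings.
normalize_fp() {
    printf '%s' "$1" | grep -oiE '([0-9a-f]{2}:?){20}' | head -n1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Fingerprint of the cert.pem imported in the First Step.
file_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha1)"
}

# Fingerprint of the leaf certificate the running LDAP server presents.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 2>/dev/null)"
}

# Fingerprint of the identity the OPENDIRECTORY_SSL_IDENTITY preference points at.
keychain_fp() {
    normalize_fp "$(security get-identity-preference -s OPENDIRECTORY_SSL_IDENTITY -Z 2>/dev/null)"
}

# True only when both values are present and identical (an empty value never matches).
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    f=$(file_fp "$1"); s=$(served_fp "${2:-localhost:636}"); k=$(keychain_fp)
    printf 'file     %s\nserved   %s\nkeychain %s\n' "$f" "$s" "$k"
    fingerprints_match "$f" "$s" || { echo "dirserv is still serving a different certificate"; exit 1; }
    fingerprints_match "$f" "$k" || { echo "OPENDIRECTORY_SSL_IDENTITY does not name the new certificate"; exit 1; }
    echo "OK: Open Directory serves the new certificate"
}

# Live checks only run when a cert file is given, e.g.:
#   sudo sh verify_od_cert.sh /path/to/cert.pem localhost:636
if [ "$#" -ge 1 ]; then main "$@"; fi
```

If the “served” line still shows the old fingerprint after a restart, dirserv has not picked up the keychain change; if “keychain” is empty, the preference item is missing or you are not reading the System keychain as root.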