Xcode continuous integration, Subversion and self-signed certificate won't work altogether.

Similar Messages

• Statement on Firefox 33 and self-signed certificates

  Dear Mozilla,
  Your decision to drop support for self-signed certificates is causing problems all around in LANs, VPNs, and domain networks both home and corporate which employ SSL but use self-signed certs. Despite it being understanding that it is generally ill-advised to access sites with such problems, further deciding that this minority of exceptions should be abandoned altogether in a world web full of so many shades of grey and complex setups is not a responsible decision.
  Please implement methods for us to be able to coexist with these updates, as suddenly dropping support for the plenthora of routers, domains, websites and other sources using such a setup, many of which cannot be quickly updated or even at all, is a big problem.
  The internet engineering taskforce has not issued any such directives, nor have broader plans to drop support for self-signed certificates been announced. In the lack of a transitioning climate away from this setup or any plans to do so, Mozilla has unilaterally decided to remove support.
  Please remember that you have a large userbase and thus a responsibility to keep available means of access that are in common use by the world. Self-signed certificates still very much play a role in the ecosystem, and they will continue to exist for as long as there is a need for encryption on intranets.
  Thank you!

  it seems the problem is not self-signed certificate itself, but too short (from current point of view) RSA-keys.
  Please see
  https://support.mozilla.org/en-US/questions/1045971
  moreover, SSLv3 is now insecure, and is soon going to be disabled by default.
  https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

• Web Server 7 Admin Server and Self-Signed certificate

  Is it possible to create and install a self-signed certificate for the administration server in Sun Web Server 7. The default installation comes with a self-signed certificate but we would like to install our own certificate and not the certificate issued by "admin-ca-cert"
  Message was edited by:
  aar

  As far as I know its not a problem. You can install your own certificate. Make sure that the certificate nick name is changed accordingly in "server-cert-nickname" in server.xml section as shown below :
  <http-listener>
  <name>admin-ssl-port</name>
  <port>2224</port>
  <server-name>alamanac.india.sun.com</server-name>
  <default-virtual-server-name>admin-server</default-virtual-server-name>
  <ssl>
  <server-cert-nickname>Admin-Server-Cert</server-cert-nickname>
  </ssl>
  </http-listener>

• Server 2012 R2 - Remote Apps (RDWeb) and Self Signed Certificates!

  Hi all! I have been playing around with VM's on Microsoft Azure just to try and have some Windows Services facing externally that I can play around with and test.
  I have spun up a Windows Server 2012 R2 Server and installed Remote Desktop Services on it. I am looking to publish some remote apps and ideally I am looking to get it to work externally.
  The Server has been given an IP address which is fine, i have gone to my domain and actually setup cloud.mydomain.co.uk and DNS for this is pointing to the IP address of the server. This is all working and functioning! 
  Basically if I go onto my server and connect to the RDweb section and login, i can see my remote apps, i can download the laucher and open them, all works great! :)
  If however, I go to https://cloud.mydomain.co.uk/RDWeb it asks me to login, I can then see my remote apps but when I click on them I get a certificate stating that the computer cannot verify the identity of the RD Gateway. 
  What am i missing....what do I need to do to get this to work?
  If there is some sort of tutorial on how to set this up, fully, from start to finish then that would be great. Otherwise any advice on this would be muchly appreciated!!
  Thanks! :)
        

  #2 sounds like we would need 2 Essentials servers and we will not have that.
  We currently have Server 2008 R2 and have 2012 Standard licenses that are not yet used.
  We have much more than 75 users total, but 75 is more than the number of users that will probably take advantage of using RD Gateway any time soon.  It will probably take time to catch on.
  If RD Gateway usage was to get super popular and more than 75 users were depending on access to it, then we could financially justify paying to buy all the CALs needed to run RD Gateway without Essentials.  Right now, they are skeptical that it will
  be worth spending much money on this and don't want to invest a lot  of money up front.
  My understanding is that if we have 75 or fewer users using RD Gateway then we need to by no CALs, just apply a Server Standard Edition License to the server, but if we had 76, we would need to turn off Essentials and buy 76 new CALs.
  Or would we need to add 50 CALs to the 25 that automatically come with Essentials?
  Also does "turning off" Essentials mean we would have to reinstall and redeploy the RDG or is it just a matter of enabling the RD license server and adding purchased CALs?
  No, when you buy essentials you get the right to create 25 users that access the server, when you create the 26th user you will need to have 26 CAL and RDS CAL. 

• Problems with Creating a self-signed Certificate

  hi,
  I read the keytool Documentation and wanted to create my own self-signed certificate.
  ok, I followed the steps :
  1) keytool -keyclone -alias origkey -dest my_key
  2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
  3) keytool -certreq -alias my_key (output in mycert.cer)
  4)keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
  .. Password Input...
  Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
  But it exists, see :
  [usr]$ keytool -list
  Keystore-Typ: jks
  Keystore-Provider: SUN
  new_key, 06.05.2003, keyEntry,
  So it exists, but why do I get the error ?
  So far,
  Stefan Gross

  stefan hi,
  i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
  and then using the keystore you can create as many certificates as possible based on the key pair.
  try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
  hope this time it'll work, let me know.
  cem.
  note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
  To set up a digital certificate,
  Generate a key pair.
  The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
  To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the kestore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
  keytool -genkey -keyalg RSA -alias tomcat-server
  -keystore <keystore_filename>
  The keytool utility prompts you for the following information:
  Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
  First and last name--Enter the appropriate value, for example, JWSDP.
  Organizational unit--Enter the appropriate value, for example, Java Web Services.
  Organization--Enter the appropriate value, for example, Sun Microsystems.
  City or locality--Enter the appropriate value, for example, Santa Clara.
  State or province--Enter the unabbreviated name, for example, CA.
  Two-letter country code--For the USA, the two-letter country code is US.
  Review the information you've entered so far, enter Yes if it is correct.
  Key password for the Web server--Do not enter a password. Press Return.
  The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
  Creating a Self-Signed Certificate
  This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
  Export the server certificate to a certificate file:
  keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
  Enter the password (changeit).
  Keytool returns the following message:
  Certificate stored in file <server.cer>
  Import the new server certificate into the Certificate Authority file cacerts.jks:
  keytool -import -alias serverCA -keystore <HOME>/cacerts.jks
  -file server.cer
  Enter the password (changeit).
  Keytool returns a message similar to the following:
  Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara,
  ST=CA, C=US
  Serial number: 3e39e3e0
  Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
  Certificate fingerprints:
  MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
  SHA1:21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  ----------------------------------

• Issue with Self Signed Certificate Web Sites

  I tried searching, but wasn't really getting the answer or help I needed so I figured I would just start a new topic. At my work we have a test server that we use for development and we have a couple of Web Services on there that use Self Signed Certificates. At work, I have a PC (Windows 7) and a Mac Mini (OS X) both of which can connect to the Web Services just fine. But at home, I can't access any of the Web Services at all, my browsers and Xcode keep timing out. I know the Web Service is public, I've accessed it before from other machines outside of work it's just at home I can't. I have an iMac at home, with a linksys router and I don't know if it's a setting on my home computer or network that could be causing it but I don't even get the message in Safari, Chrome or Firefox that the site has a self signed or bad certificate so I know something isn't letting me communicate. Any help would be great (all of the answers I have found suggested to purchase a certificate, which in this case isn't appropriate since they are used for Development until we feel they are ready for production in which case we purchase the certificate). Thanks.

  new information:
  I tried an other lumia800, the https page worked.
  The difference of the two phone was only the language
  My phone language was english (US), the other was hungarian.
  After that, I switched my phone language settings to hungarian, and tada... the self signed https page worked.
  I switched back to english(US) and stopped working.
  than I tried english(GB) and worked again.
  I did not try other languages, but it looks, if I use english-US language, I cannot see any invalid certificated page
  In other language settings, there is no problem.

• Getting self-signed certificates working with mail

  Hi all,
  I am having trouble getting email certificates created with keychain access to work in mail.
  According to the Leopard help file, you simply have to go to Keychain access and create the certificate, which I did. After that if you create a message in mail with that account, there should be an icon showing that the message will be signed or encrypted if you have the recipients certificate installed. I cannot seem to get this to work. I have created the certificates specifically for email, the certificate shows in Keychain as well as a public and private key entry, but mail refuses to see it.
  Has anyone gotten this to work with Mail and self-signed certificates?
  Any help would be most appreciated.
  Thanks,
  RacerX

  Have you tried setting the "Always trust" property? Double click the certificate in Keychain Access and allow it to have always trust for email.
  Also, make sure that bundles are enabled for mail.
  (Forget the command, google for "defaults write com.apple.mail enableBundles")
  That did it for me.
  Br,
  T

• How to use Self Signed certificate with SSLServerSocket?

  Hello to all.
  I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
  The server must have it's own certificate, clients don't need one.
  I started with this
  http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
  To generate key for the server and a self signed certificate.
  To sum it up:
       Create a new keystore and self-signed certificate with corresponding public/private keys.
  keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
       Export and examine the self-signed certificate.
  keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
       Import the certificate into a new truststore.
  keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jksThen in my server code I do
  System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
  System.setProperty("javax.net.ssl.keyStorePassword", "123456");
  SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
  SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
  Socket s = sslServerSocket.accept();I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
  Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
  I have also tried this solution
  serverKeyStore = KeyStore.getInstance( "JKS" );
  serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
       "123456".toCharArray() );
  tmf = TrustManagerFactory.getInstance( "SunX509" );
  tmf.init( serverKeyStore );
  sslContext = SSLContext.getInstance( "TLS" );
  sslContext.init( null, tmf.getTrustManagers(),secureRandom );
  SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
  SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );and still it doesn't work.
  So what am I missing?

  You were right. I corrected the mistakes in the server code, now it's
       private SSLServerSocket setupSSLServerSocket(){
            try {
                 SSLContext sslContext = SSLContext.getInstance( "TLS" );
                 KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
                 KeyStore ks = KeyStore.getInstance("JKS");
                 ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
                 km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
                  * Da usare con un truststore se serve autenticazione dei client
                  * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
                 tm.init(ks);*/
                 sslContext.init(km.getKeyManagers(), null, null);
                 SSLServerSocketFactory f = sslContext.getServerSocketFactory();
                 SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
                 return ss;
            } catch (UnrecoverableKeyException e) {
                 e.printStackTrace();
            } catch (KeyManagementException e) {
                 e.printStackTrace();
            } catch (NoSuchAlgorithmException e) {
                 e.printStackTrace();
            } catch (KeyStoreException e) {
                 e.printStackTrace();
            } catch (CertificateException e) {
                 e.printStackTrace();
            } catch (FileNotFoundException e) {
                 e.printStackTrace();
            } catch (IOException e) {
                 e.printStackTrace();
            return null;
       }and on the client code
  private SSLSocket setupSSLClientSocket(){
       try {
            SSLContext sslContext = SSLContext.getInstance( "TLS" );
            /* SERVER
            KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
            km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
            KeyStore clientks = KeyStore.getInstance("JKS");
            clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
            TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
            tm.init(clientks);
            sslContext.init(null, tm.getTrustManagers(), null);
            SSLSocketFactory f = sslContext.getSocketFactory();
            SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
            return sslSocket;
       } catch (KeyManagementException e) {
            e.printStackTrace();
       } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
       } catch (KeyStoreException e) {
            e.printStackTrace();
       } catch (CertificateException e) {
            e.printStackTrace();
       } catch (FileNotFoundException e) {
            e.printStackTrace();
       } catch (IOException e) {
            e.printStackTrace();
       return null;
  }and added a System.out.println(sslSocket); after every incoming message (server side) and SSL is now fully working!
  So my mistakes were:
  [] Incorrect setup done by code
  [] Incorrect and insufficient println() of socket status
  Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
  SERVER SIDE:
  System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
  System.setProperty("javax.net.ssl.keyStorePassword", KEYSTOREPASSWORD);
  SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
  SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
  CLIENT SIDE:
  System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
  System.setProperty("javax.net.ssl.trustStorePassword", "client");
  SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
  And everything is working as expected. Thank you!
  I hope my code will help someone else in the future.

• How do I override self-signed certificate old ssl blocking.

  My hard drive failed and was replaced by my desktop support team. As a result, I had to re-install FireFox, my preferred browser to provide console connections to my production servers. These connections are old, firmware platforms that are not updatable behind multiple firewall layers. They use old versions of ssl and self signed certificates. Your new browser simply blocks access. Without the ability to override permanently this 'feature', I am unable to access the consoles of servers doing billions of dollars in business. I have a work-around in place with other browsers.

  So, you are saying that EVERY time I need to access this type of server on my own internal network that is not visible anywhere, I have to go thru this rigamarole of this add on thing, because YOU have decided I can no longer access my own servers in my own network? If there is no permanent fix, I will find another browser that will do the job, and this will be uninstalled across the enterprise, because it becomes very unusable in crisis situations and even during a normal workday, because of the unnecessarily complicated process that has to be done each time. Unbelievable gall. I am speechless. Sure glad I discovered it when it was not urgent. I am sure glad you all are smarter than I am. Sheesh.

• DS6.3 replication and sun self signed certificate

  1. I am creating a replication agreement using the dscc and am prompted to choose:
  Authenticate using simple authentication and use a non-secure connection
  Authenticate using simple authentication and use a secure connection
  Authenticate using a certificate and use a secure connection
  I would like to choose the second option "Authenticate using simple authentication and use a secure connection" since I am replicating to another company division on another subnet in another building.
  Does this option take into account the installed certificates? Can I do this with a sun self signed certificate that I got by default at install? And if so can I renew it if it is expired?
  In my deployments I have used my own self signed certs and store bought certs. Since I know the other server has the sun cert, I was thinking I could just use that, and not do any root cert exchanges.

  Yes, you can. By default the certs that come when instance is created expire in 90 days and you can renew the cert easily using certutil. But you have to change the cert's trust properties so it can be used as a client as well.
  It's best you use CA signed certificates that last for longer, that way you can use it with normal apps as well. If this does not help, please post again.
  http://docs.sun.com/app/docs/doc/820-2763/bcarh

• Self Signed Certificates vs. GnuPG key and Web of Trust

  I'm not totally sure where to ask this question, though this is the best place I can think of.
  Wanting to be able to digitally sign my emails, and I can use a self signed certificate, or get one from CAcert.org (which, as far as I can tell, is also a self signature)...
  Whereas with GnuPG, the keys are certified based on the web of trust.
  Is there any kind of web of trust for the certificates?
  Russell

  Your private key is stored in the keystore (.pfx or .p12)
  file that adt created for you when you created your self-sign
  certificate. The file itself is protected by the password you
  entered. Don't ever give this file to anyone, and under no
  circumstances should you give the password to anyone.
  The public key is also stored in the same file. You can
  export the public key, embedded in a certificate, from the keystore
  file, although you likely won't have any need to do that.
  If the resulting .air file is ever modified then the
  application won't install. There's no need for users to check the
  hash or anything like that to validate the file; it's all done
  automatically as part of the installation process.
  Hope that helps,
  Oliver Goldman | Adobe AIR Engineering

• How to erase all self signed certificates and force Server to use Signed SSL

  I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
  I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
  Can I replace those self-signed certs with the new one some how?

  Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
  1:  Launch Keychain Access
  2:  Select the System Keychain
  3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
  4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
  5:  Press Save Changes to save.
  6:  Reboot the server or kill the servermgrd process to restart the service.
  That should resolve your issue.
  R-
  Apple Consultants Network
  Apple Professional Services
  Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

• How pass client credentials to ws client and accept self signed certificate

  How do you connect to a web service over ssl and accept self-signed certificates. I generated the client using JAX-WS but i ran into two problems. First of all, how do you pass the client credentials? And second, how can you accept a self-signed certificate?

  Thanks for your comments Jason.
  I'm not quite sure why the certificate has client auth. It does seem to be a misconfiguration, but I do see both 7.3.1 & 7.3.2 on the cert. That seems like a possible fix, but in a backwards way.  I can get those certificates reissued, but I'm confused
  as to why config manager itself is not installing per the site settings.
  My default install is via a vbs script you wrote (1.6.5).  The other methods I've tried in this particular instance are by browsing to the server and running ccmsetup.exe from explorer out of my sms_<site> directory, and by using command line
  specifying the /mp:mp.mysite.com
  I looked for command line switches to use, but there's no /NoUsePKI switch or /UseSelfSigned...
  any suggestions for a better installation method?

• Self-signed certificate and Microsoft Git Provider for Vistual Studio 2013

  I am setting up an in-house Git server with a self-signed certificate for SSL.
  How do I configure Visual Studio 2013 with Microsoft Git Provider to allow connections to projects with a self-signed certificate?
  Visual Studio gives med the following error message: 
  "An error occurred. Detailed message: An error was raised by libgit2. Category = Net (Error).
  An error occurred while sending the request."
  When I use Fiddler to decode the SSL connection, everything works great.

  Hi,
  I think your issue isn't related to the forum. I will move the thread to "Where is the forum for..." forum.
  Thanks for your understanding.
  Regards.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• How to replace an expiring self-signed certificate?

  Well, I've successfully (I THINK) replaced two of the three certificates that are expiring.
  First off - 90% of what's in the Security manual concerning certificates is useless to this issue. I don't want to know how the watch is made - I just want to tell time! In fact there is a GLARING typo on Page 167 of the Snow Leopard Server Security Configuration Manual showing a screenshot of the Certificate Assistant in Server Admin that is just plain wrong!
  It's clear there is no way to RENEW the certificate. You have to delete the old one and replace it with a new certificate.
  The issue I have is that with all the services using the certificate, I don't know what the impact to the end-users is going to be when I delete that expiring certificate.
  It appears that a certificate is created automatically when the OS is installed, although I installed the OS Server on a virtual machine and I didn't see where it got created, nor was I given any input during the creation (like extending the expiration date).
  I don't know whether those certificates are critical to the running of the OS or not, but I went through the process of creating a new certificate in Server Admin. I deleted the expiring certificate. Because the two servers on which the expiring certificate was deleted does not have any services running that require a certificate (such as SSL on my mail server), nothing bad seems to have happened or been impacted negatively.
  I did, however, name the new certificate the exact same thing as the old certificate and tried to make sure that the parameters of the new certificate were at least as extensive as the old certificate. You can look at the details of the old certficate to see what they were.
  Here's the "critical" area of the certificate that was "auto-created" on my virtual server. (It's the same as the one on my "real" server.
  http://screencast.com/t/zlVyR2Hsc
  Note the "Public Key Info" for "Key Usage": Encrypt, Verify, Derive. Note the "Key Usage" Extension is marked CRITICAL and it's usage is "Digital Signature, Data Encipherment, Key Cert Sign". Extended Key Usage is also critical and it's purpose is Server Authentication.
  Here's a screenshot of the default certificate that's created if you create a new self-signed certificate in Server Admin:
  http://screencast.com/t/54c2BUJuXO2
  Note the differences between the two certificates. It LOOKS to me like the second certificate would be more expansive than the default issued at OS Install? Although I don't really care about Apple iChat Encryption.
  Be aware that creating certificates starts to populate your server Keychain.
  http://screencast.com/t/JjLb4YkAM
  It appears that when you start to delete certificates, it leaves behind private keys.
  http://screencast.com/t/XD9zO3n16z
  If you delete these keys you get a message warning you about the end of the world if you delete private keys. I'm sorry if your world melts around you, but I'm going to delete them from my Keychain.
  OK, now I'm going to try to create a certificate that is similar to the one that is created at start-up.
  In Server Admin, highlight your server on the sidebar and click the "Certificates" tab in the icon bar.
  Click the "+" button under your existing certificate and select "Create a Certificate Identity". (This is how I created the default certificate we just got through looking at except I clicked through all the defaults.)
  Bypass "Introduction".
  In the "Create Your Certificate" window I set the "Name" as exactly the same as the name of the expiring certificate. I'm HOPING when I do this for my email server, I won't have to go into the services using the certificate and select the new one. On the other hand, naming it the same as the old one could screw things up - I guess I'll know when I do it later this week.
  The "Certificate Type" defaults to "SSL Server" and I think this is OK since that's what I'll be using this certificate for.
  You HAVE to check the "Let me override defaults" if you want to, for example, extend the expiry period. So that's what I want to do, so I checked it.
  In the next window you set the Serial Number and Validity Period. Don't try typing "9999" (for an infinite certificate) in the "Validity Period" field. Won't work - but you CAN type in 1826 (5 years) - that works - Go Figure!??? You can type in a bigger number than that but I thought 5 years was good for me.
  The next part (Key Usage Extension) is where it gets sticky. OF COURSE there is NO DOCUMENTATION on what these parameters mean of how to select what to choose.
  (OK here's what one of the "explanations" says: "Select this when the certificate's public key is used for encrypting a key for any purpose. Key encipherment is used for key transport and key wrapping (or key management), blah, blah, blah, blah, blah blah!") I'm sure that's a clear as day to you rocket scientists out there, but for idiot teachers like me - it's meaningless.
  Pant, pant...
  The next window asks for an email address and location information - this appears to be optional.
  Key Pair Information window is OK w/ 2048 bits and RSA Algorithm - that appears to be the same as the original certificate.
  Key Usage Extension window
  Here's where it gets interesting...
  I brought up the screenshot of the OS Install created certificate to guide me through these next couple of windows.
  Since the expiring cert had "Digital Signature, Data Encipherment, Key Cert Sign" I selected "Signature, Data Encipherment and Certificate Signing".
  Extended Key Usage Extension...
  Hoo Boy...Well, this is critical. But under "Capabilities" it lists ANY then more stuff. Wouldn't you THINK that "ANY" would include the other stuff? Apparently not..."Learn More"?
  Sorry, folks, I just HAVE to show you the help for this window...
  +*The Extended Key Usage Extension (EKU) is much like the Key Usage Extension (KUE), except that EKU values are defined in terms of "purpose" (for example, signing OCSP responses, identifying an SSL client, and so on.), and are easily extensible.  EKU is defined with object identifiers called OIDs.  If the EKU extension is omitted, all operations are potentially valid.*+
  KILL ME NOW!!!
  OK (holding my nose) here I go...Well, I need SSL Server Authentication (I THINK), I guess the other stuff that's checked is OK. So...click "Continue".
  Basic Constraints Extension...
  Well, there is no mention of that on the original certificate, so leave it unchecked.
  Subject Alternate Name Extension...
  Nothing about that in the original certificate, so I'm going to UNCHECK that box (is your world melting yet?)
  DONE!!!! Let's see what the heck we got!
  http://screencast.com/t/QgU86suCiQH
  Well, I don't know about you but that looks pretty close for Jazz?
  I got some extra crap in there but the stuff from the original cert is all there.
  Think we're OK??
  Out with the old certificate (delete).
  Oh oh - extra private key - but which is the extra one? Well, I guess I'll just keep it.
  http://screencast.com/t/bydMfhXcBFDH
  Oh yeah...one more thing in KeyChain Access...
  See the red "X" on the certificate? You can get rid of that by double clicking on the certificate and expanding the "Trust" link.
  http://screencast.com/t/GdZfxBkHrea
  Select "Always Trust".
  I don't know if that does anything other than get rid of the Red "X", but it looks nice. There seem to be plenty of certificates in the Keychain which aren't trusted so maybe it's unnecessary.
  I've done this on both my file server and my "test" server. So far...no problems. Thursday I'll go through this for my Mail server which uses SSL. I'm thinking I should keep the name the same and not replace the certificates in the iCal and Mail service which use it and see what happens. If worse comes to worse, I may need to recreate the certificate with a different name and select the new certificate in the two services that use it.
  Look...I don't know if this helps anyone, but at least I'm trying to figure this idiocy out. At least if I screw up you can see where it was and, hopefully, avoid it yourself.
  If you want to see my rant on Apple's worthless documentation, it's here.
  http://discussions.apple.com/thread.jspa?threadID=2613095&tstart=0

  to add to countryschool and john orban's experiences:
  using the + Create a Certificate Identity button in Server Admin is the same thing as running KeyChain Access and selecting Certificate Assistant from the app menu, and choosing Create a Certificate. Note that you don't need to create a Certificate Authority first.
  in the second "extended key usage extension" dialog box, i UN-checked Any, PKINIT Server Authentication, and iChat Encryption. this produced the closest match to the server's default self-installed certificate.
  when updating trust settings in Keychain Access, the best match to the original cert are custom settings - set Always Trust for only SSL and X.509 Basic Policy.
  supposedly you can use Replace With Signed or Renewed certificate button from Server Admin and avoid needing to re-assign to services. however i was unable to get this to work because my new cert didn't match the private key of the old. for those interested in going further, i did figure out the following which might be helpful:
  you can't drag and drop a cert from Keychain Access or Cert Manager. you need the actual PEM file. supposedly you can hold down the option button while dragging, but this didn't work for me. however you can view the certificates directly in etc/certificates. but that folder is hidden by default. a useful shortcut is to use Finder / Go To Folder, and type in "/private/etc/certificates"
  now, on my system the modification date was the same for old and new certificates. why? because it seems to be set by when you last viewed them. so how do you know which is which? answer: compare file name to SHA1 Fingerprint at bottom of certificate details.
  after you delete the old certificate, it will disappear in Keychain Access from "System" keychains. however in "login" keychains the old one will still be there but the new one won't. it seems to make sense to delete the old one from here and add the new one. somebody tell me if this is a bad idea. the + button does not work easily for this, you need to drag and drop from the etc/certificates folder.
  lastly, the "common name" field is the server/host name the client will try to match to. you can use wildcard for this, e.g. *.example.com. if you need to, you can use the Subject Alternate Name to provide an alternative name to match to, in which case the common name field will be ignored, which is why by default the dNSName alternate field defaults to the common name. more info here: http://www.digicert.com/subject-alternative-name-compatibility.htm.
  maybe that's hopeful to somebody. but i stopped there since things seem to be working.
  last note, which you probably know already - if you don't want to bother installing the certificate in your client computers and phones, you can select Details when the first trust warning pops up and select Always Trust.
  now, we'll see how everything works once people start really using it...