Chapter 5. Securing Power Manager

Using Your Own SSL Certificates

Power Manager supports secure communications through the industry standard Secure Sockets Layer (SSL) protocol. Both third party and self-signed certificates are supported.

SSL provides a combination of authentication and encryption for your Power Manager network traffic. SSL is used to confirm the network connection is established with the computer you expect, and that the traffic between you and the destination is private.

SSL is used for all connections and cannot be disabled. If no certificate is provided, Power Manager creates a self-signed certificate. Self-signed certificates ensure connections are secure, but cannot be used for authentication purposes.

Keychain and Your SSL Certificate

Power Manager accesses SSL certificates and passwords through Mac OS X's Keychain framework.

Self-Signed Certificates

Power Manager will automatically create a suitable self-signed certificate. Self-signed certificates provide encryption but not authentication. For most environments, this is acceptable. Self-signed certificates are free and can be created using the tools included on your Mac.

The following guide is provided to help explain how you can create your own self-signed certificate embedded in a Keychain suitable for use with Power Manager. This process can be adapted to embed authenticated certificates - those signed by a third party Certificate Authority (CA) - in a Keychain.

[Note] Why certtool?

There are many ways to create a Keychain containing a certificate, private key, and identity on Mac OS X. We have chosen to use certtool in this guide because certtool is included with Mac OS X and reasonably straightforward.

Other tools such as OpenSSL and Certificate Assistant can be used to create your certificate.

Procedure 5.1. Creating a Self-Signed SSL Certificate

  1. Launch Terminal, found in Applications/Utilities/.

  2. Enter the certtool command in Example 5.1, “certtool command to create a certificate and Keychain.”.

    Example 5.1. certtool command to create a certificate and Keychain.

    bash% certtool c c p=pm k=/Users/Shared/Default.keychain

    certtool command to create a self-signed certificate in a new Keychain at /Users/Shared/Default.keychain. The Keychain will have the password pm.

    Walk through certtool's questions answering appropriately for your organisation. A sample session is covered in Example 5.2, “Sample certtool session: key pair.”, Example 5.3, “Sample certtool session: Relative Distinguished Name.”, and Example 5.4, “Sample certtool session: Confirmation.”.

    Example 5.2. Sample certtool session: key pair.

    Enter key and certificate label: My Power Manager Certificate
    Please specify parameters for the key pair you will generate.
      r  RSA
      d  DSA
      f  FEE
      e  ECDSA
    Select key algorithm by letter: r
    Valid key sizes for RSA are 512..2048; default is 512
    Enter key size in bits or CR for default: 
    You have selected algorithm RSA, key size 512 bits.
    OK (y/anything)? y
    Enter cert/key usage (s=signing, b=signing AND encrypting, d(derive AND sign): b
    ...Generating key pair...
    Please specify the algorithm with which your certificate will be signed.
      5  RSA with MD5
      s  RSA with SHA1
    Select signature algorithm by letter: s
    You have selected algorithm RSA with SHA1.
    OK (y/anything)? y

    Example 5.3. Sample certtool session: Relative Distinguished Name.

    You will now specify the various components of the certificate's
    Relative Distinguished Name (RDN). An RDN has a number of 
    components, all of which are optional, but at least one of 
    which must be present. 
    Note that if you are creating a certificate for use in an 
    SSL/TLS server, the Common Name component of the RDN must match
    exactly the host name of the server. This must not be an IP
    address, but the actual domain name, e.g.
    Entering a CR for a given RDN component results in no value for
    that component.
    Common Name       (e.g, : localhost
    Country           (e.g, US) : US
    Organization      (e.g, Apple Computer, Inc.) : Your Organisation
    Organization Unit (e.g, Apple Data Security) : Your Department
    State/Province    (e.g, California) : Your State
    Email Address     (e.g, :

    Example 5.4. Sample certtool session: Confirmation.

      Common Name       : localhost
      Country           : US
      Organization      : Your Organisation
      Organization Unit : Your Department
      State/Province    : Your State
      Email Address     :
    Is this OK (y/anything)? y
    ..cert stored in Keychain.

  3. The new Keychain containing the certificate must now be moved to /Library/Application Support/Power Manager/Keychains/Default.keychain.

    Enter the command in Example 5.5, “Moving the Keychain into place.”.

    Example 5.5. Moving the Keychain into place.

    bash% sudo mv /Users/Shared/Default.keychain "/Library/Application Support/Power Manager/Keychains/Default.keychain"

    mv the certificate Keychain into Power Manager's Application Support folder.

  4. Power Manager will start using your new certificate Keychain after the next restart; alternatively you can use the command sudo killall pmd to immediately relaunch Power Manager.
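The sample session above accepts certtool's default 512-bit RSA key and signs with SHA-1, and certtool notes that the Common Name must match the server's host name. The following script is an added example, not part of the original guide: it checks a certificate's text dump for those three properties. The function names, the 2048-bit threshold and the embedded sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Power Manager guide. MIN_RSA_BITS and the
# function names are assumptions of this example.
MIN_RSA_BITS=2048

# Constructed sample of `openssl x509 -noout -text` output for a certificate
# made with the sample session's choices (RSA 512, SHA-1, CN localhost).
sample_cert_text() {
cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = localhost, C = US, O = Your Organisation
        Subject: CN = localhost, C = US, O = Your Organisation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
EOF
}

# Usage: audit_cert_text EXPECTED_HOST < text-dump
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_cert_text() {
    expected_host=$1
    text=$(cat)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    findings=0
    if [ -z "$bits" ]; then
        echo "UNKNOWN key size"; findings=1
    elif [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK key size: $bits bits (minimum $MIN_RSA_BITS)"; findings=1
    fi
    case "$sig" in
        "") echo "UNKNOWN signature algorithm"; findings=1 ;;
        *[Mm][Dd]5*|*[Ss][Hh][Aa]1*) echo "WEAK signature algorithm: $sig"; findings=1 ;;
    esac
    if [ "$cn" != "$expected_host" ]; then
        echo "MISMATCH common name: '$cn' (expected '$expected_host')"; findings=1
    fi
    return "$findings"
}

# On the Mac, feed it the first certificate stored in the Keychain:
#   security find-certificate -a -p "<keychain path>" | openssl x509 -noout -text | audit_cert_text localhost
sample_cert_text | audit_cert_text localhost || true
```

Answering 2048 at certtool's key size prompt, instead of pressing return for the 512-bit default, clears the key size finding.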