Chapter 5. Securing Power Manager
Table of Contents
Using Your Own SSL Certificates
Power Manager supports secure communications through the industry standard Secure Sockets Layer (SSL) protocol. Both third party and self-signed certificates are supported.
SSL provides a combination of authentication and encryption for your Power Manager network traffic. SSL is used to confirm the network connection is established with the computer you expect, and that the traffic between you and the destination is private.
SSL is used for all connections and can not be disabled. If no certificate is provided, Power Manager creates a self-signed certificate. Self-signed certificates ensure connections are secure, but can not be used for authentication purposes.
Keychain and Your SSL Certificate
Power Manager accesses SSL certificates and passwords through Mac OS X's Keychain framework.
Power Manager will automatically create a suitable self-signed certificate. Self-signed certificates provide encryption but not authentication. For most environments, this is acceptable. Self-signed certificates are free and can be created using the tools included on your Mac.
The following guide is provided to help explain how you can create your own self-signed certificate embedded in a Keychain suitable for use with Power Manager. This process can be adapted to embed authenticated certificates - those signed by a third party Certificate Authority (CA) - in a Keychain.
There are many ways to create a Keychain containing a certificate, private key, and identity on Mac OS X. We have chosen to use certtool in this guide because certtool is included with Mac OS X and reasonably straight forward.
Other tools such as OpenSSL and Certificate Assistant can be used to create your certificate.
Procedure 5.1. Creating a Self-Signed SSL Certificate
Enter the certtool command in Example 5.1, “certtool command to create a certificate and Keychain.”.
Example 5.1. certtool command to create a certificate and Keychain.
bash%certtool c c p=pm k=/Users/Shared/Default.keychain
certtool command to create self-signed certificate in a new Keychain at
/Users/Shared/Default.keychain. The Keychain will have the password
Walk through certtool's questions answering appropriately for your organisation. A sample session is covered in Example 5.2, “Sample certtool session: key pair.”, Example 5.3, “Sample certtool session: Relative Distinguished Name.”, and Example 5.4, “Sample certtool session: Confirmation.”.
Example 5.2. Sample certtool session: key pair.
Enter key and certificate label:
My Power Manager Certificate
Please specify parameters for the key pair you will generate. r RSA d DSA f FEE e ECDSA Select key algorithm by letter:
Valid key sizes for RSA are 512..2048; default is 512 Enter key size in bits or CR for default: You have selected algorithm RSA, key size 512 bits. OK (y/anything)?
Enter cert/key usage (s=signing, b=signing AND encrypting, d(derive AND sign):
...Generating key pair... Please specify the algorithm with which your certificate will be signed. 5 RSA with MD5 s RSA with SHA1 Select signature algorithm by letter:
You have selected algorithm RSA with SHA1. OK (y/anything)?
Example 5.3. Sample certtool session: Relative Distinguished Name.
You will now specify the various components of the certificate's Relative Distinguished Name (RDN). An RDN has a number of components, all of which are optional, but at least one of which must be present. Note that if you are creating a certificate for use in an SSL/TLS server, the Common Name component of the RDN must match exactly the host name of the server. This must not be an IP address, but the actual domain name, e.g. www.apple.com. Entering a CR for a given RDN component results in no value for that component.
Common Name (e.g, www.apple.com) :
Country (e.g, US) :
Organization (e.g, Apple Computer, Inc.) :
Organization Unit (e.g, Apple Data Security) :
State/Province (e.g, California) :
Email Address (e.g, email@example.com) :
Example 5.4. Sample certtool session: Confirmation.
Common Name : localhost
Country : US
Organization : Your Organisation
Organization Unit : Your Department
State/Province : Your State
Email Address : firstname.lastname@example.org
Is this OK (y/anything)?
..cert stored in Keychain.
The new Keychain containing the certificate must now be moved to
/Library/Application Support/Power Manager/Keychains/Default.keychain.
Enter the command in Example 5.5, “Moving the Keychain into place.”.
Example 5.5. Moving the Keychain into place.
bash%sudo mv /Users/Shared/Default.keychain "/Library/Application Support/Power Manager/Keychains/Default.keychain"
mv the certificate Keychain into Power Manager's Application Support folder.
Power Manager will start using your new certificate Keychain after the next restart; alternatively you can use the command sudo killall pmd to immediately relaunch Power Manager.