With Mac OS X Server, you can use Server Admin and the Certificate Assistant tools to create your private key for your server. In fact, when you start the server up, out of the box, one has already been created for you. You can use this key to create a certificate signing request (CSR) to send to your certificate authority (CA) to sign. If you do this, you will get a spiffy signed cert back, appropriate for securing your web server, chat server or a variety of other uses.
If you try to use this cert with your own version of Apache, however, you will encounter the default situation where httpd will ask for the password of that .crt file during the startup procedure.
Many admins choose to delete the password from this certificate to eliminate administrator intervention when restarting the service. The usual way this is done is to run the command openssl rsa -in /path/to/mycert.crt -out /output/path/ofmyclean.crt (or the variant openssl rsa -in key.pem -out newkey.pem if you are working with .pem-format certificates, which are the default if you use Server Admin.app to generate certs).
To run this command, you need to know the original password.
Intuitively, you might think that the password MOSXS uses to create this private key (and thus used to create the signed cert) would be the initial root password, or maybe the first eight characters of the serial number. Instead, it's a randomly generated password created by the system.
You can retrieve this password using the Keychain Access application. Search for the "Mac OS X Server certificate management" object of the type "application password". Double-click to examine this object and to reveal the password used by the system.
With this information, you can proceed with the openssl command to delete the password from your signed certificate. Note that you needn't worry about this if you're using the built-in Mac OS X services, since those programs will automatically consult the Keychain to get the password for the .crt file when starting up.
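The procedure above as a script, added here as an example and not part of the original post: it runs the same openssl rsa step on the private key file, creates the password-free copy readable by its owner only, and checks that it is still the same key pair. The KEY_PASS variable, the function names and the demo key are assumptions made for the example.

```shell
# Added example, not from the original post. KEY_PASS and the function names
# are assumptions; the demo key and passphrase are constructed throwaways.

# True if the PEM file is passphrase-protected: matches both the traditional
# "Proc-Type: 4,ENCRYPTED" header and PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# strip_key_passphrase SRC DST: write an unencrypted copy of SRC to DST.
# The passphrase is read from $KEY_PASS rather than typed on the command line.
strip_key_passphrase() {
    src=$1; dst=$2
    key_is_encrypted "$src" || { echo "no passphrase on $src" >&2; return 2; }
    # umask in a subshell: the clear-text key is created owner-only.
    ( umask 077
      openssl rsa -in "$src" -passin env:KEY_PASS -out "$dst" 2>/dev/null ) ||
        { rm -f "$dst"; echo "wrong passphrase or unreadable key" >&2; return 1; }
    chmod 600 "$dst"   # also tightens a pre-existing DST with looser modes
    # Same key pair as before? Compare the public halves.
    a=$(openssl rsa -in "$src" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    b=$(openssl rsa -in "$dst" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ] && ! key_is_encrypted "$dst"
}

# Demo on a constructed key in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$d/key.pem" 2048 \
        2>/dev/null || return 1
    strip_key_passphrase "$d/key.pem" "$d/newkey.pem"; rc=$?
    ls -l "$d/newkey.pem"
    rm -rf "$d"
    return $rc
}
demo
```

Once the password is gone, file permissions are the only thing protecting the key, which is why the script forces mode 600 on the output.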
