Installing the SSL Certificate

When the Certificate Authority approves your certificate request, the certificate will be sent to you. The certificate will include a server or root certificate, and may also include an intermediate certificate in the case of a certificate chain. The Certificate Authority may also issue instructions on installing the certificate within various server types. The most relevant of these instructions would be for Apache, which is the type used by MacPractice. The Apache instructions sent by the Certificate Authority may differ from the instructions below, however the most important part of any SSL Certificate installation will be installing the server key, intermediate certificate (where applicable), and certificate within the correct folders and editing the MacPracticeServer configuration file to point to these files using the exact file names as the files themselves.

  • server-cert.pem: This file is the server certificate, or root certificate. It is the public key in your key pair and will be placed in /Library/MacPracticeServer/Apache/Security/public.

  • server-ca.crt: This file is the Intermediate certificate and would only be used in the case of a certificate chain.

  • server-key.pem: This file is the private file in your key pair and was created in the CSR process.

Before replacing any of these files, make a backup of the current files in case they should ever need to be replaced. There is no way to recover the files. Just like MacPractice backups, the files should also be stored somewhere beyond just the MacPractice Server in case of machine failure.

To replace the files, make a backup of the the existing server-cert.pem and place the new certificate within /Library/MacPracticeServer/Apache/Security/public. Some Certificate Authorities will send the public key as text pasted within the email. This text can be copied and pasted to a blank text file to create the server certificate. Name this file server-cert.pem, and install the file in /Library/MacPracticeServer/Apache/Security/public.

Next, to install the Intermediate Certificate, copy and paste the text of the intermediate certificate to a blank text file. Name this file server-ca.crt, and install the file to /Library/MacPracticeServer/Apache/conf/.

The server-key.pem file, which was created during the CSR process, will need to be installed to /Library/MacPracticeServer/Apache/Security/private on MacPractice versions previous to 4.2.18. Later versions of MacPractice will have created this 2048 bit key file directly within the location, and manually replacement is not needed.

These files will need the proper permissions. Both files should have the following owner, group, and permissions set:

-rw-r--r--  1 _macpractice  admin

To check the permissions, type the following in Terminal:

To check the certificate

sudo chmod 644 /Library/MacPracticeServer/Apache/Security/public/server-cert.pem sudo chown _macpractice:admin /Library/MacPracticeServer/Apache/Security/public/server-cert.pem

To check the key
sudo chmod 644 /Library/MacPracticeServer/Apache/Security/private/server-key.pemsudo chown _macpractice:admin /Library/MacPracticeServer/Apache/Security/private/server-key.pem

Next, edit the config file to recognize the domain of your MacPractice Server. The MacPracticeServer.conf file is located in /Library/MacPracticeServer/Apache/conf . Open this file in TextWranger or TextEdit and look for the following line:

ServerName MacPracticeServer:1234

In this line, replace the "MacPracticeServer" with the full domain name of the server. This must match both the domain name of the server and the domain name for which the certificate was verified.

Next, three host sections will need to be edited to point to the three new certificate files. Within the same MacPracticeServer.conf file, locate the virtual host section. This section points to the server certificate, private key, and certificate chain. The following lines will need to be edited within the file:

  • SSLCertificateFile "/Library/MacPracticeServer/Apache/Security/public/server-cert.pem"

  • SSLCertificateKeyFile "/Library/MacPracticeServer/Apache/Security/private/server-key.pem"

  • SSLCertificateChainFile "/Library/MacPracticeServer/Apache/conf/server-ca.crt"

The filepaths associated to these lines will need to reflect the filenames and folders of each of the newly placed certificate files, and each of the lines will need to have the "#" removed in order to uncomment the line. An example of the virtual host section of the configuration file as it should look is below:

#Server Certificate:
#Point SSLCertificateFile at a PEM encoded certificate. If
#the certificate is encrypted, then you will be prompted for a
#pass phrase. Note that a kill -HUP will prompt again. Keep
#in mind that if you have both an RSA and a DSA certificate you
#can configure both in parallel (to also allow the use of DSA
#ciphers, etc.)
SSLCertificateFile "/Library/MacPracticeServer/Apache/Security/public/server-cert.pem"

#Server Private Key:
#If the key is not combined with the certificate, use this
#directive to point at the key file. Keep in mind that if
#you've both a RSA and a DSA private key you can configure
#both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile "/Library/MacPracticeServer/Apache/Security/private/server-key.pem"

#Server Certificate Chain:
#Point SSLCertificateChainFile at a file containing the
#concatenation of PEM encoded CA certificates which form the
#certificate chain for the server certificate. Alternatively
#the referenced file can be the same as SSLCertificateFile
#when the CA certificates are directly appended to the server
#certificate for convenience.
SSLCertificateChainFile "/Library/MacPracticeServer/Apache/conf/server-ca.crt"
To complete the process, restart Apache on the MacPractice Server with the following Terminal command:

sudo /Library/MacPracticeServer/Apache/bin/apachectl restart

Once the server has restarted, open /Library/MacPracticeServer/Apache/logs/error_log and look for timestamps after the restart. If any timestamps indicate that there is not a match, check that the correct certificate has been installed and that the domain name matches the certificate, the .conf file, and your DNS setup. Timestamps indicating there is not a match may look like the following:

[Wed Sep 28 14:50:06 2011] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?

or

[Wed Sep 28 14:50:06 2011] [warn] RSA server certificate CommonName (CN) `*.yourdomain.com' does NOT match server name!?