Importing Created Certificates into macOS KeyChain & Server App

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: samuelfalchick.com

I ran this command: Various similar commands that produce the correct files (4 files, all .pem)

It produced this output:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

My web server is (include version): macOS Server 5.6.1

The operating system my web server runs on is (include version): macOS High Sierra 10.13.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes, via Remote Desktop (Full Desktop Privileges)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Remote Desktop

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.3.0


The issue I am experiencing is attempting to import these files into macOS Server. The app doesn't seem to recognize that these files are an SSL certificate, and therefore I am unable to add it to the app's Certificates panel.

I took a look at this post which had the same issue, but when I tried the solution I got the same error mentioned in this user's post:

It's not clear to me what solution you tried, especially since the solution in the other post was not presented in a completely comprehensive manner; plus, your own post appears unfinished.

The solution was to add the string "--key-type rsa" so that the generation command reads:

certbot -v certonly --key-type rsa --preferred-challenges=http --manual --config-dir ~/lets-encrypt --work-dir ~/lets-encrypt --logs-dir ~/lets-encrypt

Also, remove all the earlier non-working certificates and their aliases from the lets-encrypt tree before doing this, so you don't grab the old versions by mistake and think you failed.

I want to make sure that's what you did, before proceeding.


I did generate it using that command (with the additional "--key-type rsa") and it generated identical looking files, the only difference being the number iteration. Apparently, 5 is the limit, so I am unable to generate any more certificates right now with the same credentials.

TL;DR Yes, that is what I did.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

And to assist with debugging, a great place to start is Let's Debug.


The size should have been different between rsa and ecdsa privkey. That said, I see from the crt.sh logs that your 5th cert was rsa and the prior 4 were ecdsa (link here)

I don't know anything about your app so can't help but thought it worth to clarify this much.


This issue is with deploying the certificates, not making them. MacOS Server isn't great, but I don't really know of anything newer that's as easy to use on macOS. If you have any app recommendations I'd love to try something better (and less ancient).

One thing I will add, and I don't know how relevant it is to your configuration... In High Sierra, Mac OS Server began shedding a good portion of its functionality, and by Mojave it was basically a useless app. My server machine is running Server 5.2 on Sierra, which had the fullest complement of services (to my knowledge) before they started dropping off. This may be relevant to your problem, in that you may be trying to do something a later version just doesn't do.

The details are here.

It might also help to know exactly what features of Server you are trying to use. Some of them got absorbed into the main OS, while some of them (like Calendar) just evaporated. Unlike me (who uses it for Calendar) you may not even need to use Server.


I pretty much only use macOS Server to host my website, and also for DNS, but I don't care about the DNS stuff. I'm running a pretty old version that does have a lot of the features built in, including certificate management and web hosting. There is just something wrong with importing the .pem files into keychain and/or macOS Server. I don't understand why it won't work, and I can't seem to find much about it online.


I found a solution to the certificate problem! macOS Server only accepts some weird type of file rather than the standard ones, and I found an article that explained it.

https://www.macstrategy.com/article.php?211

Here's the command line commands to convert to the correct file type:

sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/your_domain_name.tld/privkey.pem -in /etc/letsencrypt/live/your_domain_name.tld/cert.pem -certfile /etc/letsencrypt/live/your_domain_name.tld/fullchain.pem -out /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -passout pass:"admin_password"

PKCS12 (aka .P12 or .PFX) is a pretty common certificate-related file type. Specifically, it's a container format that can hold multiple certs and private keys, sort of like zip but for certs.

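The conversion in the post above, and the PKCS#12 "container" the following reply describes, as an added worked example that is not code from the thread or from the macstrategy article. It builds the bundle from a constructed certbot-style directory (a throwaway test CA and leaf, generated inline), then opens the bundle again to count the certificates inside it and to confirm the private key it carries is the same key as privkey.pem. The only assumptions are the openssl and mktemp binaries; every path, file name and password in it is a sample value. Three deliberate departures from the posted command are marked in the comments: chain.pem is passed to -certfile instead of fullchain.pem (fullchain.pem already contains cert.pem, so the posted command stores the leaf twice), the export password comes from a file rather than the command line (where ps and shell history expose it), and the key and certificate bags are pinned to the PBE-SHA1-3DES scheme with a SHA-1 MAC, because OpenSSL 3 defaults to AES-256-CBC with PBKDF2 and older PKCS#12 importers, the macOS Keychain of that era included, commonly reject that encoding.

```shell
#!/bin/sh
# Added example (not from the thread): bundle certbot's PEM files into a
# PKCS#12 file the way the post above does, then inspect what went into it.
# Assumes only the openssl and mktemp binaries; all file names and the
# password below are sample values, not paths from the original post.
set -eu

# make_sample_pems DIR: constructed input. Creates a throwaway CA and a leaf
# certificate signed by it, laid out like a certbot live/ directory:
#   privkey.pem  leaf private key      cert.pem  leaf certificate
#   chain.pem    issuing CA cert       fullchain.pem = cert.pem + chain.pem
make_sample_pems() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/ca.key" -out "$d/chain.pem" -subj "/CN=Example Test CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/chain.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# make_p12 DIR OUT PASSFILE: the conversion from the post, with three changes:
#  - chain.pem instead of fullchain.pem for -certfile, so the leaf is not
#    stored twice (fullchain.pem already contains cert.pem);
#  - the password is read from a file instead of the command line, where
#    `ps` and shell history would expose it;
#  - the key and cert bags use PBE-SHA1-3DES and a SHA-1 MAC, which older
#    PKCS#12 importers accept, instead of OpenSSL 3's AES/PBKDF2 default.
make_p12() {
  openssl pkcs12 -export \
    -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
    -name "letsencrypt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "file:$3" -out "$2"
}

# count_certs P12 PASSFILE: number of certificates stored in the bundle.
count_certs() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# key_matches P12 PASSFILE PRIVKEY: succeeds when the private key inside the
# bundle is the same key as PRIVKEY (compared through their public halves).
key_matches() {
  inside=$(openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null)
  outside=$(openssl pkey -in "$3" -pubout 2>/dev/null)
  [ -n "$inside" ] && [ "$inside" = "$outside" ]
}

# Stand-alone demo: build a bundle from the constructed PEMs and report on it.
demo() {
  d=$(mktemp -d)
  make_sample_pems "$d"
  ( umask 077; printf 'sample-export-password' > "$d/pass.txt" )
  make_p12 "$d" "$d/letsencrypt_sslcert.p12" "$d/pass.txt"
  echo "certificates in bundle: $(count_certs "$d/letsencrypt_sslcert.p12" "$d/pass.txt")"
  key_matches "$d/letsencrypt_sslcert.p12" "$d/pass.txt" "$d/privkey.pem" \
    && echo "private key in bundle matches privkey.pem"
  rm -rf "$d"
}

demo
```

On a real certbot tree, point make_p12 at /etc/letsencrypt/live/your_domain_name.tld (run as root, since privkey.pem is not world-readable) and keep the resulting .p12 and the password file as tightly permissioned as the key itself: the bundle is the private key, just in a different wrapper. If the importer on the macOS side still refuses the file, re-run the export with only the -keypbe/-certpbe/-macalg flags changed before suspecting the certificates themselves.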
