About Profile manager renew code signing cert

I am using the profile manager service in Mac OS X 10.7 Server.
My code signing cert just expired, and the serial no. is 1. So I followed the Apple guide to renew the cert in Terminal:
ipad:~ test$ sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "ipad.example.com" "IntermediateCA_IPAD.EXAMPLE.COM_1" 1
/usr/sbin/certadmin Cannot find the certificate: ipad.example.com
I can renew another one successfully, but only this one cannot be renewed. I don't know why (maybe related to the serial? too short?)
Does anyone know how to solve it?
Thank you very much
BTW, is there any method to generate the cert for 10 years, or to renew the cert without re-enrolling the devices? I don't want to renew the cert every year and ask users to enroll again.

Similar Messages

  • Argh! Profile Manager and Code-Signing of profiles

    I am setting up Profile Manager in Mavericks with Server.app 3.0.1.
    I have DNS correctly setup, I have created an OD Master for Profile Manager, Profile Manager is running and network users can login and I can setup profiles. I also have the https site working properly for clients although that needed some help.
    We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates, and one for signing codesigning certificates. On my server I have installed the rootCA, and the intermediate CAs and of course the server SSL certificate itself. As mentioned initially I had a problem with the https site on the server and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)
    As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates: it turned out that of the four files for the server certificate, i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem, the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache, and clients now get the full chain and can therefore trust the https site.
    My problem now is with the codesigning certificate; this also has been self-signed, this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However, when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.
    I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates but this did not help. I am currently stuck, any suggestions from anyone?
    Thanks.

    I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.
    Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.
    I DO NOT have the Code Signing Certificate in my keychain created when OD was created.
    I DO have the four code signing certificate files:
    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem
    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem
    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem
    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem
    Furthermore, when I search my System keychain passwords for <UUID hash>, I see that I have the password that decrypts these pem's, e.g. via the openssl command
    openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'
    What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?
    I am stuck.

  • Profile Manager - no code signing certificate?

    I'm starting with a clean install of Lion Server. DNS is on an Xserve running Leopard Server.
    - CA signed certificates in place
    - DNS working fine
    - I create an OD Master (I've done this through Server.app, Server Admin and from hitting the "configure" button in Profile Manager, which triggers building an OD Master), and when the OD Master is built, an OD-based CA is created along with an OD-based intermediate certificate, but (and this is my problem) the OD-based code signing certificate is never produced, thus I don't have a code signing certificate to select when trying to enable "sign configuration profiles".
    This is driving me insane. Anyone know why the code signing certificate isn't being generated?
    Thanks,
    Kristin.

  • On Mountain lion Server, renewing profile manager's code signing certificate

    Hello,
    I followed the article HT5358 and I always get this error: certadmin Cannot find the certificate: Certificat de signature de code myserver.domain.fr.
    Can somebody help me?!
    Thanks !!!

    Hello!
    I just solved my problem - I read the KB article again and there it says
    "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
    Maybe it is the same with your problem.
    Bye,
    Christoph

  • InCommon Code Signing Cert not working in Profile Manager

    We acquired a Code Signing Certificate from InCommon for signing profiles, and it doesn't want to work with Profile Manager.
    In the Certificates section we have our working SSL cert for the web server, and self-signed SSL and Code Signing certs.
    When I try to import the p7s file it lists four non-identity certificates and then says that it can't be used as a code signing certificate. 
    Has anyone ever managed to get an InCommon code signing cert to work with OSX Server?

    Hello,
    In RFC SAP-OSS, i maintained my S-user id and its password.
    As already told my router connectivity and   SAPOSS rfc working fine.
    regards
    Vinayag.K.C

  • Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

    Steps to fix this error on code signing adobe air using .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
    a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
    b. On the middle of the page, download -
    DigiCert Assured ID Code Signing CA-1
    Valid until: 10/Feb/2026
    Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
    Thumbprint: B170A10819BEA936905D719E643399783E1F4567
    Download
    c. Install the cert in Firefox
    d. Once done, export the code signing cert from Digicert again (click Firefox -> Preferences -> View Certificates -> Highlight the Digicert code signing cert -> click Backup)
    e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
    Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
    Regards,
    Reigner S. Yrastorza

    Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
    If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
    If you are using RoboHelp, which version?
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • SSL/Code Signing Certs. Vanished!?!?

    Ever since I upgraded to OS X 10.10 and OS X Server 4 I have been experiencing random problems. 2 days ago my server alerted me saying there were no valid certificates, and it's falling back to a fallback SSL certificate. I have no idea what happened. I went to my Keychain Access and I have all certificates listed. I am not too familiar with OS X Server; I've only had it since June 2014. I have tried to create certificates and Server tells me it fails. Also since the upgrade I have felt my Open Directory has been acting up. I say this because network users are not showing up on any computers anymore. I can't turn on Profile Manager anymore. I have no code signing certificates either. Also ever since the upgrade I haven't been able to access websites outside of my network. I also couldn't add them to the access. Some services are only available at .local, some are available at my ISP IP, and some are available at my FQDN... I don't understand what has happened since the upgrade as I felt everything went fine. Oh, and also since the upgrade, it doesn't look like my server has been backing up, which really ****** me off! Any help will be most helpful.

    Unfortunately, I don't exactly have an answer, but for what it's worth: This happened to me as well after I removed an existing OD Master from my Server after I upgraded to Server v4 and OD was behaving badly. After I destroyed the OD, suddenly the certificate was just deleted from /etc/certificates as well as the System keychain – although it was configured to secure all other services as well!
    I wasn't able to import the files from a Time Machine backup either, since I didn't export them to .pk12 before. You might have luck with reimporting your certificates from a backup (path/to/tm-backup-HDD-root/etc/certificates/your-server-hostname.longstringgibberish.pem-or-key) using the command in this thread: http://superuser.com/a/846313 (original answer: http://stackoverflow.com/questions/8874164/export-public-key-from-keychain-access/11979625#11979625)
    BUT: They only talk about importing certs you previously exported with Keychain, so I don't know if it'll work with the files from /etc/certificates.
    So a piece of advice for the future: Before upgrading/updating your Server, export your SSL certificates to .pk12 so you can re-import them to the System keychain. I ended up restoring the Server from a backup from 2 hours before the certs vanished – which produced a whole lot of other problems. Upgrading to Server v4 seems as buggy as previous upgrades …
    /EDIT
    I just re-read your post, and if the certs are still showing up in your System keychain (not the login!), this might do the trick already: OS X Server: Access Controls might prevent a certificate identity from working with Server services - Apple Support

  • Few questions about Profile Manager

    As far as I know, Profile Manager will install the following profiles on the enrolled iPad.
    - Trust Profile > Code Signing Certificate
    - Remote Management > Device Management Identity Certificate
    But the validity of the above certificates is just 1 year by default.
    My questions are:
    1. Is there any way to regenerate the certificate for 10 years? I don't want to re-enroll the iPad every year.
    2. The validity period of the Device Management Identity Certificate is "The date of enrollment" to "The date of enrollment + 1 year". (e.g: 1/6/2012 - 1/6/2013) I would like to know, if this certificate expires, what will happen?

    Well, I know this is an old thread but did you ever find out? Mine expired and everything stopped working. Couldn't push any settings or update device info. I got a button dialog on the profile in Settings saying "This profile has expired. Update this profile for a newver version. [Update Profile]" - which didn't work. I ultimately re-enrolled, but I could imagine it being a nightmare to re-enroll a large number of devices.

  • Mac C++ tool verifying code signing cert / signature

    I have a command line tool I have code signed using the "codesign" tool. Using its -vv option it verifies that my code is indeed signed. Now here is my problem: it doesn't tell me who signed it, i.e. the name on the cert and stuff like that. To complicate matters even further, I wish to be able to do this from a C++ application. I want to look at a binary file, see that it is signed, and signed by us. As a security measure I would like to only allow our application to update if the new files are signed by us. I am having trouble locating any API which deals with this. In the Windows world there is an obscure API that allows me to do this. I do not even know if such an API system exists in the Apple world since code signing is brand new, introduced in 10.5.
    In addition to some API help, is there a way to simply get information about who signed an executable? (On Windows you just right-click and pick Properties and you can get all sorts of information about the digital signature.) Is there something like this on a Mac?
    Thanks for any help I can get.

    Why would I do that?  I simply want to know, is the binary file I downloaded signed by with MY cert?  I can determine this within reasonable doubt by answering two simple questions:
    1.  Is the cert that this file signed with valid (chain of trust and all that).
    2.  What is the name of the cert (the identity).
    If the Identity is the right one (in our case, the name of our company) and it is valid, then I will trust that this binary is ours.
    Maybe this will clarify my question. I guess I could rephrase this question as:
    "How do I write a simple tool that will verify a file has a valid signature and will give me the signer's identity"?

  • Cannot renew code signing certificate - maybe bug with german Umlaut?

    Hello!
    For one month I have been getting a message that I should renew my code signing certificate, and today I thought it is time to stop this message.
    Because I could not find anything about renewing the certificate in Mountain Lion I used the KB article that describes the process for Lion.
    http://support.apple.com/kb/HT5358
    after that I get this in at my terminal:
    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'myserver.domain.de Signierungszertifikate für Code' 'IntermediateCA_MYSERVER.DOMAIN.DE_1' 7D3E2458
    when I press return I get this:
    /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: myserver.domain.de Signierungszertifikate für Code
    I checked it again and again - I cannot find any typo or something like that - so maybe Mountain Lion wants to renew the certificate in a different way or certadmin cannot cope with German "Umlaute" - "für" - in English "for" - but I did not give it this name; it was given by the system when I set up the server one year ago.
    Every hint is welcome, bye
    Christoph

    I am stupid - I read the KB article again and there it says
    "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
    I retyped the command with lower case hex numbers and everything was fine
    Bye,
    Christoph
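
The fix reported in this thread (certadmin answers "Cannot find the certificate" until the hexadecimal serial is typed in lower case), as an added shell example that is not part of the original posts or of Apple's article: it normalises a serial as printed by `openssl x509 -serial` and prints the renewal command for review. The function names are made up for this example; the certadmin path, option, certificate names and serial are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example (not from the original posts): put a certificate serial
# into the lower-case hex form that the renewal command in this thread needs.

# normalize_serial INPUT
# Accepts "serial=7D3E2458" (openssl x509 -serial output), "0x7D3E2458",
# "7D:3E:24:58" or a bare value. Prints lower-case hex; fails on anything else.
normalize_serial() {
    s=$1
    s=${s#serial=}              # drop the openssl "serial=" prefix
    s=${s#0x}; s=${s#0X}        # drop a leading 0x / 0X
    s=$(printf '%s' "$s" | tr -d ': \t' | tr 'A-F' 'a-f')
    case $s in
        ''|*[!0-9a-f]*)
            echo "not a hex serial: $1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$s"
}

# serial_from_pem FILE
# Reads the serial straight from a PEM certificate so it is never retyped.
serial_from_pem() {
    normalize_serial "$(openssl x509 -noout -serial -in "$1")"
}

# renew_command CERTADMIN SUBJECT ISSUER SERIAL
# Prints (does not run) the renewal command so it can be checked first.
# Assumption: SUBJECT and ISSUER contain no single quotes.
renew_command() {
    serial=$(normalize_serial "$4") || return 1
    printf "sudo %s --recreate-CA-signed-certificate '%s' '%s' %s\n" \
        "$1" "$2" "$3" "$serial"
}

# Demo with the values quoted in the post above (upper-case serial as typed).
renew_command \
    /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin \
    'myserver.domain.de Signierungszertifikate für Code' \
    'IntermediateCA_MYSERVER.DOMAIN.DE_1' \
    7D3E2458
```
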

  • Renew code signing certificate

    I just wonder if there is any article about code signing with renewed certificate.  My Thawte certificate will expire soon. Let's say I renew it now and get the new certificate. My air app can update itself automatically when newer version is found. My question is, will my air app (older version signed with the old certificate) update successfully to the newer version (signed w/ renewed certificate)?

    You should use Migration feature to connect both versions of app.
    You can read Oliver's blog here:
    http://blogs.adobe.com/simplicity/install-update/

  • How to generate csr for third party code signing cert?

    I've been reading about code signing, but can't see how to generate a csr to use with a third party CA. Does someone have a tutorial, link, suggestion?

    Hi,
    Here is a document which discusses how to implement code signing using a third-party certificate, for your reference:
    http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc
    For further suggestions, it is recommended that you get further support in the MSDN Forum so that you can get the most qualified pool of respondents.
    http://social.msdn.microsoft.com/forums/en-US/categories/
    Thanks
    Tiger Li 

  • Adobe Pro 11.0.10 patch has expired code signing cert

    I can not patch my Adobe 11.0.0 installation to 11.0.10 using the automated process.
    I manually downloaded 11.0.10 from this location: http://ardownload.adobe.com/pub/adobe/acrobat/win/11.x/11.0.10/misc/AcrobatUpd11010.msp
    The MD5 of this MSP per my own check is 4cb5979f49bc5112731da0cce036ac66, while the SHA1 is 8b4130df183f69ab77f9f6748f2e535be5d3336e.
    This download is signed with a code signing certificate issued by Symantec Class 3 Extended Validation Code Signing CA.  The signature has a thumbprint of 111aa9b0c6da43594bb2ad3052567c12ef8d9607.  This certificate expires later this year.
    During the install I receive an error because it extracts a file to c:\config.msi which is code signed with a code signing certificate issued by Verisign Class 3 Code Signing 2010 CA.  The certificate has a thumbprint of 70d566df844f3e2d9ac31e518256e7b6f2de9272.  The certificate expired 9/20/2013.  Today is 5/4/2015.  The install fails on this file.
    The certificate thumbprint for the Verisign Class 3 Code Signing 2010 CA intermediate authority is 495847a93187cfb8c71f840cb7b41497ad95c64f.   This itself is signed by VeriSign Class 3 Public Primary Certification Authority - G5 having a thumbprint of 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5.
    The failing file with the invalid code signing certificate has an MD5 checksum of bddf785233f9d2b3ae43d72822fb74bc and SHA1 of 78e7e15c8baea3c6befc7336d153254777912bd4.  This appears to be amtlib.dll which is part of Adobe AMT Licensing.   These hashes are available on services such as Virus Total and Herd Protect.
    Would it be possible for Adobe to release a 11.0.11 patch that has this issue fixed?  
    Thank you,
    Edwin Davidson.

    Back up all data.
    Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and this support article for instructions. If Font Book finds any issues, resolve them.
    From the application's menu bar, select
    File ▹ Restore Standard Fonts...
    You'll be prompted to confirm, and then to enter your administrator login password.
    Start up in safe mode to rebuild the font caches. Restart as usual and test.
    Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a Fusion Drive or a software RAID, you can’t start in safe mode. In that case, ask for instructions.
    Also note that if you deactivate or remove any built-in fonts, for instance by using a third-party font manager, the system may become unstable.

  • JWS gives 'failed to parse certificate' error for VALID code sign cert

    Hi,
    For my application, After downloading jar files from web server, JWS (1.2.0_02) gives a Security Warning asking user to trust the Signer.
    However, after clicking Start, it gives another Security Warning which says this:
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
    STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
    Sign App jar files with a VALID code signing certificate from Thawte or Verisign (don't use DST or RSA or any other CA as JWS supports only Verisign/Thawte root CA entries by default).
    Download the app using JNLP, and you will see this warning.
    EXPECTED -
    It should not give the second security warning. First one is fine as user has to trust the signer.
    There are no logs anywhere to find out what error it encountered parsing the certificate.
    The certificate as such is valid, it was verified with keytool, openSSL and various other tools.
    ACTUAL -
    After downloading an application from web server, JWS gives a Security Warning asking user to trust the Signer.
    However, after clicking Start, it gives another Security Warning which says this:
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
    ERROR MESSAGES/STACK TRACES THAT OCCUR :
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.

    Hello,
    I had the same problem. Here are some additional things to check:
    - every jar in your app MUST be signed by ONE and ONLY ONE certificate.
    - every jar which is presigned should be checked on its own. I had a bad bcprov.jar which nearly drove me nuts. Maybe there are more such 'presigned' jars around.
    One recipe aside:
    Try halving the jars in your jnlp file further and further, until it runs again, then you'll probably find the jar which causes this. I would bet on a specific jar.
    There's another Bug already known which makes JWS fail on checking the certs on jars with classes which have national characters (even Inner ones!). So you might be checking that, too.
    Hope that helps...
    Patric

  • Renew code signing certificate mountain lion server

    Hello to all
    Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
    We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
    So it's really critical not to re enroll all devices .
    Is there any way to do this?
    Thank you for your help.

    When I put this in I am just getting the following response
    Usage: certadmin
        --get-private-key-passphrase [path]    
          Retrieve the passphrase for the private key at [path] from the keychain
        --default-certificate-path
          Retrieve the full path for the default certificate
        --default-certificate-authority-chain-path
          Retrieve the full path for the default certificate authority chain
        --default-private-key-path
          Retrieve the full path for the default private key
        --default-concatenation-path
          Retrieve the full path for the default certificate + private key concatenation
        --create-default-self-signed-identity
          Creates a default self signed identity (certificate + private key) using the hostname
        --recreate-self-signed-certificate subject serial_number
          Recreate an existing self signed certificate
        --recreate-CA-signed-certificate subject issuer serial_number
          Recreate an existing certificate signed by an OpenDirectory CA
    Where you have "192173c1c", is this meant to be the serial number?
