Cannot renew code signing certificate - maybe bug with german Umlaut?

Hello!
Since one month I expierence a message that I should renew my code signing certificate and today I thought it is time to stop this message.
Because I could not find anything about renewing the certificate in Mountain Lion I used the KB-article that discribes the process for Lion.
http://support.apple.com/kb/HT5358
after that I get this in at my terminal:
sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'myserver.domain.de Signierungszertifikate für Code' 'IntermediateCA_MYSERVER.DOMAIN.DE_1' 7D3E2458
when I press return I get this:
/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: myserver.domain.de Signierungszertifikate für Code
I checked it again and again - I cannot find any typo or something like that - so maybe Mountain Lion wants to renew the certificate in a different way or certadmin cannot cope with german "Umlaute" - "für" - in english for - but I did not gave this name it was given by the system when I setup the server one year ago.
Every hint is welcome, bye
Christoph

I am stupid - I read the KB article again and there it says
"When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
I retyped the command with lower case hex numbers and everything was fine
Bye,
Christoph

Similar Messages

  • Renew code signing certificate mountain lion server

    Hello to all
    Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
    We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
    So it's really critical not to re enroll all devices .
    Is there any way to do this?
    Thank you for you help.

    When I put this in I am just getting the following response
    Usage: certadmin
        --get-private-key-passphrase [path]    
          Retrieve the passphrase for the private key at [path] from the keychain
        --default-certificate-path
          Retrieve the full path for the default certificate
        --default-certificate-authority-chain-path
          Retrieve the full path for the default certificate authority chain
        --default-private-key-path
          Retrieve the full path for the default private key
        --default-concatenation-path
          Retrieve the full path for the default certificate + private key concatenation
        --create-default-self-signed-identity
          Creates a default self signed identity (certificate + private key) using the hostname
        --recreate-self-signed-certificate subject serial_number
          Recreate an existing self signed certificate
        --recreate-CA-signed-certificate subject issuer serial_number
          Recreate an existing certificate signed by an OpenDirectory CA
    where you have "192173c1c is this meant to be the serial number?

  • Renew code signing certificate

    I just wonder if there is any article about code signing with renewed certificate.  My Thawte certificate will expire soon. Let's say I renew it now and get the new certificate. My air app can update itself automatically when newer version is found. My question is, will my air app (older version signed with the old certificate) update successfully to the newer version (signed w/ renewed certificate)?

    You should use Migration feature to connect both versions of app.
    You can read Oliver's blg here:
    http://blogs.adobe.com/simplicity/install-update/

  • Keychains bug with german umlaut

    Recently i found a strange behavior within keychains. If the name of a keychain contains a german umlaut e.g "geschäftlich" i'm not able to activate sync keychain with .mac. i set the marker at "sync keychain with .mac" and click save. When i open the keychain settings again the dotmac setting is again NOT enabled and the keychains don't get synced.
    If i make a new keychain "geschaeftlich" which contains the same items as "geschäftlich" everything works fine.
    As far as i remember keychains worked with "umlaute" until at least 10.5.2

    Probably one of many issues with the transition to MobileMe. I'd file a bug.

  • Missing Code Signing Certificate in Profile Manager

    Hi everyone,
    Firstly, I'm not a professional and managing a server isn't in my skill set.  I have an old Mac mini running the Mavericks server to dabble with.
    Recently, the code-signing certificate (I assume self-signed) disappeared from Profile Manager for the option to "Sign configuration profiles" – no idea why, and I'm struggling to get it back, it just doesn't appear in the drop down.
    Under "Certificates" in Server.app, and within Keychain Access; it's still in the system and can be seen, where there are two of them.
    I've tried renewing both of these through Server.app to see if that would be a quick fix, but nothing.
    Could someone advise me on how to create a new verified code signing certificate for use with profile manager?
    Kind regards,
    Jamie

    Tried again.  Destroyed OD and recreated – code signing appears.  Reboot machine, code signing disappears.
    I tried exporting out the Code Signing Cert before rebooting the machine and reimporting after it disappears only to get "This profile cannot be used to sign profiles".
    Any idea what could be breaking the code-signing on reboot? Really bizarre.

  • Document signing requires code signing certificate

    Prior to applying update 11.0.9 we could use more certificates to sign Reader Document.  Now only Code signing certificates or ones with All Purposes work.
    Our users do not have Code Signing certificates or ones with all purposes.
    What changed?  And how do I get my original certifcates working again for signing?

    Hello Jeff,
    The behavior change you've noticed with your certificates in version 11.0.9 is not a bug.
    In version 11.0.9, Adobe introduced changes in the way digital certificates are filtered for signing.
    The changes were made in order to align certificate use more closely with the spec, RFC 5280.
    Starting in version 11.0.9, Acrobat/Reader filter off of the extended key usage (EKU) extensions in addition to the Key Usage (KU) extensions.
    The certificate you mention with the EKU extension OID (1.3.6.1.4.1.311.10.3.12) is purposely filtered out.
    Starting in version 11.0.9, certificates that are available for signing must have a Key Usage extension of digitalSignature or nonRepudiation. Or no KU extension.
    If an EKU extension is present, it must have a value of emailProtection or codeSigning or anyExtendedKeyUsage (OID 2.5.29.37.0).
    These changes are not present in the current release of Acrobat/Reader X 10.1.12.
    Documentation on this topic is not yet available.
    Regards,
    Charlene

  • Code-signing Certificate Provider for Mavericks Server?

    Our Digicert Code Signing Certificate [which worked fine in Mountain Lion Server but doesn't work in Mavericks Server no matter what I try] is about to expire, and I'm wondering if anyone could recommend a vendor whose code-signing certificates definitely work with Mavericks Server?

    I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
    Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
    In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
    If you have already imported it via Keychain Access just delete it from your Keychain and try again.
    With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

  • Code-signing Certificate Renew issue

    We recently renewed our Verisign code-signing certificate, only to discover that it breaks the auto-update process with the notorious error "This application cannot be installed because this installer has been mis-configured." We were able to make it work by using the ADT -migrate command. That is all well and wonderful. But there are two issues I see. First, there is a 180 day cut-off, beyond which users can no longer be updated. Then, when our certificate gets renewed again next year we might be stuck in a situation where we have to choose which users get to be updated and which are orphaned and are forced to uninstall/re-install.
    Furthermore, how much of this pain we have to live with becomes a function of how long a certificate we are willing to pay for. If we're a small company forking out the money for a 3 year certificate might be kind of painful. Why should this be a factor? Why is it not straight-forward to renew the same certificate and have installations back to the beginning of time be alright with it?
    It could be there is something about the renewal process that is not right. However, when I renewed my Verisign cert their process pretty much forced me to keep everything about the renewed cert the same as the original, otherwise it would not be a 'renewal'.
    If there is an arcane trick we are missing I would be most appreciate to know what it is. This should not be this difficult.
    Thanks
    Kevin

    Hi Kevin,
    I've asked around and learned that the process as you describe is "as designed".  However, there are stratigies for minimizing the downsides.
    For more information, please see the following documents:
    AIR 2.6 Extended Migration Signature Grace Periods
    Update Strategies for Changing Certificates
    Update Your Applications Regularly
    Code Singing in Adobe AIR
    Hope this helps,
    Chris

  • Renew my code sign certificate?

    I run a Mavericks server that serves profile manager, file, and time machine services. My code sign cert expires in a couple weeks. When you go into Server.app > Certificates and double click on it, there isn't a "Renew" button like there is for other certs I've renewed.
    How would I renew this? And what impact would it have on my running services (ie. would I have to re-enroll everyone in profile manager)? Thank you.

    Does OS X Server: Renewing Profile Manager's code signing certificate - Apple Support help?

  • Signing a package with .pfx code signing certificate

    Hi,
    I've got a code signing certificate (.pfx) from GlobalSign and tried to sign my extension package.
    I used the ZXPSignCmd tool and got the following response:
    Unable to build a valid certificate chain. Please make sure that all certificates are included in the certificate file.
    The necessary certificate chain is installed on my system (Windows 7):
    My code signing certificate,
    the certificate from GlobalSign the signed my certificate
    and the GlobalSign root certificate that signed it.
    The OpenSSL info output for the certificate looks fine too:
    MAC Iteration 2000
    MAC verified OK
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
    Certificate bag
    Certificate bag
    Certificate bag
    On the other hand signing other files with the Windows SDK Signtool works and results in a correct certificate chain (visible in the file's details).
    Any idea what I might be doing wrong?
    Regards
    Philipp

    Hi Philipp,
    No, it doesn't matter - using Certificate Manager should also have worked.
    I don't think the issue is that the wrong root certificate has been chosen, otherwise we'd be seeing a different error. In the PEM file you exported, I would expect to see several certificate sections, each starting with BEGIN CERTIFICATE and ending with END CERTIFICATE. Just above each certificate's "BEGIN CERTIFICATE" line should be "subject" and "issuer" - the last certificate (at the bottom of the PEM file), should have your personal certificate name as the subject. Then, working upwards, each certificate should have an "issuer" which matches the "subject" of the certificate above it.
    The first certificate in the PEM file should have the same value for "subject" and "issuer" - identifying the certificate authority's root certificate.
    Also in the PEM file I'd expect to see a section "BEGIN RSA PRIVATE KEY"...."END RSA PRIVATE KEY".
    Does this all match what you're seeing?
    Assuming your PEM file looks OK, you could try using OpenSSL to convert it to PKCS12 format, using the command:
    openssl pkcs12 –export –in my_pem_file.pem –out my_pkcs12_file.p12
    Also, please ensure that you're using only ASCII characters in your P12 password, just in case that's causing problems.
    Best regards,
    Fraser

  • Code Signing Certificate Renewal for Profile Manager

    Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year.  In one month our Code Signing Certificate will expire on ALL of those devices.  I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.
    How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

    After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
    Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
    Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
    If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
    {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

  • Thawte code signing certificate problem

    Hi everyone!
    I wonder if someone here could help me out a little bit?
    I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have mac). So I used my default browser Safari. And now I can´t find any instructions how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it´s too late. I have to use same browser I have used earlier.
    I send this answer to Thawte too, but I´m not sure when they answer...

    Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
    See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
    I haven't tried it, but maybe you can import the certificate into Firefox and then re-exported it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

  • Configuration Profile Code-Signing Certificates

    Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
    I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
    How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.
    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

  • "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.]" for brand new, vanilla Mac App

    In OS X Maverick's XCode, I created a brand new Mac > "Cocoa Application", with Core Data and Spotlight Importerl; about as vanilla a Cocoa application I could muster. 
    Under Preferences > Accounts, I signed in to my Mac Developer Account.
    In Targets > Identity, I set Signing to "Mac App Store", and was able to select my Mac Developer Account for "Team".
    I then went to Product > Clean, and then Product > Build for... > Running, and then Produt > Archive.
    In the Organizer, I select the resulting .app and click "Validate", and hit the Mac App Store radio, and hit "Next", and it's able to log into my Mac Developer Account.
    I select my Provisioning Profile in the dropdown, and click "Validate".
    It comes back with several errors:
    1 - "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.] For more information, visit the Mac OS Developer Portal."
    2 - "The bundle identifier cannot be changed from the current value, '{DIFFERENT-BUNDLE-FROM-OTHER-PROJECT}'.  If you want to change your bundle identifier, you will need to create a new application in iTunes Connect.
    3 - Invalid Code Signing Entitlements.  The entitlements in your app bundle signature do not match the ones that are contained in the provision profile.  The bundle contains a key that is not included in the provisioning profile: 'com.apple.applications-identifier' in '{BUNDLENAME}.app/Contents/MacOS/{BUNDLENAME}'
    I was able to do the same process before, for a vanilla app, before Mavericks.  I'm not sure if this is a Mavericks error, or a fact that now I have multiple app projects.  Particularly odd is that DIFFERENT-BUNDLE-FROM-OTHER-PROJECT in error (2) is not the same bundle name as the current project's bundle.
    Would love any help you can provide!  Thank you!

    Seen this thread?
    New codesign behavior, --deep option 
    "Code signing has some interesting changes in Mavericks (that apparently haven't made it into the release notes yet...). Note that this is a change to the operating system, not to the devtools."

  • How to use Java code signing certificate in oracle 11i

    Hello,
    I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
    I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
    how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
    could you please give me some advice on it?
    Thanks
    Prince

    Hussien,
    I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting  warning error
    adogif() unable to generate Jar Filers under JAVA_TOP.
    executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
    Error JarSigner subcommand Exited With status 1.
    No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)         at java.security.AccessController.doPrivileged(Native Method)         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)         at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner.  Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output:   oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ...   About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
    Please let me know if you have any idea. Thanks Prince

Maybe you are looking for