Code-signing Certificate Renew issue

Similar Messages

• Code Signing Certificate Renewal for Profile Manager

  Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year.  In one month our Code Signing Certificate will expire on ALL of those devices.  I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.
  How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

  After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
  Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
  Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
  If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
  {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

• Symantec code signing certificate

  Hi,
  I have 2 registred domain
  1.abc.com
  2.abc.co.in
  Both the domains are verified in my Intune portal . Now I  have plan enrol winodows mobile ,
  can i need pruchease 2 symantec code signing certificate or 1 certificate is enough ??

  Code Signing Certificate is issued to Company and it can be used on any application.
  So you only need to purchase 1 code signing certificate.

• Adobe code signing certificate revocation and SCCM

  We have many install packages for different Adobe products in SCCM 2007 but nothing that would have been obtained or downloaded from Adobe since July 10, 2012.  Does that mean we don’t have to do anything?  Is that a correct interpretation of your statements about the Adobe code signing certificate revocation issue?

  Yes.  That's correct.

• Renew code signing certificate mountain lion server

  Hello to all
  Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
  We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
  So it's really critical not to re enroll all devices .
  Is there any way to do this?
  Thank you for you help.

  When I put this in I am just getting the following response
  Usage: certadmin
      --get-private-key-passphrase [path]    
        Retrieve the passphrase for the private key at [path] from the keychain
      --default-certificate-path
        Retrieve the full path for the default certificate
      --default-certificate-authority-chain-path
        Retrieve the full path for the default certificate authority chain
      --default-private-key-path
        Retrieve the full path for the default private key
      --default-concatenation-path
        Retrieve the full path for the default certificate + private key concatenation
      --create-default-self-signed-identity
        Creates a default self signed identity (certificate + private key) using the hostname
      --recreate-self-signed-certificate subject serial_number
        Recreate an existing self signed certificate
      --recreate-CA-signed-certificate subject issuer serial_number
        Recreate an existing certificate signed by an OpenDirectory CA
  where you have "192173c1c is this meant to be the serial number?

• Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

• Renew my code sign certificate?

  I run a Mavericks server that serves profile manager, file, and time machine services. My code sign cert expires in a couple weeks. When you go into Server.app > Certificates and double click on it, there isn't a "Renew" button like there is for other certs I've renewed.
  How would I renew this? And what impact would it have on my running services (ie. would I have to re-enroll everyone in profile manager)? Thank you.

  Does OS X Server: Renewing Profile Manager's code signing certificate - Apple Support help?

• Cannot renew code signing certificate - maybe bug with german Umlaut?

  Hello!
  Since one month I expierence a message that I should renew my code signing certificate and today I thought it is time to stop this message.
  Because I could not find anything about renewing the certificate in Mountain Lion I used the KB-article that discribes the process for Lion.
  http://support.apple.com/kb/HT5358
  after that I get this in at my terminal:
  sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'myserver.domain.de Signierungszertifikate für Code' 'IntermediateCA_MYSERVER.DOMAIN.DE_1' 7D3E2458
  when I press return I get this:
  /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: myserver.domain.de Signierungszertifikate für Code
  I checked it again and again - I cannot find any typo or something like that - so maybe Mountain Lion wants to renew the certificate in a different way or certadmin cannot cope with german "Umlaute" - "für" - in english for - but I did not gave this name it was given by the system when I setup the server one year ago.
  Every hint is welcome, bye
  Christoph

  I am stupid - I read the KB article again and there it says
  "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
  I retyped the command with lower case hex numbers and everything was fine
  Bye,
  Christoph

• Renew code signing certificate

  I just wonder if there is any article about code signing with renewed certificate.  My Thawte certificate will expire soon. Let's say I renew it now and get the new certificate. My air app can update itself automatically when newer version is found. My question is, will my air app (older version signed with the old certificate) update successfully to the newer version (signed w/ renewed certificate)?

  You should use Migration feature to connect both versions of app.
  You can read Oliver's blg here:
  http://blogs.adobe.com/simplicity/install-update/

• Code Signing certificate expired

  Hello,
  I please need an information about SGDEE 4.1 login applet: it seems
  applet code signing certificate was expired on September 2, 2005.
  I have no problem (after I deleted all expired root certificates from
  local client repository) with Internet Explorer 6SP1, but Mozilla Firefox
  always prompt me a warning with this contents:
  Serial:     
  [62374265099632433790334794162326322759]
  Issuer:
  N=VeriSign Class 3 Code Signing 2001 CA,
  OU=Terms of use at https://www.verisign.com/rpa (c)01,
  OU=VeriSign Trust Network,
  O="VeriSign, Inc."
  Valid From: Wed Sep 01 02:00:00 CEST 2004,
  To: Fri Sep 02 01:59:59 CEST 2005
  Subject:
  CN="Tarantella, Inc.",
  OU=Digital ID Class 3 - Netscape Object Signing,
  O="Tarantella, Inc.",
  L=Santa Cruz,
  ST=California,
  C=US
  Thank you very much in advance,
  Best Regards,
  Valerio Morozzo

  I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.
  But now, we obtained a commercial AIR signing certificate from Thawte and the process failes in step 3) ADT saying
  'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.
  On mac, it says that signing native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.
  I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of application results in "Installer mis-configured' error message - the same error as if the migration process was not applied.
  I already contacted Thawte if it is a certificate issue, reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate the whole process seem to succeed. The application can be installed on machines without previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.
  I want to mark out again, that the same process but with a self signed certificate created with ADT, is successfull and the application can be installer as an update on machines with older version of the app. So I assume the workflow is correct.
  Any ideas? Or somebody having the same issue?
  Thanks

• A PKI Code Signing Certificate question.

  Hello,
  Can someone please help me with the following question.
  I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
  what I did.
  1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
  2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
  3: Took the came certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store the PC that will be running the signed code. This step was done so the user does not receive
  a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the
  way I sorted this at the time was to take the whole certificate as above and import to this store.
  The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? in other words should I have imported the certificate 'minus its
  private key' into the trusted publishers store?
  Also, I understand you have to have the certificate along with is private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example),
  is that correct i.e. is that what it mean to sign code?
  if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value.
  Is this correct?
  My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  if the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean which every computer I logon to in the domain I would
  have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense can this be done/is this done?
  Basically I need to understand the above, in order to understand more about Crypto.
  I also need create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating and AD account called 'XYZCorpCodeSigning' or what ever, and issuing a code singing cert to this entity. If the private key could be stored
  in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
  I know there are several question above, but it would be great it they would be answered as I would help me understand more about how it all works and to solve a problem too
  Thanks very much
  AAnotherUser__
  AAnotherUser__

  > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
  yes, it is not correct. Only public part should be imported to a Trusted Publishers container.
  >  is that correct i.e. is that what it mean to sign code
  exactly. Encryption with private key and decrypting with public key is called "digital signature".
  > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same
  value. Is this correct?
  yes. Client uses only public part of the certificate to validate the signature.
  > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  normally code signing certificates are not stored in Active Directory and should not be there, because signing certificate is included in the signature field.
  > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
  this is wrong assumption. A user is responsible to protect signing private key from unauthorized use.
  > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
  wouldn't, because if something happens -- you will never know who compromised the key.
  as a general practice, we recommend to purchase at least few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who the only has access to a smart card
  (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with unique signing certificate to each developer. However this will add a complexity in signing certificate trust management.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Thawte code signing certificate problem

  Hi everyone!
  I wonder if someone here could help me out a little bit?
  I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have mac). So I used my default browser Safari. And now I can´t find any instructions how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it´s too late. I have to use same browser I have used earlier.
  I send this answer to Thawte too, but I´m not sure when they answer...

  Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
  See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
  I haven't tried it, but maybe you can import the certificate into Firefox and then re-exported it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

• Applocker and expired code signing certificates

  Is it possible to allow applocker to use expired code signing certificates for old applications ? 
  Thanks, Magnus
  Magnus

  Hi Magnus,
  >>Is it possible to allow applocker to use expired code signing certificates for old applications ? 
  As far as I know, we should be unable to do this. If a certificate is expired, it is no longer considered an acceptable or usable credential.
  Regarding this question, the following thread can be referred to as reference.
  AppLocker Issue in Windows 7
  https://social.technet.microsoft.com/Forums/windows/en-US/2c78848d-2601-40d2-99c0-9b5c23b735e4/applocker-issue-in-windows-7?forum=w7itprosecurity
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• NSUserDefaults stopped working after installing code sign certificates (?)

  The following code has worked fine in the iPhone simulator.
  NSUserDefaults *userDefaults = [NSUserDefaults standardUserDefaults];
  myFloat = [userDefaults floatForKey:@"myFloat"];
  myString = [userDefaults stringForKey:@"myString"];
  Today I installed the code signing certificates and all the updates necessary to deploy my code to a device. That part works fine, and I'm able to install and run my apps on the iPhone device.
  The problem is that the above code has stopped working. myFloat is now always 0.0 and myString is now always nil. If I go into the Settings app, my preferences UI is still there and I can change and persist the preference values. But my app no longer sees those values.
  I'm assuming this broke because of the changes related to code signing and device deployment, but I'm not sure since there is no way (?) to roll back those changes.
  Has anyone else encountered this problem?
  Thanks,
  Nick

  I have the same issue with SDK Beta 7, I can't get my preferences to persist (although in my case I'm not using the Settings app to alter settings). This is what I am doing:
  +(void) initialize
  NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
  NSDictionary *appDefaults = [NSDictionary dictionaryWithObject:@"YES" forKey:@"SomeValue"];
  [defaults registerDefaults:appDefaults];
  in initwithFrame:
  if ([[NSUserDefaults standardUserDefaults] boolForKey:@"SomeValue"]) {
  [[NSUserDefaults standardUserDefaults] setObject:@"NO" forKey:@"SomeValue"];
  } else {
  [[NSUserDefaults standardUserDefaults] setObject:@"YES" forKey:@"SomeValue"];
  and I synchronize in applicationWillTerminate. Settings just don't persist.

• Using code signing certificate results in classnotfoundexception

  We are running a certificate authority on windows 2012. Our programming section developed a java application on linux and wanted to code sign it. They created a csr and sent it to me. I created a duplicate of the built in code signing template and used it
  to create a code signing certificate, which I sent back to the programmer. He used the certificate to sign the application jar file, and everything seemed ok. But when we try running the application we get a 'classnotfoundexception' for the main class of the
  program. Just to be sure it was not a fluke I wrote a small test applet and went through the same procedure of creating a csr, creating the certificate, and code signing the jar file, and ended up getting the same exact error.
  The programmer tried creating a self signed certificate on linux and using that to code sign the jar file, and the program runs successfully. Of course there is a warning that the certificate is untrusted, which is why we ant to use the windows created certificate
  to sign the application since the root certificate in on everyone's computer.
  Is there anything special needed to be done to get  the windows created certificate to successfully sign a java application?

  Hi David, did you ever get it to work signing the applet with an Active Directory Certificate Services certificate?
  We are exeperiencing the same issue.  The odd thing is that after we get the ClassNotFoundException error, we click on the error and then click reload and then it loads fine.  At this point we are probably going to try purchasing a certificate
  to see if ADCS was the problem.  Curious to see if you had any luck.  Thanks.