Lion Server: Why is our Code Sign Certificate not accepted ?

Similar Messages

• Configuration Profile Code-Signing Certificates

  Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
  I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
  How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

  You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
  ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.
  ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

• Code Signing Certificate Renewal for Profile Manager

  Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year.  In one month our Code Signing Certificate will expire on ALL of those devices.  I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.
  How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

  After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
  Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
  Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
  If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
  {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

• Renew code signing certificate mountain lion server

  Hello to all
  Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
  We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
  So it's really critical not to re enroll all devices .
  Is there any way to do this?
  Thank you for you help.

  When I put this in I am just getting the following response
  Usage: certadmin
      --get-private-key-passphrase [path]    
        Retrieve the passphrase for the private key at [path] from the keychain
      --default-certificate-path
        Retrieve the full path for the default certificate
      --default-certificate-authority-chain-path
        Retrieve the full path for the default certificate authority chain
      --default-private-key-path
        Retrieve the full path for the default private key
      --default-concatenation-path
        Retrieve the full path for the default certificate + private key concatenation
      --create-default-self-signed-identity
        Creates a default self signed identity (certificate + private key) using the hostname
      --recreate-self-signed-certificate subject serial_number
        Recreate an existing self signed certificate
      --recreate-CA-signed-certificate subject issuer serial_number
        Recreate an existing certificate signed by an OpenDirectory CA
  where you have "192173c1c is this meant to be the serial number?

• Code-signing Certificate Provider for Mavericks Server?

  Our Digicert Code Signing Certificate [which worked fine in Mountain Lion Server but doesn't work in Mavericks Server no matter what I try] is about to expire, and I'm wondering if anyone could recommend a vendor whose code-signing certificates definitely work with Mavericks Server?

  I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
  Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
  In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
  If you have already imported it via Keychain Access just delete it from your Keychain and try again.
  With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

• Profile Manager - no code signing certificate?

  I'm starting with a clean install of Lion Server. DNS is on an Xserve running Leopard Server.
  - CA signed certificates in place
  - DNS working fine
  - I create an OD Master (I've done this through Server.app, Server Admin and from hitting the "configure" button in Profile Manger, which triggers building an OD Master), and when the OD Master is built, an OD-based CA is created along with an OD-based intermediate certificate, but (and this is my problem), the OD-based code signing certificate is never produced, thus I don't have a code signing certificate to select when trying to enable "sign configuration profiles"?
  This is driving me insane. Anyone know why the code signing certificate isn't being generated?
  Thanks,
  Kristin.

  I'm starting with a clean install of Lion Server. DNS is on an Xserve running Leopard Server.
  - CA signed certificates in place
  - DNS working fine
  - I create an OD Master (I've done this through Server.app, Server Admin and from hitting the "configure" button in Profile Manger, which triggers building an OD Master), and when the OD Master is built, an OD-based CA is created along with an OD-based intermediate certificate, but (and this is my problem), the OD-based code signing certificate is never produced, thus I don't have a code signing certificate to select when trying to enable "sign configuration profiles"?
  This is driving me insane. Anyone know why the code signing certificate isn't being generated?
  Thanks,
  Kristin.

• Differences between SSL and Code-Signing Certificates

  Hello,
  I unsuccessfully tried to use a SSL - certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned, that SSL certificates and code-signing certificates are different things (after seeking the web for ours). Can somebody point out some source of information about this topic ? What are these differences ? Can I convert my SSL certificate into a code-signing certificate ?
  Things got even more confusing for me, since my first attempt with an wrongly converted SSL cetificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
  Ulf

  yep, looks like it.
  keytool can be used with v3 x509 stores:
  Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
  jarsigner needs a keystore so I would assume public and private key pair.
  you could list the keys from your store:
  C:\temp>keytool -list -keystore serverkeys.key
  Enter keystore password: storepass
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  client, Jul 5, 2005, trustedCertEntry,
  Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
  server, Jul 5, 2005, keyEntry,
  Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
  The server is the private key, this can be used with jarsigner (alias option).
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar client
  jarsigner: Certificate chain not found for: client. client must reference a val
  id KeyStore key entry containing a private key and corresponding public key cert
  ificate chain.
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar server

• Code-signing Certificate Renew issue

  We recently renewed our Verisign code-signing certificate, only to discover that it breaks the auto-update process with the notorious error "This application cannot be installed because this installer has been mis-configured." We were able to make it work by using the ADT -migrate command. That is all well and wonderful. But there are two issues I see. First, there is a 180 day cut-off, beyond which users can no longer be updated. Then, when our certificate gets renewed again next year we might be stuck in a situation where we have to choose which users get to be updated and which are orphaned and are forced to uninstall/re-install.
  Furthermore, how much of this pain we have to live with becomes a function of how long a certificate we are willing to pay for. If we're a small company forking out the money for a 3 year certificate might be kind of painful. Why should this be a factor? Why is it not straight-forward to renew the same certificate and have installations back to the beginning of time be alright with it?
  It could be there is something about the renewal process that is not right. However, when I renewed my Verisign cert their process pretty much forced me to keep everything about the renewed cert the same as the original, otherwise it would not be a 'renewal'.
  If there is an arcane trick we are missing I would be most appreciate to know what it is. This should not be this difficult.
  Thanks
  Kevin

  Hi Kevin,
  I've asked around and learned that the process as you describe is "as designed".  However, there are stratigies for minimizing the downsides.
  For more information, please see the following documents:
  AIR 2.6 Extended Migration Signature Grace Periods
  Update Strategies for Changing Certificates
  Update Your Applications Regularly
  Code Singing in Adobe AIR
  Hope this helps,
  Chris

• Using a Code Signing Certificate for download on Azure

  Currently, I have a hosted web application and Web API on a VM that I use to allow users to download an executable file that is signed with a Code Signing certificate. My question is how would I do the same thing with a Web Role or Cloud Service?  The
  goal is to move to PAAS in Azure with our web application.
  Thanks for any help in advance.

  I appreciate the link to the article, but I don't need an SSL certificate, I need a code signing certificate.  I'm afraid this post does not help me at all.  What I need is a certificate to sign my downloadable applications with.  I have
  an .exe file that users can download, and I need those people to know my code can be trusted, which is why I need the code signing certificate.  My problem is how do I utilize this with a Web Role or Cloud Service?

• Cannot renew code signing certificate - maybe bug with german Umlaut?

  Hello!
  Since one month I expierence a message that I should renew my code signing certificate and today I thought it is time to stop this message.
  Because I could not find anything about renewing the certificate in Mountain Lion I used the KB-article that discribes the process for Lion.
  http://support.apple.com/kb/HT5358
  after that I get this in at my terminal:
  sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'myserver.domain.de Signierungszertifikate für Code' 'IntermediateCA_MYSERVER.DOMAIN.DE_1' 7D3E2458
  when I press return I get this:
  /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: myserver.domain.de Signierungszertifikate für Code
  I checked it again and again - I cannot find any typo or something like that - so maybe Mountain Lion wants to renew the certificate in a different way or certadmin cannot cope with german "Umlaute" - "für" - in english for - but I did not gave this name it was given by the system when I setup the server one year ago.
  Every hint is welcome, bye
  Christoph

  I am stupid - I read the KB article again and there it says
  "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
  I retyped the command with lower case hex numbers and everything was fine
  Bye,
  Christoph

• Using code signing certificate results in classnotfoundexception

  We are running a certificate authority on windows 2012. Our programming section developed a java application on linux and wanted to code sign it. They created a csr and sent it to me. I created a duplicate of the built in code signing template and used it
  to create a code signing certificate, which I sent back to the programmer. He used the certificate to sign the application jar file, and everything seemed ok. But when we try running the application we get a 'classnotfoundexception' for the main class of the
  program. Just to be sure it was not a fluke I wrote a small test applet and went through the same procedure of creating a csr, creating the certificate, and code signing the jar file, and ended up getting the same exact error.
  The programmer tried creating a self signed certificate on linux and using that to code sign the jar file, and the program runs successfully. Of course there is a warning that the certificate is untrusted, which is why we ant to use the windows created certificate
  to sign the application since the root certificate in on everyone's computer.
  Is there anything special needed to be done to get  the windows created certificate to successfully sign a java application?

  Hi David, did you ever get it to work signing the applet with an Active Directory Certificate Services certificate?
  We are exeperiencing the same issue.  The odd thing is that after we get the ClassNotFoundException error, we click on the error and then click reload and then it loads fine.  At this point we are probably going to try purchasing a certificate
  to see if ADCS was the problem.  Curious to see if you had any luck.  Thanks.

• What kind of code signing certificate do I need for Profile Manager?

  I'm new to Lion Server and the Profile Manager, and I'm wondering what kind of CA-recognized code signing certificate I would need to buy to use in the Profile Manager -> Sign configuration profiles? For example, Verisign sells a bunch of different kind (http://www.verisign.com/code-signing/): Microsoft Authenticode, Java, etc.
  Patrick

  The cable should be just the normal one, the special smarts that tell the tablet to charge at full speed is in the power brick.

• Missing Code Signing Certificate in Profile Manager

  Hi everyone,
  Firstly, I'm not a professional and managing a server isn't in my skill set.  I have an old Mac mini running the Mavericks server to dabble with.
  Recently, the code-signing certificate (I assume self-signed) disappeared from Profile Manager for the option to "Sign configuration profiles" – no idea why, and I'm struggling to get it back, it just doesn't appear in the drop down.
  Under "Certificates" in Server.app, and within Keychain Access; it's still in the system and can be seen, where there are two of them.
  I've tried renewing both of these through Server.app to see if that would be a quick fix, but nothing.
  Could someone advise me on how to create a new verified code signing certificate for use with profile manager?
  Kind regards,
  Jamie

  Tried again.  Destroyed OD and recreated – code signing appears.  Reboot machine, code signing disappears.
  I tried exporting out the Code Signing Cert before rebooting the machine and reimporting after it disappears only to get "This profile cannot be used to sign profiles".
  Any idea what could be breaking the code-signing on reboot? Really bizarre.

• A PKI Code Signing Certificate question.

  Hello,
  Can someone please help me with the following question.
  I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
  what I did.
  1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
  2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
  3: Took the came certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store the PC that will be running the signed code. This step was done so the user does not receive
  a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the
  way I sorted this at the time was to take the whole certificate as above and import to this store.
  The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? in other words should I have imported the certificate 'minus its
  private key' into the trusted publishers store?
  Also, I understand you have to have the certificate along with is private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example),
  is that correct i.e. is that what it mean to sign code?
  if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value.
  Is this correct?
  My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  if the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean which every computer I logon to in the domain I would
  have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense can this be done/is this done?
  Basically I need to understand the above, in order to understand more about Crypto.
  I also need create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating and AD account called 'XYZCorpCodeSigning' or what ever, and issuing a code singing cert to this entity. If the private key could be stored
  in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
  I know there are several question above, but it would be great it they would be answered as I would help me understand more about how it all works and to solve a problem too
  Thanks very much
  AAnotherUser__
  AAnotherUser__

  > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
  yes, it is not correct. Only public part should be imported to a Trusted Publishers container.
  >  is that correct i.e. is that what it mean to sign code
  exactly. Encryption with private key and decrypting with public key is called "digital signature".
  > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same
  value. Is this correct?
  yes. Client uses only public part of the certificate to validate the signature.
  > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  normally code signing certificates are not stored in Active Directory and should not be there, because signing certificate is included in the signature field.
  > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
  this is wrong assumption. A user is responsible to protect signing private key from unauthorized use.
  > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
  wouldn't, because if something happens -- you will never know who compromised the key.
  as a general practice, we recommend to purchase at least few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who the only has access to a smart card
  (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with unique signing certificate to each developer. However this will add a complexity in signing certificate trust management.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Code Signing Certificate Options

  Hi Guys,
  Have just finished and Air application and need to sign it before distribution.  Anyone got any good advice on the pros and cons of the various Code Signing options for Adobe Air out there?
  Richard

  I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
  Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
  In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
  If you have already imported it via Keychain Access just delete it from your Keychain and try again.
  With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.