Profile Manager Code Signing Certificate from GoDaddy .spc

Convert the .spc to .cer for Profile Manager compatibility.
Thought I'd share how to convert a code signing certificate acquired from GoDaddy, as it downloads as a .spc file that Profile Manager will not accept.
When you download your code signing certificate from GoDaddy it will be a .spc file as stated above, and Profile Manager needs a .cer file.
Take your .zip file over to a Windows 7 or better PC and double-click the .zip file.
Then double-click the enclosed certificate.
This will open the Windows certmgr.
Expand the certificate and locate your certificate (should be the one with your company name).
Right-click the desired certificate, select All Tasks, then Export.
Export the certificate as a DER .cer file.
Now copy the exported .cer certificate to your Server App/Certificates and import it into the Pending Certificate.
Once that's done also add the .cer certificate to your keychain.
Remember to replace the expiring certificate if applicable.
LJS
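
The same .spc to DER .cer conversion can be scripted with OpenSSL; this is an added example, not part of the original post. It assumes the .spc is a PKCS#7 certificate bundle (DER, with a PEM fallback); the function names and the self-signed sample certificate are constructed for illustration.

```sh
#!/bin/sh
# Added example: split a PKCS#7 .spc bundle into DER-encoded .cer files.

# spc_to_cer BUNDLE.spc OUTDIR
# Writes OUTDIR/cert1.cer, cert2.cer, ... and prints each subject and
# SHA-256 fingerprint so the certificate with your company name can be picked.
spc_to_cer() {
    spc=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    # .spc files are normally DER-encoded PKCS#7; fall back to PEM.
    pem=$(openssl pkcs7 -inform DER -in "$spc" -print_certs 2>/dev/null) ||
    pem=$(openssl pkcs7 -inform PEM -in "$spc" -print_certs 2>/dev/null) || {
        echo "not a PKCS#7 bundle: $spc" >&2; return 1; }
    # Split the PEM stream into one file per certificate.
    printf '%s\n' "$pem" | awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }'
    for p in "$outdir"/cert*.pem; do
        [ -f "$p" ] || { echo "no certificates in $spc" >&2; return 1; }
        cer=${p%.pem}.cer
        openssl x509 -in "$p" -outform DER -out "$cer" || return 1
        openssl x509 -inform DER -in "$cer" -noout -subject -fingerprint -sha256
        rm -f "$p"
    done
}

# fp_sha256 FILE FORM(PEM|DER): print only the hex fingerprint.
fp_sha256() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample: a throwaway self-signed certificate wrapped into a
# DER .spc, converted back, then compared by fingerprint with the original.
demo_spc_roundtrip() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Co (constructed)/CN=Example Co Code Signing" \
        -keyout "$tmp/key.pem" -out "$tmp/leaf.pem" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$tmp/leaf.pem" \
        -outform DER -out "$tmp/bundle.spc" || return 1
    spc_to_cer "$tmp/bundle.spc" "$tmp/out" >/dev/null || return 1
    want=$(fp_sha256 "$tmp/leaf.pem" PEM)
    got=$(fp_sha256 "$tmp/out/cert1.cer" DER)
    rm -rf "$tmp"
    [ -n "$want" ] && [ "$want" = "$got" ]
}

if demo_spc_roundtrip; then
    echo "converted .cer has the same fingerprint as the original certificate"
fi
```

Comparing the printed fingerprint with the one shown by the issuing CA confirms that the exported .cer is the certificate you expect before importing it.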

Similar Messages

  • Managing Windows Phone's and Symantec Code Signing certificate

    Hi,
    We need to renew the code signing certificate from Symantec. However, we only use it to manage the Windows Phone devices and don't publish apps. Do we still need to spend $300 on renewing this cert? Can't I manage them for free like our iOS and Android devices?

    You REQUIRE the Symantec Code Signing Certificate to manage Windows Phones via Windows Intune. This is a requirement of the device rather than the management solution.
    You CAN manage Windows Phones without this cert using only Exchange active sync management in Intune. However this management is very basic and has no advanced features (basically the features provided by Exchange rather than Intune).
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • Code Signing Certificate Options

    Hi Guys,
    Have just finished an Air application and need to sign it before distribution.  Anyone got any good advice on the pros and cons of the various Code Signing options for Adobe Air out there?
    Richard

  • Code-signing Certificate Provider for Mavericks Server?

    Our Digicert Code Signing Certificate [which worked fine in Mountain Lion Server but doesn't work in Mavericks Server no matter what I try] is about to expire, and I'm wondering if anyone could recommend a vendor whose code-signing certificates definitely work with Mavericks Server?

    I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
    Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
    In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
    If you have already imported it via Keychain Access just delete it from your Keychain and try again.
    With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

  • A PKI Code Signing Certificate question.

    Hello,
    Can someone please help me with the following question.
    I have created and used a code signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
    What I did:
    1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
    2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
    3: Took the same certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store on the PC that will be running the signed code. This step was done so the user does not receive a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the way I sorted this at the time was to take the whole certificate as above and import to this store.
    The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? In other words should I have imported the certificate 'minus its private key' into the trusted publishers store?
    Also, I understand you have to have the certificate along with its private key to sign code. I am 'assuming' a hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a web server cert for example), is that correct i.e. is that what it means to sign code?
    If the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the hash code still computes to the same value. Is this correct?
    My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
    If the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean whichever computer I log on to in the domain I would have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense, can this be done/is this done?
    Basically I need to understand the above, in order to understand more about Crypto.
    I also need to create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating an AD account called 'XYZCorpCodeSigning' or whatever, and issuing a code signing cert to this entity. If the private key could be stored in AD then accessed and used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
    I know there are several questions above, but it would be great if they would be answered as it would help me understand more about how it all works and to solve a problem too.
    Thanks very much
    AAnotherUser__

    > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
    Yes, it is not correct. Only the public part should be imported to a Trusted Publishers container.
    > is that correct i.e. is that what it means to sign code
    Exactly. Encryption with private key and decrypting with public key is called "digital signature".
    > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value. Is this correct?
    Yes. The client uses only the public part of the certificate to validate the signature.
    > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
    Normally code signing certificates are not stored in Active Directory and should not be there, because the signing certificate is included in the signature field.
    > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
    This is a wrong assumption. A user is responsible for protecting the signing private key from unauthorized use.
    > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
    It wouldn't, because if something happens, you will never know who compromised the key.
    As a general practice, we recommend purchasing at least a few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who is the only one with access to a smart card (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with a unique signing certificate to each developer. However, this will add complexity in signing certificate trust management.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.
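
The split discussed in this thread (the signer keeps the private key, verifying machines get only the certificate), as an added example that is not part of the original posts. It uses a detached `openssl dgst` signature rather than Authenticode's embedded format, and the function names, password and self-signed signer are constructed for illustration.

```sh
#!/bin/sh
# Added example: export a key-free certificate from a PFX and verify with it.

# export_public_cert BUNDLE.pfx PASSWORD OUT.cer
# -nokeys drops the private key, so OUT.cer is safe to hand to verifiers.
export_public_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -outform DER -out "$3"
}

# sign_file KEY FILE SIG: SHA-256 hash of FILE signed with the private key.
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_file CERT.cer FILE SIG: uses only the public key from the certificate.
verify_file() {
    pub=$(mktemp) || return 1
    if openssl x509 -inform DER -in "$1" -noout -pubkey > "$pub" &&
       openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return $rc
}

# Constructed walk-through; prints "ok" when every expectation holds.
demo_public_only_verify() {
    d=$(mktemp -d) || return 1
    # Constructed signer identity (self-signed, for illustration only).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Code Signer" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    # The PFX (certificate plus private key) stays with the signer.
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout pass:constructed -out "$d/signer.pfx" || return 1
    # Only this key-free .cer goes to the machines that verify signatures.
    export_public_cert "$d/signer.pfx" constructed "$d/publisher.cer" || return 1

    printf 'Write-Output "constructed script"\n' > "$d/app.ps1"
    result=ok
    sign_file "$d/key.pem" "$d/app.ps1" "$d/app.sig" || result=sign-failed
    verify_file "$d/publisher.cer" "$d/app.ps1" "$d/app.sig" || result=verify-failed
    # The exported certificate holds no private key, so it cannot sign.
    sign_file "$d/publisher.cer" "$d/app.ps1" "$d/other.sig" 2>/dev/null &&
        result=cert-could-sign
    # Any change to the signed file must break verification.
    echo '# tampered' >> "$d/app.ps1"
    verify_file "$d/publisher.cer" "$d/app.ps1" "$d/app.sig" &&
        result=tamper-undetected
    rm -rf "$d"
    echo "$result"
}

demo_public_only_verify
```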

  • Windows Code Signing Certificate

    How to convert Windows Code Signing Certificate from p7s format to AET format

    Where did you get this 'p7s' file?  Did someone try to send you an AET in an SMIME encoded message? 
    File extension: p7s, is usually associated with a file containing PKCS #7 signed data and 'AET' usually refers to an 'Application Enrollment Token', which is associated with Windows Phone Enterprise application management.
    To create an AET for Windows Phone you need to have a proper code signing certificate from Symantec. (...you can't use just any code signing certificate.)
    When you obtain a code signing certificate from Symantec it should be installed into your computer's certificate store.  You can then export the certificate and private key to a *.pfx file to use for signing apps or if you need to move it to a different computer.
    see:
    Windows Phone 8: Steps to acquire an Enterprise Mobile Code Signing Certificate required to sign LOB or company apps
    and:
    Frequently asked questions about Windows Phone Company Hub apps
    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

  • Thawte code signing certificate problem

    Hi everyone!
    I wonder if someone here could help me out a little bit?
    I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have mac). So I used my default browser Safari. And now I can't find any instructions how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it's too late. I have to use same browser I have used earlier.
    I send this answer to Thawte too, but I'm not sure when they answer...

    Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
    See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
    I haven't tried it, but maybe you can import the certificate into Firefox and then re-export it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

  • Missing Code Signing Certificate in Profile Manager

    Hi everyone,
    Firstly, I'm not a professional and managing a server isn't in my skill set.  I have an old Mac mini running the Mavericks server to dabble with.
    Recently, the code-signing certificate (I assume self-signed) disappeared from Profile Manager for the option to "Sign configuration profiles" – no idea why, and I'm struggling to get it back, it just doesn't appear in the drop down.
    Under "Certificates" in Server.app, and within Keychain Access; it's still in the system and can be seen, where there are two of them.
    I've tried renewing both of these through Server.app to see if that would be a quick fix, but nothing.
    Could someone advise me on how to create a new verified code signing certificate for use with profile manager?
    Kind regards,
    Jamie

    Tried again.  Destroyed OD and recreated – code signing appears.  Reboot machine, code signing disappears.
    I tried exporting out the Code Signing Cert before rebooting the machine and reimporting after it disappears only to get "This profile cannot be used to sign profiles".
    Any idea what could be breaking the code-signing on reboot? Really bizarre.

  • Code Signing Certificate Renewal for Profile Manager

    Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year.  In one month our Code Signing Certificate will expire on ALL of those devices.  I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.
    How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

    After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
    Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
    Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
    If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
    {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have access to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

  • What kind of code signing certificate do I need for Profile Manager?

    I'm new to Lion Server and the Profile Manager, and I'm wondering what kind of CA-recognized code signing certificate I would need to buy to use in the Profile Manager -> Sign configuration profiles? For example, Verisign sells a bunch of different kinds (http://www.verisign.com/code-signing/): Microsoft Authenticode, Java, etc.
    Patrick

    The cable should be just the normal one, the special smarts that tell the tablet to charge at full speed is in the power brick.

  • Profile Manager - no code signing certificate?

    I'm starting with a clean install of Lion Server. DNS is on an Xserve running Leopard Server.
    - CA signed certificates in place
    - DNS working fine
    - I create an OD Master (I've done this through Server.app, Server Admin and from hitting the "configure" button in Profile Manager, which triggers building an OD Master), and when the OD Master is built, an OD-based CA is created along with an OD-based intermediate certificate, but (and this is my problem), the OD-based code signing certificate is never produced, thus I don't have a code signing certificate to select when trying to enable "sign configuration profiles"?
    This is driving me insane. Anyone know why the code signing certificate isn't being generated?
    Thanks,
    Kristin.

  • Configuration Profile Code-Signing Certificates

    Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
    I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
    How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert is more useful than a code-signing cert.
    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

  • "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.]" for brand new, vanilla Mac App

    In OS X Mavericks' Xcode, I created a brand new Mac > "Cocoa Application", with Core Data and Spotlight Importer; about as vanilla a Cocoa application as I could muster. 
    Under Preferences > Accounts, I signed in to my Mac Developer Account.
    In Targets > Identity, I set Signing to "Mac App Store", and was able to select my Mac Developer Account for "Team".
    I then went to Product > Clean, and then Product > Build for... > Running, and then Product > Archive.
    In the Organizer, I select the resulting .app and click "Validate", and hit the Mac App Store radio, and hit "Next", and it's able to log into my Mac Developer Account.
    I select my Provisioning Profile in the dropdown, and click "Validate".
    It comes back with several errors:
    1 - "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.] For more information, visit the Mac OS Developer Portal."
    2 - "The bundle identifier cannot be changed from the current value, '{DIFFERENT-BUNDLE-FROM-OTHER-PROJECT}'.  If you want to change your bundle identifier, you will need to create a new application in iTunes Connect.
    3 - Invalid Code Signing Entitlements.  The entitlements in your app bundle signature do not match the ones that are contained in the provision profile.  The bundle contains a key that is not included in the provisioning profile: 'com.apple.applications-identifier' in '{BUNDLENAME}.app/Contents/MacOS/{BUNDLENAME}'
    I was able to do the same process before, for a vanilla app, before Mavericks.  I'm not sure if this is a Mavericks error, or a fact that now I have multiple app projects.  Particularly odd is that DIFFERENT-BUNDLE-FROM-OTHER-PROJECT in error (2) is not the same bundle name as the current project's bundle.
    Would love any help you can provide!  Thank you!

    Seen this thread?
    New codesign behavior, --deep option 
    "Code signing has some interesting changes in Mavericks (that apparently haven't made it into the release notes yet...). Note that this is a change to the operating system, not to the devtools."

  • Lion Server: Why is our Code Sign Certificate not accepted ?

    Hello,
    our Lion Server (10.7.5) is running fine, but since we restored it from a back-up Profile Manager no longer accepts the Code Signing certificate despite the fact that it is shown as valid in Server App's Manage Certificates.
    I tried everything from deleting the device manager postgres db, and restoring it as described in
    https://discussions.apple.com/thread/3791994?start=0&tstart=0
    Backup and delete db:
    sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
    /usr/share/devicemgr/backend/wipeDB.sh
    Restore the db :
    sudo serveradmin stop devicemgr
    sudo serveradmin start postgres
    sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
    sudo serveradmin start devicemgr
    I tried to recreate the Code Sign certificate as described in:
    http://support.apple.com/kb/HT5358
    The certificate is successfully created but it is just NOT accepted. (It does not show in the "Sign Configuration Profiles" dialog)
    I would be very, very grateful for a hint.
    (When running the server from the external clone, from which we copied the server back, the problem is not present)
    Regards,
    Twistan

    This also applies to the 470 IDES install!
    Any ideas?
    Tx JB

  • What code signing certificate has to be added for Adobe Air Native Installer?

    Hi,
    I'm developing Adobe Air application. I need to digitally verify the application to add the publisher's name with the product. I did a little research and came to know that Symantec, Thawte, Comodo, Comodo-Tucows, Digicert, Godaddy and couple of others are doing this.
    Yes. I'm talking about the Code Signing Certificate. My question is, What code signing certificate has to be added for Adobe Air Native Installer? The reason is, The native installer will have an extension .exe ( Windows ) and .dmg ( MAC OS X ).
    These guys are providing certificates for Adobe Air. For instance, if the application is exported using Native Installer in Windows, the application will have an .exe extension. For this, can I use the same Adobe Air code signing certificate or should I go for a Microsoft Authenticode ( for .exe ) certificate?
    Thanks in advance.

    I think a Comodo code signing certificate is one of the nice options to be added for Adobe Air, as I have seen Comodo code signing certificates in other Adobe programs. Recently I bought Comodo code signing from https://cheapsslsecurity.com/comodo/codesigningcertificate.html, to sign one of my Adobe applications and it works fine; you can use Microsoft Authenticode technology with Comodo code signing.
