Profile Manager - no code signing certificate?

Similar Messages

• On Mountain lion Server, renewing profile manager's code signing certificate

  Hello,
  I follow the article : HT5358 and i have always this error : certadmin Cannot find the certificate: Certificat de signature de code myserver.domain.fr.
  Is somebody can help me ?!
  Thanks !!!

  Hello!
  I just solved my problem - I read the KB article again and there it says
  "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
  Maybe it is the same with your problem.
  Bye,
  Christoph

• Argh! Profile Manager and Code-Signing of profiles

  I am setting up Profile Manager in Mavericks with Server.app 3.0.1.
  I have DNS correctly setup, I have created an OD Master for Profile Manager, Profile Manager is running and network users can login and I can setup profiles. I also have the https site working properly for clients although that needed some help.
  We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates, and one for signing codesigning certificates. On my server I have installed the rootCA, and the intermediate CAs and of course the server SSL certificate itself. As mentioned initially I had a problem with the https site on the server and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)
  As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates it turned out that of the four files for the server certificate i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem that the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache and clients now get the full chain and can therefore trust the https site.
  My problem now is with the codesigning certificate, this also has been selfsigned this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.
  I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates but this did not help. I am currently stuck, any suggestions from any one?
  Thanks.

  I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.
  Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.
  I DO NOT have the Code Signing Certificate in my keychain created when OD was created.
  I DO have the four code signing certificate files:
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem
  Furthermore, when I search my System keychain passwords, for <UUID hash>, I see that have the password that decrypts these pem's, e.g. via the openssl command
  openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'
  What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?
  I am stuck.

• About Profile manager renew code signing cert

  I am using the profile manager service in Mac OS X 10.7 Server.
  My code signing cert just got expired, and the serial no. is 1. So i followed the apple guide to renew the cert in terminal
  ipad:~ test$ sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "ipad.example.com" "IntermediateCA_IPAD.EXAMPLE.COM_1" 1
  /usr/sbin/certadmin Cannot find the certificate: ipad.example.com
  I can renew the another one successfully but only this cannot renew, I don't know why (maybe related to the serial? too short?)
  Anyone know how to solve it?
  Thank you very much
  BTW, Any method can generate the cert for 10 years or renew the cert without re-enroll the device? because I don't want renew the cert every year and ask user enroll again.

  I am using the profile manager service in Mac OS X 10.7 Server.
  My code signing cert just got expired, and the serial no. is 1. So i followed the apple guide to renew the cert in terminal
  ipad:~ test$ sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "ipad.example.com" "IntermediateCA_IPAD.EXAMPLE.COM_1" 1
  /usr/sbin/certadmin Cannot find the certificate: ipad.example.com
  I can renew the another one successfully but only this cannot renew, I don't know why (maybe related to the serial? too short?)
  Anyone know how to solve it?
  Thank you very much
  BTW, Any method can generate the cert for 10 years or renew the cert without re-enroll the device? because I don't want renew the cert every year and ask user enroll again.

• Renew my code sign certificate?

  I run a Mavericks server that serves profile manager, file, and time machine services. My code sign cert expires in a couple weeks. When you go into Server.app > Certificates and double click on it, there isn't a "Renew" button like there is for other certs I've renewed.
  How would I renew this? And what impact would it have on my running services (ie. would I have to re-enroll everyone in profile manager)? Thank you.

  Does OS X Server: Renewing Profile Manager's code signing certificate - Apple Support help?

• What kind of code signing certificate do I need for Profile Manager?

  I'm new to Lion Server and the Profile Manager, and I'm wondering what kind of CA-recognized code signing certificate I would need to buy to use in the Profile Manager -> Sign configuration profiles? For example, Verisign sells a bunch of different kind (http://www.verisign.com/code-signing/): Microsoft Authenticode, Java, etc.
  Patrick

  The cable should be just the normal one, the special smarts that tell the tablet to charge at full speed is in the power brick.

• Missing Code Signing Certificate in Profile Manager

  Hi everyone,
  Firstly, I'm not a professional and managing a server isn't in my skill set.  I have an old Mac mini running the Mavericks server to dabble with.
  Recently, the code-signing certificate (I assume self-signed) disappeared from Profile Manager for the option to "Sign configuration profiles" – no idea why, and I'm struggling to get it back, it just doesn't appear in the drop down.
  Under "Certificates" in Server.app, and within Keychain Access; it's still in the system and can be seen, where there are two of them.
  I've tried renewing both of these through Server.app to see if that would be a quick fix, but nothing.
  Could someone advise me on how to create a new verified code signing certificate for use with profile manager?
  Kind regards,
  Jamie

  Tried again.  Destroyed OD and recreated – code signing appears.  Reboot machine, code signing disappears.
  I tried exporting out the Code Signing Cert before rebooting the machine and reimporting after it disappears only to get "This profile cannot be used to sign profiles".
  Any idea what could be breaking the code-signing on reboot? Really bizarre.

• Code Signing Certificate Renewal for Profile Manager

  Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year.  In one month our Code Signing Certificate will expire on ALL of those devices.  I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.
  How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

  After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
  Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
  Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
  If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
  {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

• Profile Manager Code Signing Certificate from GoDaddy .spc

  Convert the .spc to .cer for Profile Manager compatability.
  Thought I'd share how to convert a code signing certificate acquired from go daddy as it downloads as a .spc file that Profile manager will not accept.
  When you download your code signing certificate from go daddy it will be a .spc file as stated above, and profile manager needs a .cer file.
  Take your .zip file over to a Windows 7 or better PC and double-click the .zip file.
  Then double-click the enclosed certificate.
  This will open the windows certmgr.
  Expand the certificate and locate your certificate (Should be the one with your company name )
  Right-Click the desired certificate, select all tasks, then Export
  Export the certificate as a DER .cer file.
  Now copy the exported .cer certificate to your Server App/Certificates and import it into the Pending Certificate.
  Once that's done also add the .cer certificate to your keychain.
  Remember to replace the expiring certificate if applicable
  LJS

  After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
  Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
  Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
  If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
  {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

• Configuration Profile Code-Signing Certificates

  Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
  I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
  How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

  You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
  ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.
  ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

• "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.]" for brand new, vanilla Mac App

  In OS X Maverick's XCode, I created a brand new Mac > "Cocoa Application", with Core Data and Spotlight Importerl; about as vanilla a Cocoa application I could muster. 
  Under Preferences > Accounts, I signed in to my Mac Developer Account.
  In Targets > Identity, I set Signing to "Mac App Store", and was able to select my Mac Developer Account for "Team".
  I then went to Product > Clean, and then Product > Build for... > Running, and then Produt > Archive.
  In the Organizer, I select the resulting .app and click "Validate", and hit the Mac App Store radio, and hit "Next", and it's able to log into my Mac Developer Account.
  I select my Provisioning Profile in the dropdown, and click "Validate".
  It comes back with several errors:
  1 - "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.] For more information, visit the Mac OS Developer Portal."
  2 - "The bundle identifier cannot be changed from the current value, '{DIFFERENT-BUNDLE-FROM-OTHER-PROJECT}'.  If you want to change your bundle identifier, you will need to create a new application in iTunes Connect.
  3 - Invalid Code Signing Entitlements.  The entitlements in your app bundle signature do not match the ones that are contained in the provision profile.  The bundle contains a key that is not included in the provisioning profile: 'com.apple.applications-identifier' in '{BUNDLENAME}.app/Contents/MacOS/{BUNDLENAME}'
  I was able to do the same process before, for a vanilla app, before Mavericks.  I'm not sure if this is a Mavericks error, or a fact that now I have multiple app projects.  Particularly odd is that DIFFERENT-BUNDLE-FROM-OTHER-PROJECT in error (2) is not the same bundle name as the current project's bundle.
  Would love any help you can provide!  Thank you!

  Seen this thread?
  New codesign behavior, --deep option 
  "Code signing has some interesting changes in Mavericks (that apparently haven't made it into the release notes yet...). Note that this is a change to the operating system, not to the devtools."

• Managing Windows Phone's and Symantec Code Signing certificate

  Hi,
  We need to renew the code signing certificate from Symantec. However, we only use it to manage the Windows Phone devices and don't publish apps. Do we still need to spend $300 on renewing this cert? Can't I manage them for free like our iOS and Android devices?

  You REQUIRE the Symantec Code Signing Certificate to manage Windows Phones via Windows Intune. This is a requirement of the device rather than the management solution.
  You CAN manage Windows Phones without this cert using only Exchange active sync management in Intune. However this management is very basic and has no advanced features (basically the features provided by Exchange rather than Intune).
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• Code Signing Certificate Options

  Hi Guys,
  Have just finished and Air application and need to sign it before distribution.  Anyone got any good advice on the pros and cons of the various Code Signing options for Adobe Air out there?
  Richard

  I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
  Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
  In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
  If you have already imported it via Keychain Access just delete it from your Keychain and try again.
  With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

• Code-signing Certificate Provider for Mavericks Server?

  Our Digicert Code Signing Certificate [which worked fine in Mountain Lion Server but doesn't work in Mavericks Server no matter what I try] is about to expire, and I'm wondering if anyone could recommend a vendor whose code-signing certificates definitely work with Mavericks Server?

  I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
  Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
  In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
  If you have already imported it via Keychain Access just delete it from your Keychain and try again.
  With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

• Lion Server: Why is our Code Sign Certificate not accepted ?

  Hello,
  our Lion Server (10.7.5) is running fine, but since we restored it from a back-up Profile Manager no longer accepts the Code Signing certificate despite the fact that it is shown as valid in Server App's Manage Certificates.
  I tried everything from deleting the device manager postgrep db, and restoring it as described in
  https://discussions.apple.com/thread/3791994?start=0&tstart=0
  Backup and delete db:
  sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
  /usr/share/devicemgr/backend/wipeDB.sh
  Restore the db :
  sudo serveradmin stop devicemgr
  sudo serveradmin start postgres
  sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
  sudo serveradmin start devicemgr
  I tried to recreate the Code Sign certificate as described in:
  http://support.apple.com/kb/HT5358
  The certificate is successfully created but it is just NOT accepted. (It does not show in the "Sign Configuration Profiles" dialog)
  I would be very, very grateful for a hint.
  (When running the server from the external clone, from which we copied the server back, the problem is not present)
  Regards,
  Twistan

  This also applies to the 470 IDES install!
  Any ideas?
  Tx JB