Renewing Push Certificates?

Hi,
For Newsstand apps - do push certificates need to be renewed? Does anyone have information on how to do this?
Thank you.

1. No, Apple does not send a notification. If your dev and dist p12 certs expire, your app will be rejected at some point in the submission process--I don't recall when. It might be while building the app. If you don't update your app, expired dev and dist certs don't matter. Users can still use your app as before. You can even submit an app with expired push certs and your app will work fine--except for push, of course.
2. The distribution app in the store and on users' devices will still work if the distribution p12 is expired, but you'll need to update the cert before you resubmit a new version of the app. That's my understanding. An expired push production cert affects only push itself. If your push cert is expired, you'll get an error message when you click Notify. Users can still subscribe, download, and view articles regardless of push, but they won't get badges or background downloads.
3. If your dev and dist p12 certs are expired, just update them before you submit a new version. You don't need to rush to do it. For the p12 push cert, I don't believe that you need to resubmit the app. I believe that if you revoke and rebuild the push certs, the change is registered with Apple, and you can click Notify without an error. I'll be testing this soon.

Similar Messages

  • Renewing Push Certificate with renamed Apple ID

    Hello everyone,
    I have a specific problem here:
    - I set up an OS X Lion Server at work to manage a bunch of iOS devices with Profile Manager
    - I created an Apple-ID for my work-email to request a Push Certificate for that server
    - I then RENAMED the Apple-ID to a functional email-address (however, my original one is still setup as alternative email address)
    - I can still see my Push Certificate when logging in to the Push Certificate Portal
    - Now, I need to renew that certificate in 30 days.
    Question 1: Can I renew that certificate using the Server.app (which still knows my old email-address) or do I need to rename my Apple-ID AGAIN to the old state before doing so?
    Question 2: Will I need to re-enroll my iOS devices with either option stated above?
    Question 3: I plan to upgrade to Mountain Lion Server - in the process, I will be asked for an Apple-ID for the Push Certificate ... will it be clever enough to recognize my renamed Apple-ID, or do I need to rename it before that as well?
    Question 4: Is it possible to let Apple Support handle this mess, has anyone tried that successfully so far?
    Thanks for reading :-)
    Best regards,
    Olaf

    I'd like to share my experience how the process went.
    As initially stated, I needed to renew my Push Certificate within 30 days, but had renamed my Apple ID (from [email protected] to [email protected]).
    Renewing meant, re-enrolling all devices. Somebody suggested, I should upgrade to Mountain Lion Server first, THEN renew, it would be easier then (you know, click one button and BOOM, magic..).
    So, the idea then was
    - Perform in-place-upgrade
    - re-enroll certificate after upgrade
    short answer... that didn't work out.
    Before upgrading, I trained on a cloned system.
    In the process of the upgrade, you HAVE to enter an Apple-ID (i.e. email address) to connect to the APNS ... that means it either is exactly the one you created the Push Certificate with in the first place, or you re-enroll your devices - Apple gives a nice warning message during the process.
    OK, gnashing teeth, I renamed the Apple-ID back to the original state and tried the in-place upgrade again, this time on the production server ... what should go wrong,  it worked out before on the clone (sans the certificate part) ... hhhm ... not this time. It seemed to be some problem with the Raid card. But hey, that's what Carbon Copy Cloner, psqldump and Timemachine are for, right?
    Wrong.
    After the restore, my production machine came up fine, everything worked - except pushing anything to my devices.
    So, technically I restored OS X Lion Server to a running state AND had 3 different means of backup, just in case (CCC, Timemachine, scripted DB dumps and OD dumps)  and still in the end, I had a bunch of devices that needed to be re-enrolled. Brilliant.
    More gnashing teeth. Now, knowing I need to re-enroll anyway, I installed ML Server from scratch, created a new Push certificate (using [email protected].), re-entered ALL mobile devices, policies and groups by hand (oops, Apple dropped psqldump support in ML Server, there is no database import from prior versions..FRAK) and re-enrolled all devices, happy users assured.
    And now the fun part: If you sign your mobile profiles (you know, that checkbox in Server App) for extra security, you need to take care of your Code Signing Certificates validity. You can renew this easily (one click, BOOM, magic).
    The Code Signing Certificate is valid for 1 year.  If you renew this certificate, re-enrollment is mandatory.
    DOUBLE-FRAK.
    So in the end, it didn't matter at all that I renamed my Apple-ID back and forth, it didn't matter that the in-place upgrade didn't work out and I had to do a clean install, there was actually no option of pulling this stunt without re-enrolling all devices, at least when the Code signing certificate were to expire.
    Please Apple, FIX this. It can not be, that I have to re-enroll all my devices EVERY YEAR. Why are your certificates only valid one year? Why can't you design a convenient mechanism to renew all certificates and push them to the devices automatically?

  • Renewed push certificate, do I have to re-enroll devices

    I went into Mac OS X Server: Settings: Enable Apple Push Notifications clicked EDIT and updated my push certificate.  Very easy.  Took all of 30 seconds or so. 
    Do I need to manually visit every iPad and update the device enrollment (re-enroll device) to match before PUSH takes off again?  I did this last year, because nothing else would work and it seems like that really really shouldn't be required.  We now have about 100 iPads that are basically in use all of the time, so if this isn't necessary I really need to not do it...

    Hi!
    As you say, the expected behavior is that it "just works" but it may take some time. If you create a bookmark in one computer this will upload to the server after some short time and it will be downloaded by the rest of the machines.
    Can you double-check in the Sync tab in all this devices that you are using the same Sync account? It's on the "Preferences" window, under Sync. You will see your email address. Make sure it's the same in all of them.
    If they are the same, give a try to the "Sync now" option under the Firefox Button (or Tools if you are using MacOS) and see if that pushes the changes.
    If you can follow up in these 2 tasks we can keep digging in your issue.
    Best,
    Ibai

  • How do I Renew a Push Certificate? - when I follow instructions.

    When I go to Server and in Settings/Edit/Renew (to renew a push notification)
    I get the following:
    "The current certificate cannot be renewed. You must acquire a new certificate and reconfigure your devices."
    No further instructions on how to acquire the "new" certificate.
    Someone please lead me in the right direction?
    Thank you.

    I seem to be in a bit of a circular reference on this. The notifications part of the Server app tells me I cannot renew the certificate. When I go to "Manage my Certificates" and log into the portal, it  tells me I must use the server app to obtain a new certificate. I'm still using Mountain Lion on my server and while I can live with this, my log is being bombarded with expired certificate notices that there doesn't seem a straightforward mechanism to fix.

  • Getting error while trying to create the push certificate...

    I am getting the following error while trying to create a push certificate for the mdm from the apple site.
    Certificate Signature Verification failed because the signature  is invalid.
    I am mdm vendor as well as the customer. I did the following steps.
    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
    openssl req -inform pem -outform der -in customer.csr -out customer.der
    created the plist_encoded file using a java program which uses the "SHA1WthRSA"
    When i tried to upload the plist_encoded file to the apple site (https://identity.apple.com/pushcert/), it creates a file with the following error
    {"ErrorCode":-80018,"ErrorMessage":"Certificate Signature Verification failed","ErrorDescription":"Certificate Signature Verification failed because the <a href=\"http://www.apple.com/business/mdm\" target=\"_blank\">signature<\/a> is invalid."}
    Any help would be greatly appreciated....

    Please see the solution in (The Descriptive Flexfield With Application Name Receivables (AR) and Name Party Site Information (HZ_PARTY_SITES) Is Not Frozen [ID 743262.1]).
    Thanks,
    Hussein
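
A local pre-check for the signing step described in this thread, as an added example that is not part of the original posts: it confirms that the signing key belongs to the vendor certificate and that the signature verifies over the DER-encoded CSR before anything is uploaded. The keys, certificate and CSR are constructed throwaway fixtures, the function names are hypothetical, and the choice of SHA1withRSA over the DER CSR bytes as the signed input is an assumption of this example.

```shell
#!/bin/sh
# Added example: all keys, the certificate and the CSR are constructed fixtures.
# Assumption: the vendor signature is SHA1withRSA over the DER bytes of the CSR.

# make_fixture DIR: create stand-ins for the files named in the post.
make_fixture() {
    d=$1
    for k in vendor other customer; do
        openssl genrsa -out "$d/$k.key" 2048 2>/dev/null || return 1
    done
    # Self-signed certificate standing in for the vendor's mdm.pem.
    openssl req -new -x509 -key "$d/vendor.key" -days 1 \
        -subj "/CN=Constructed MDM Vendor" -out "$d/mdm.pem" 2>/dev/null || return 1
    openssl req -new -key "$d/customer.key" \
        -subj "/CN=Constructed Customer" -out "$d/customer.csr" 2>/dev/null || return 1
    # Same conversion as in the post: PEM CSR to DER CSR.
    openssl req -inform pem -outform der -in "$d/customer.csr" -out "$d/customer.der"
}

# key_matches_cert KEY CERT: status 0 if the private key belongs to the certificate.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# sign_file KEY INPUT SIG: write the SHA1withRSA signature of INPUT to SIG.
sign_file() {
    openssl dgst -sha1 -sign "$1" -out "$3" "$2"
}

# sig_verifies CERT CSR_DER SIG: status 0 if SIG verifies with CERT's public key.
sig_verifies() {
    pub=$(mktemp) || return 2
    if openssl x509 -in "$1" -pubkey -noout > "$pub" 2>/dev/null &&
       openssl dgst -sha1 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return $rc
}

# precheck KEY CERT CSR_DER SIG: prints ok, key-mismatch or bad-signature.
precheck() {
    if ! key_matches_cert "$1" "$2"; then echo key-mismatch; return 0; fi
    if ! sig_verifies "$2" "$3" "$4"; then echo bad-signature; return 0; fi
    echo ok
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" || { rm -rf "$d"; return 1; }
    sign_file "$d/vendor.key" "$d/customer.der" "$d/good.sig"   # intended input
    sign_file "$d/vendor.key" "$d/customer.csr" "$d/pem.sig"    # PEM text signed by mistake
    sign_file "$d/other.key"  "$d/customer.der" "$d/other.sig"  # unrelated key
    echo "DER CSR, vendor key: $(precheck "$d/vendor.key" "$d/mdm.pem" "$d/customer.der" "$d/good.sig")"
    echo "PEM CSR, vendor key: $(precheck "$d/vendor.key" "$d/mdm.pem" "$d/customer.der" "$d/pem.sig")"
    echo "DER CSR, other key:  $(precheck "$d/other.key" "$d/mdm.pem" "$d/customer.der" "$d/other.sig")"
    rm -rf "$d"
}

demo
```

Run against real files, `precheck` takes the vendor private key, the converted vendor certificate, the DER CSR and the raw signature bytes in that order.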

  • Error while renewing the certificate in SSLM

    Hi,
    While renewing the certificate on SSLM I am getting the following error
    % failed to parse or verify imported certificate.
    I am able to upload root certificate successfully.
    I am sure that I renewed the certificate using the correct parameters.
    Please advise
    Regards
    Jithesh

    Hi Jithesh,
    This error can occur when you install the identity certificate and do not have the correct intermediate or root CA certificate authenticated with the associated trustpoint. You must remove and reauthenticate with the correct intermediate or root CA certificate. Contact your 3rd party vendor in order to verify that you received the correct CA certificate.
    Cheers!!
    Sachin

  • [solved] dovecot errors after renewing SSL certificate

    System:
    OS X Server (Mountain Lion) 2.2
    Using a single SSL Certificate for all services.
    Symptom:
    Users can't log into their IMAP accounts hosted on OS X Server (Mountain Lion) after renewing SSL Certificate
    Diagnostics:
    Give you an indication whether it's this problem. Some or all may apply:
    Log shows all kinds of dovecot errors. e.g.
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    config: Fatal: Error in configuration file /Library/Server/Mail/Config/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf shows commented out lines:
    ssl_cert
    ssl_key
    ssl_ca
    Solution:
    Go to the Certificates pane of the Server App  and choose Secure Services Using: Custom
    Set IMAP and POP server certificates to None
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf
    Now set Secure Services Using: <My single SSL Certificate for all services>
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and you should now see all the ssl* settings as you would expect, and pointing to the correct SSL certificate  in /etc/certificates
    Hope this works for you too!

    I had something similar happen. When I do anything with SSL certificates it deletes any regular websites. Only the sites that are setup for https are listed.
    Couldn't understand why my website wasn't working and it turned out that the system had deleted it. The web server had multiple host set and I had to rebuild all the ones that had used port 80. All the ones that use 443 were fine.
    Hope this helps.
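
A check for the failure described in this thread, as an added example that is not part of the original posts: it reads a dovecot SSL config and reports `ssl_cert` / `ssl_key` settings that are commented out, missing, or pointing at an unreadable file. The two config files and the certificate paths are constructed samples, the function names are hypothetical, and treating any `ssl` value other than `no` as enabled is an assumption of this example.

```shell
#!/bin/sh
# Added example: config files and certificate paths below are constructed samples.

# active_value FILE KEY: value of the last uncommented "KEY = value" line, if any.
active_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# check_dovecot_ssl FILE: print one finding per line; status 0 only if none.
check_dovecot_ssl() {
    findings=0
    mode=$(active_value "$1" ssl)
    # Assumption: anything other than an explicit "ssl = no" means TLS is enabled.
    if [ "$mode" = "no" ]; then
        return 0
    fi
    for key in ssl_cert ssl_key; do
        val=$(active_value "$1" "$key")
        if [ -z "$val" ]; then
            echo "$key: not set (missing or commented out)"
            findings=$((findings + 1))
            continue
        fi
        path=${val#<}   # dovecot reads the setting from the file named after '<'
        if [ ! -r "$path" ]; then
            echo "$key: file not readable: $path"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# write_samples DIR: a config in the broken state from the post and a repaired one.
write_samples() {
    dir=$1
    mkdir -p "$dir/certificates"
    : > "$dir/certificates/constructed.cert.pem"   # empty placeholders, only
    : > "$dir/certificates/constructed.key.pem"    # readability is checked
    cat > "$dir/broken.conf" <<EOF
ssl = required
#ssl_cert = <$dir/certificates/constructed.cert.pem
#ssl_key = <$dir/certificates/constructed.key.pem
#ssl_ca = <$dir/certificates/constructed.chain.pem
EOF
    cat > "$dir/fixed.conf" <<EOF
ssl = required
ssl_cert = <$dir/certificates/constructed.cert.pem
ssl_key = <$dir/certificates/constructed.key.pem
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    echo "broken.conf:"
    check_dovecot_ssl "$tmp/broken.conf" || echo "  -> dovecot would refuse to start"
    echo "fixed.conf:"
    check_dovecot_ssl "$tmp/fixed.conf" && echo "  -> no findings"
    rm -rf "$tmp"
}

demo
```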

  • SSPR registration and reset started to fail after renewing the certificates

    Hi,
    On our FIM 2010 R2 environment (version 4.1.3599.0), after renewing the certificates used on FIM Service/Portal and Password Reset/Registration servers two days back, both the password registration and reset no longer work but instead fails on the last step of the process. So for example when user browse to https://passwordreset.domain.com and fills in their domain\username and click next, FIM will send a security code (SMS OTP) to user´s mobile phone and once user then fills in code and click Next, the Communication error 3008 is shown to user. Same happens in the last step of the registration where user reviews that the mobile number is correct before clicking finally next. Once clicked the same error as is with Reset portal is shown to user.
    Other changes than renewing the certificates have not been done to the environment after it was working last time two days ago. Synchronization of users/groups create in FIM Portal works normally towards AD.
    All servers within FIM environment are on same domain and subnet and firewall is off on all servers.
    The following error message as an example is recorded on FIM app log on either of the SSPR servers (two in NLB):
    The error page was displayed to the user.
    Details:
    Title: Communication Error
    Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    Source: 
    Attributes: 
    Details: Microsoft.IdentityManagement.CredentialManagement.Portal.Exceptions.GenericCommunicationException: An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration.
    This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.ServiceModel.CommunicationException:
    An error occurred while receiving the HTTP response to http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an
    HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException:
    Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
    The following error message as an example is recorded on FIM app log on either of the FIM Service/Portal servers (two in NLB):
    Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.TokenIssuer.IssueSecurityToken(Message requestMessage, Object request, Claim[] claims)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.Challenger.IssueAuthenticationChallenge(Message requestMessage, Object requestBody, Nullable`1 requestContext, UniqueIdentifier authenticationProcessIdentifier, List`1 accumulatedClaims,
    Nullable`1& currentWorkflowInstanceIdentifier, AuthenticationChallengeType[]& currentChallenges)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.ProcessRequest(Message requestMessage, Object requestBody)
       at Microsoft.ResourceManagement.WebServices.SecurityTokenService.RequestSecurityTokenResponse(Message requestMessage)
    Both http://fimservice.domain.com:5726 or http://fimservice.domain.com:5725 can be accessed ok using web browser from the SSPR servers. The url of http://fimservice.domain.com:5726/ResourceManagementService/SecurityTokenService/Registration gives http 400 bad request which is ok.
    At least the following fixes provided on urls below have been tried out or were in place already but did not fix the issue:
    http://social.technet.microsoft.com/wiki/contents/articles/24629.fim-troubleshooting-sspr-registration-error-3008-an-error-occurred-while-receiving-the-http-response.aspx
    https://social.technet.microsoft.com/Forums/en-US/ae16496e-413a-45b7-a0d1-b39652c6478a/fim-password-registration-portal-error-3008-communication-error?forum=ilm2 (we have exactly the same three errors on FIM app log as mentioned in this post)
    https://social.technet.microsoft.com/Forums/en-US/aa14cff7-6b93-4413-8c75-737dd08bd25f/error-when-resetting-password-on-sspr?forum=ilm2
    https://social.technet.microsoft.com/Forums/en-US/aab6d5ef-667a-4ea9-876d-415c56852da9/sspr-password-reset-failure?forum=ilm2 (no such lines on FIMService config files)
    Can anyone help us with this and provide some tips what to check next on the environment? As the most weird thing here is that everything was working just fine before the certificates were renewed on all servers and no other changes were done on the environment. 
    -Pappa75

    Hi,
    Have you Stop-Start the FIM Service? If not then try this after performing this step. Also, there may be a possibility that the service won't be able to start if there is issue with the certificate.
    The SSPR issue is related to certificate only, which might have some mismatch in the thumbprint value or some other problem.
    If there is a problem with thumbprint of certificate, then you might see error in the Event Viewer and which can be resolved by making the certificate's thumbprint same within registry.
    Regards,
    Manuj Khurana

  • Why do I keep getting "Error getting push certificate" when trying to enable Profile Manager

    I keep getting this stupid error message!  The Stupid Workgroup manager doesn't work! Won't allow me to do anything!  What is the point in that! Sorry, just having a rant as I have just purchased this server which I can't do anything with.  Can't get Profile Manager working because I keep getting error getting push certificate and cannot associate any user with a group.  I can delete groups and users from AD but just wont allow me to create anything.  The padlock is open so am authenticated.  WHAT IS GOING ON WITH APPLE!

    And do you know what is really sad, 3 hours later and I am still waiting for a confirmation email from Apple.  No wonder the UK use mostly Windows!

  • Renew Machine Certificate for multiple Servers

    Hi,
    We have Windows 2003 Enterprise CA which issues certificates to servers which are used for various purpose like Wifi Authentication, Secure RDP. We have checked that the certificates are going to expire within few weeks. We want to renew certificates before expiry but the number of servers is high so we cannot do it manually by logging into each server.
    We don't have ACRS enabled for computer certificates and even if we configure it now that will not help.
    Is there a way to renew the certificates for all the servers remotely.

    On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
    We already have auto-enrolment enabled through GPO. The settings are as follows
    Automatic certificate management........ Enabled Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates .........Enabled
    Update and manage certificates that use certificate templates from Active Directory ..........Enabled
    I think that you're confusing Automatic Certificate Request Services and
    autoenrollment. In your first post in this thread you mention ACRS, however
    the above settings are for autoenrollment. ACRS is only for certificates
    that are based upon V1 certificate templates and then only for machine
    certificates. Autoenrollment on the other hand does not work for anything
    less than V2 certificates and supports both machine and user certificates.
    If you're using V1 certificate templates then you can set autoenrollment
    settings in a GPO and it will not have any impact at all.
    Paul Adare - FIM CM MVP
    Remember the signs in restaurants "We reserve the right to refuse
    service to anyone"? The spammers twist it around to say "we reserve
    the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae

  • How to revoke mac os x  server push certificates?????

    I am trying to clean up my purchased copy of Lion Server.  After I drag the os X server application to the trash and go to the apple store where I purchased Lion server for my mac it says that Server is already installed on my computer and the transaction cannot be completed.  So then I decided to try and delete the push certificates I created and when I try to revoke them it takes me to a screen that says "False" and I can't seem to revoke these certificates.
    How can you get them revoked.  I am just learning by trial and error.  Any suggestions would be appreciated.  Thanks
    BG

    That page talks about Snow Leopard's Networking abilities, not Leopards.
    Off hand, I don't know whether what you describe is a new feature in Snow Leopard or not, but I've never seen Leopard do it (and, to be honest, wouldn't want to).
    In either case, it's basically just Bonjour telling the router to configure port forwarding. Given that, I'd start by enabling mod_bonjour in Apache:
    #LoadModule bonjour_module libexec/apache2/mod_bonjour.so
    but I don't know how other processes are doing it.

  • P12 push certificates problem

    Hello,
    we're currently facing a problem while trying to download a new viewer ipa/zip: while we've already installed the p12 push certificates through "notifications" panel with no errors -therefore assuming they are valid-, when back to the DPS App Builder the download links are still asking for the p12 certificates :-/ Is there any reported bug/workaround on this?
    Thank you for your assistance.

    App Builder is asking you for the certificates to sign the app, not the certificates for push notifications. They're separate certificates.
    Neil

  • Wrong Pin error while renewing SAprouter certificate

    Hi,
    I tried renewing Saprouter certificate from marketplace.
    While installing the certificate using the command below, we get the following error.
    E:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert.txt -p local.pse
    import_own_cert: Couldn't open PSE "E:\usr\sap\saprouter\local.pse"
    ERROR in af_open: (1824/0x0720) Wrong PIN for PSE
    ERROR in secsw_open: (1824/0x0720) Wrong PIN for PSE
    ERROR in sec_parse_PSEInfo_cont: (1824/0x0720) Wrong PIN for PSE
    Please suggest a solution for this issue. Is there any command to install the certificate by providing the PIN which we have given while generating local.PSE file.
    Thank you.

    Hi Mamta,
    Did you get the solution for this issue?
    If yes, kindly share the solution; I am getting the same issue.
    Waiting for your reply.
    Thanks
    Santosh

  • Error while uploading Push Certificates into DPS Panel

    Hello,
    I've been trying to upload Push Certificates (they're p.12 exported via keytool) but when submitting them into dps notification panel I get the error of invalid push (dev & dist) certificate. Why can this be?

    It means your certificates are invalid. Are you sure they have a valid start and end expiration date? If you can't figure it out call enterprise support for assistance. You can find contact information by logging into http://digitalpublishing.acrobat.com/ and looking at the bottom middle of the screen for the support contact link.
    Neil

  • Automatic renewal of certificates through CEP / CES.

    We currently have a PKI on Windows 2008 R2 and in this case as customers use notebooks with Windows 7 SP1.
    I have problem with the automatic renewal of computer certificate through CEP / CES.
    Services CEP / CES are installed on the same server, the CA is in another server.
    You want to automatically renew computer certificate through Internet.
    These services are configured to only computer certificate renewal and renovation to allow authentication using a certificate previously issued to PC.
    The first computer certificate is issued automatically through the settings in Group Policy in Active Directory, then the team has its certificate is configured PC Local Group Policy to configure the server URL CEP / CES.
    I have no problem when I do the renewal through the MMC, only occurs when the team wants it done automatically.
    Error events are:
    Event ID 68
    Certificate enrollment for Local system failed in authentication to policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
    (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))
    Event ID 67
    Certificate enrollment for Local system failed to load policy from policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
    (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))
    Event ID 6
    Automatic Certificate enrollment for Local system failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The documentation used to install CEP / CES is:
    http://www.microsoft.com/en-us/download/details.aspx?id=1746
    I thank anyone who can guide me with this problem.
    Greetings.

    Hi,
    I think "Auto Renewal of certificates through Internet (CEP / CES)" is a new feature in ADCS of Windows 2012. Not sure whether it can be realized in Server 2008.
    Anyway, here are two links which might be useful to you:
    Enabling CEP and CES for enrolling non-domain joined computers for certificates
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    So anybody got autoenrollment working for CES on non-domain-joined computer?
    http://www.networksteve.com/forum/topic.php/So_anybody_got_autoenrollment_working_for_CES_on_non-domain-join/?TopicId=28451&Posts=2
    Niko
