SSL/Code Signing Certs. Vanished!?!?

Ever since I upgraded to OS X 10.10 and OS X Server 4 I have been experiencing random problems. Two days ago my server alerted me saying there were no valid certificates, and it's falling back to a fallback SSL certificate. I have no idea what happened. I went to Keychain Access and I have all certificates listed. I am not too familiar with OS X Server; I've only had it since June 2014. I have tried to create certificates and Server tells me it fails. Also, since the upgrade I have felt my Open Directory has been acting up. I say this because network users are not showing up on any computers anymore. I can't turn on Profile Manager anymore. I have no code signing certificates either. Also, ever since the upgrade I haven't been able to access websites outside of my network. I also couldn't add them to the access. Some services are only available at .local, some are available at my ISP IP, and some are available at my FQDN... I don't understand what has happened since the upgrade, as I felt everything went fine. Oh, and also since the upgrade it doesn't look like my server has been backing up, which really ****** me off! Any help will be most helpful.

Unfortunately, I don't exactly have an answer, but for what it's worth: This happened to me as well after I removed an existing OD Master from my Server after I upgraded to Server v4 and OD was behaving badly. After I destroyed the OD, suddenly the certificate was just deleted from /etc/certificates as well as the System keychain – although it was configured to secure all other services as well!
I wasn't able to import the files from a Time Machine backup either, since I didn't export them to .pk12 before. You might have luck with reimporting your certificates from a Backup (path/to/tm-backup-HDD-root/etc/certificates/your-server-hostname.longstringgibberish.pem-or-key) using the command in this thread: http://superuser.com/a/846313 (original answer: http://stackoverflow.com/questions/8874164/export-public-key-from-keychain-access/11979625#11979625)
BUT: They only talk about importing certs you previously exported with Keychain, so I don't know if it'll work with the files from /etc/certificates.
So a piece of advice for the future: Before upgrading/updating your Server, export your SSL certificates to .pk12 so you can re-import them to the System keychain. I ended up restoring the Server from a backup from 2 hours before the certs vanished – which produced a whole lot of other problems. Upgrading to Server v4 seems as buggy as previous upgrades …
/EDIT
I just re-read your post, and if the certs are still showing up in your System keychain (not the login!), this might do the trick already: OS X Server: Access Controls might prevent a certificate identity from working with Server services - Apple Support

Similar Messages

  • InCommon Code Signing Cert not working in Profile Manager

    We acquired a Code Signing Certificate from InCommon for signing profiles, and it doesn't want to work with Profile Manager.
    In the Certificates section we have our working SSL cert for the web server, and self-signed SSL and Code Signing certs.
    When I try to import the p7s file it lists four non-identity certificates and then says that it can't be used as a code signing certificate. 
    Has anyone ever managed to get an InCommon code signing cert to work with OSX Server?

    Hello,
    In RFC SAP-OSS, I maintained my S-user ID and its password.
    As already told, my router connectivity and SAPOSS RFC are working fine.
    regards
    Vinayag.K.C

  • Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

    Steps to fix this error when code signing an Adobe AIR app using a .p12 cert from DigiCert ("Unable to build a valid certificate chain for the signer"):
    a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
    b. In the middle of the page, download:
       DigiCert Assured ID Code Signing CA-1
       Valid until: 10/Feb/2026
       Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
       Thumbprint: B170A10819BEA936905D719E643399783E1F4567
    c. Install the cert in Firefox
    d. Once done, export the code signing cert from DigiCert again (Firefox -> Preferences -> View Certificates -> highlight the DigiCert code signing cert -> click Backup)
    e. Done; the newly exported file should now have the valid certificate chain, which should fix the error "Unable to build a valid certificate chain for the signer"
    Even though this is from DigiCert, this should also work for other Certificate Authority providers, assuming you download your provider's root cert for code signing.
    Regards,
    Reigner S. Yrastorza

    Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
    If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
    If you are using RoboHelp, which version?
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge
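The advice in the first answer on this page (export your certificates to a PKCS#12 file before upgrading, and rebuild them from the .pem and .key files under /etc/certificates) and the DigiCert steps above (an exported .p12 that lacks the issuing intermediate produces "Unable to build a valid certificate chain for the signer") come down to the same operation: bundling a certificate, its private key and its chain into one .p12. The shell script below is an added example, not code from either thread, from Apple or from DigiCert. It assumes `openssl` is on the PATH; file names and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Bundles a certificate, its private key
# and the issuing chain into one PKCS#12 file, and checks the result.
# Assumptions: openssl on PATH; file names and passphrase are placeholders.
set -eu

# Build a .p12 from PEM parts.
#   $1 = leaf certificate (e.g. /etc/certificates/<host>.<id>.cert.pem)
#   $2 = private key       (e.g. /etc/certificates/<host>.<id>.key.pem)
#   $3 = file holding the intermediate/root chain (may be missing or empty)
#   $4 = output .p12, $5 = export passphrase
# With -certfile the intermediates travel inside the bundle, which is exactly
# what a "cannot build a valid certificate chain" error is missing.
bundle_p12() {
    leaf=$1; key=$2; chain=$3; out=$4; pass=$5
    if [ -s "$chain" ]; then
        openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -in "$leaf" -inkey "$key" \
            -out "$out" -passout "pass:$pass"
    fi
}

# SHA-256 fingerprint of the leaf certificate inside a .p12
# (-clcerts selects the certificate that belongs to the private key).
p12_leaf_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Number of certificates stored in a .p12 (leaf plus chain). A value of 1
# for a CA-issued certificate means the chain was not bundled.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# SHA-256 fingerprint of a PEM certificate, for comparison with the bundle.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```

On OS X Server the pre-upgrade export of every identity in the System keychain is `security export -k /Library/Keychains/System.keychain -t identities -f pkcs12 -P <passphrase> -o identities.p12`, and a rebuilt bundle goes back with `security import bundle.p12 -k /Library/Keychains/System.keychain -P <passphrase>`; both are the macOS `security` tool and are left out of the script so that it runs anywhere. OpenSSL 3 writes AES-encrypted bundles by default; if an older importer rejects the file, add `-legacy` to the `pkcs12 -export` call.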

  • Can't access IBM mainframe 3270 session via SSL self-signed cert.

    Can't access IBM mainframe 3270 session via SSL self-signed cert since sometime last week. Using Mochasoft tn3270 lite on android works fine but iPad ios7 says "IBM mainframe has closed the session".  Any clues would be appreciated.

    I'm thinking the problem may be the IBM cert is 1024 bit. Investigating choices to implement 2048 bit cert into IBM.

  • About Profile manager renew code signing cert

    I am using the profile manager service in Mac OS X 10.7 Server.
    My code signing cert just expired, and the serial no. is 1. So I followed the Apple guide to renew the cert in Terminal:
    ipad:~ test$ sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "ipad.example.com" "IntermediateCA_IPAD.EXAMPLE.COM_1" 1
    /usr/sbin/certadmin Cannot find the certificate: ipad.example.com
    I can renew the other one successfully, but only this one cannot be renewed; I don't know why (maybe related to the serial? too short?).
    Anyone know how to solve it?
    Thank you very much
    BTW, is there any method to generate the cert for 10 years, or renew the cert without re-enrolling the device? Because I don't want to renew the cert every year and ask users to enroll again.

  • JWS gives 'failed to parse certificate' error for VALID code sign cert

    Hi,
    For my application, after downloading jar files from the web server, JWS (1.2.0_02) gives a Security Warning asking the user to trust the Signer.
    However, after clicking Start, it gives another Security Warning which says this:
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
    STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
    Sign app jar files with a VALID code signing certificate from Thawte or VeriSign (don't use DST or RSA or any other CA, as JWS supports only VeriSign/Thawte root CA entries by default).
    Download the app using JNLP, and you will see this warning.
    EXPECTED -
    It should not give the second security warning. First one is fine as user has to trust the signer.
    There are no logs anywhere to find out what error it encountered parsing the certificate.
    The certificate as such is valid, it was verified with keytool, openSSL and various other tools.
    ACTUAL -
    After downloading an application from web server, JWS gives a Security Warning asking user to trust the Signer.
    However, after clicking Start, it gives another Security Warning which says this:
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
    ERROR MESSAGES/STACK TRACES THAT OCCUR :
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.

    Hello,
    I had the same problem. Here are some additional things to check:
    - every jar in your app MUST be signed by ONE and ONLY ONE certificate.
    - every jar which is presigned should be checked on its own. I had a bad bcprov.jar which nearly drove me nuts. Maybe there are more such 'presigned' jars around.
    One recipe aside:
    Try halving the jars in your jnlp file further and further, until it runs again; then you'll probably find the jar which causes this. I would bet on a specific jar.
    There's another Bug already known which makes JWS fail on checking the certs on jars with classes which have national characters (even Inner ones!). So you might be checking that, too.
    Hope that helps...
    Patric

  • Mac C++ tool verifying code signing cert / signature

    I have a command line tool I have code signed using the "codesign" tool.  Using its -vv option it verifies that my code is indeed signed.  Now here is my problem: it doesn't tell me who signed it, i.e. the name on the cert and stuff like that.  To complicate matters even further, I wish to be able to do this from a C++ application.  I want to look at a binary file, see that it is signed, and signed by us.  As a security measure I would like to only allow our application to update if the new files are signed by us.  I am having trouble locating any API which deals with this.  In the Windows world there is an obscure API that allows me to do this.  I do not even know if such an API exists in the Apple world, since code signing is brand new, introduced in 10.5.
    In addition to some API help, if there is a way to simply get information about who signed an executable (On windows you just right-click and pick properties) and you can get all sorts of information about the digital signature);  Is there something like this on a Mac?
    Thanks for any help I can get.

    Why would I do that?  I simply want to know, is the binary file I downloaded signed with MY cert?  I can determine this within reasonable doubt by answering two simple questions:
    1.  Is the cert that this file signed with valid (chain of trust and all that).
    2.  What is the name of the cert (the identity).
    If the Identity is the right one (in our case, the name of our company) and it is valid, then I will trust that this binary is ours.
    Maybe this will clarify my question. I guess I could rephrase this question as:
    "How do I write a simple tool that will verify a file has a valid signature and will give me the signer's identity"?
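For the question above, as an added example that is not from the thread: on macOS the `codesign` tool already answers both checks (chain of trust, and which identity signed) from the shell, using the same requirement language that the Security framework exposes to C/C++ through `SecRequirementCreateWithString` and `SecStaticCodeCheckValidity`. The script assumes `codesign` is on the PATH (so it only runs on a Mac); "Example Corp" and the sample `codesign -dvvv` output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check on macOS that a file carries a
# valid code signature from one specific organisation, and report the signer.
# Assumptions: codesign(1) on PATH (macOS only); "Example Corp" and the
# SAMPLE_CODESIGN_OUTPUT below are constructed placeholders.
set -eu

# Pass/fail check in codesign's requirement language: the chain must end in a
# trusted anchor AND the leaf certificate's Organization (O=) must match.
# Exit status 0 only when the seal over the file and the requirement both hold.
verify_signed_by() {
    org=$1; file=$2
    codesign --verify --verbose=2 \
        -R="anchor trusted and certificate leaf[subject.O] = \"$org\"" "$file"
}

# codesign -dvvv prints the certificate chain as "Authority=" lines, leaf
# first (on stderr). This keeps only the leaf subject, i.e. who signed.
leaf_authority_from_text() {
    sed -n 's/^Authority=//p' | head -n 1
}

leaf_authority() {
    codesign -dvvv "$1" 2>&1 | leaf_authority_from_text
}

# Constructed sample of codesign -dvvv output, so the parser can be exercised
# without a signed binary at hand.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=300 flags=0x0(none) hashes=4+5 location=embedded
Signature size=8947
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Usage: ./checksig.sh "Example Corp" /path/to/binary
if [ $# -eq 2 ]; then
    if verify_signed_by "$1" "$2"; then
        echo "valid signature by: $(leaf_authority "$2")"
    else
        echo "signature check failed for $2" >&2
        exit 1
    fi
fi
```

The requirement string is the important part: "anchor trusted" is the chain-of-trust question, and "certificate leaf[subject.O]" pins the identity, so a valid signature from some other organisation is rejected rather than merely reported. A C++ updater gets the same result by passing the same string to `SecRequirementCreateWithString` and the resulting requirement to `SecStaticCodeCheckValidity`, then reading the leaf from `kSecCodeInfoCertificates` in the dictionary returned by `SecCodeCopySigningInformation`.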

  • Code Signing Cert for AIR and MSI

    If a Code Signing Certificate for AIR is purchased, can that same certificate be used when distributing the package using MSI?
    Or does it not matter as long as the AIR app is signed?

    No, this was a different problem that created similar symptoms.
    I just found out that, since Director 11.5, we can put the Xtras folder inside a projector. I was relying on outdated documentation, both online and in my mind, which said the xtras had to be next to the projector.
    Weirdly, putting the Xtras folder inside the Contents folder (inside the bare stub projector) solved the problem I was having: my sound was not functioning after I code signed the xtra that enables sound. Now it works fine.
    I also created an error when my projector's INI file set Movie01 to a Director movie in the same folder as the projector. Now I have it instead point to a movie in the Resources folder of the projector. So maybe I will just throw all my movies and supporting files in the Resources folder.
    I too am thinking of documenting the process, once I know customers are buying my app and using it successfully. Maybe I'll use screen recording to create a set of YouTube tutorials. That can spare others from this confusion and aggravation, and encourage people to buy the latest version of Director and update their old products. The more money that Adobe earns from Director, the more they will be encouraged to invest in developing Director further.
    If Apple will accept apps without receipt validation, that will certainly simplify things. I saw an Apple web page that stated it was mandatory, but that page has been changed. Maybe validation is optional but no longer required.
    For details, check this:
    https://developer.apple.com/library/mac/releasenotes/General/ValidateAppStoreReceipt/Introduction.html
    but luckily there is source code out there that can be used to handle those technical details.
    I'm wondering how you applied your set of icons to your bare stub projector. Did you simply replace the projector.icns file? I created an error when I tried that.

  • How to generate csr for third party code signing cert?

    I've been reading about code signing, but can't see how to generate a csr to use with a third party CA. Does someone have a tutorial, link, suggestion?

    Hi,
    Here is a document which discusses how to implement code signing using a third-party certificate, for your reference:
    http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc
    For further suggestions, it is recommended that you get further support in the MSDN Forum so that you can get the most qualified pool of respondents.
    http://social.msdn.microsoft.com/forums/en-US/categories/
    Thanks
    Tiger Li 
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Adobe Pro 11.0.10 patch has expired code signing cert

    I cannot patch my Adobe 11.0.0 installation to 11.0.10 using the automated process.
    I manually downloaded 11.0.10 from this location: http://ardownload.adobe.com/pub/adobe/acrobat/win/11.x/11.0.10/misc/AcrobatUpd11010.msp
    The MD5 of this MSP per my own check is 4cb5979f49bc5112731da0cce036ac66, while the SHA1 is 8b4130df183f69ab77f9f6748f2e535be5d3336e.
    This download is signed with a code signing certificate issued by Symantec Class 3 Extended Validation Code Signing CA.  The signature has a thumbprint of 111aa9b0c6da43594bb2ad3052567c12ef8d9607.  This certificate expires later this year.
    During the install I receive an error because it extracts a file to c:\config.msi which is code signed with a code signing certificate issued by Verisign Class 3 Code Signing 2010 CA.  The certificate has a thumbprint of 70d566df844f3e2d9ac31e518256e7b6f2de9272.  The certificate expired 9/20/2013.  Today is 5/4/2015.  The install fails on this file.
    The certificate thumbprint for the Verisign Class 3 Code Signing 2010 CA intermediate authority is 495847a93187cfb8c71f840cb7b41497ad95c64f.   This itself is signed by VeriSign Class 3 Public Primary Certification Authority - G5 having a thumbprint of 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5.
    The failing file with the invalid code signing certificate has an MD5 checksum of bddf785233f9d2b3ae43d72822fb74bc and SHA1 of 78e7e15c8baea3c6befc7336d153254777912bd4.  This appears to be amtlib.dll which is part of Adobe AMT Licensing.   These hashes are available on services such as Virus Total and Herd Protect.
    Would it be possible for Adobe to release a 11.0.11 patch that has this issue fixed?  
    Thank you,
    Edwin Davidson.

    Back up all data.
    Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and this support article for instructions. If Font Book finds any issues, resolve them.
    From the application's menu bar, select
    File ▹ Restore Standard Fonts...
    You'll be prompted to confirm, and then to enter your administrator login password.
    Start up in safe mode to rebuild the font caches. Restart as usual and test.
    Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a Fusion Drive or a software RAID, you can’t start in safe mode. In that case, ask for instructions.
    Also note that if you deactivate or remove any built-in fonts, for instance by using a third-party font manager, the system may become unstable.

  • CSCuf51767 - AC v3.1.02043 WebLaunch Code Signing Cert Expired 2/7/13

    Any idea when the fixed code will be available?
    The latest code, Release 3.1.03103, was posted on April 1st.

    Hi Joseph,
    This issue was tracked by bug CSCue49663, and the new certificate is part of the HostScan Engine version 3.0.11046 and Anyconnect 3.1.02043.
    More information on this issue is available here: 
    http://www.cisco.com/en/US/products/ps10884/products_tech_note09186a0080bfd91d.shtml

  • A PKI Code Signing Certificate question.

    Hello,
    Can someone please help me with the following question.
    I have created and used a code signing certificate from our Microsoft Enterprise CA before, which works OK, but I am not sure I did it correctly, and have a few related questions please.
    What I did:
    1: Logged on to the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
    2: Imported the above certificate into the CurrentUser/My store on a PC and used it to sign code.
    3: Took the same certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store on the PC that will be running the signed code. This step was done so the user does not receive a message asking if they want to run the code signed by "AAnotherUser", as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the way I sorted this at the time was to take the whole certificate as above and import it into this store.
    The first mistake I made (as far as I can see, as I am new to this area): I think I should not have imported the certificate 'along with its private key' into the Trusted Publishers store? In other words, should I have imported the certificate 'minus its private key' into the Trusted Publishers store?
    Also, I understand you have to have the certificate along with its private key to sign code. I am 'assuming' a hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a web server cert, for example). Is that correct, i.e. is that what it means to sign code?
    If the above is correct then I assume you only need the 'public' key of the code signing cert in the 'Trusted Publishers' store to verify the code was signed by a trusted CA and it has not been altered, e.g. the hash still computes to the same value. Is this correct?
    My next question is regarding the private key. As I need to 'login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD user account?
    If the above is possible (which would make good sense to me, I think) then I do not have to worry about looking after the safety of the private key, as the system 'AD' can do this for me. It would also mean that whichever computer I log on to in the domain I would have access to the private key (but no other user) and therefore be able to sign code, I assume. Does this last paragraph make sense? Can this be done / is this done?
    Basically I need to understand the above in order to understand more about crypto.
    I also need to create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating an AD account called 'XYZCorpCodeSigning' or whatever, and issuing a code signing cert to this entity. If the private key could be stored in AD and then accessed once signed in as this account (these 10 people would need to know the password for the account), this would make life easier/more secure, I think.
    I know there are several questions above, but it would be great if they could be answered, as it would help me understand more about how it all works and solve a problem too.
    Thanks very much
    AAnotherUser__

    > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
    Yes, it is not correct. Only the public part should be imported into a Trusted Publishers container.
    > is that correct i.e. is that what it mean to sign code
    Exactly. Encryption with the private key and decryption with the public key is called a "digital signature".
    > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value. Is this correct?
    Yes. The client uses only the public part of the certificate to validate the signature.
    > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
    Normally code signing certificates are not stored in Active Directory and should not be there, because the signing certificate is included in the signature field.
    > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
    This is a wrong assumption. A user is responsible for protecting the signing private key from unauthorized use.
    > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
    It wouldn't, because if something happens, you will never know who compromised the key.
    As a general practice, we recommend purchasing at least a few smart cards to store signing keys. Depending on the particular code development practice, there might be a dedicated employee (for example, the manager of the devs) who alone has access to a smart card (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with a unique signing certificate to each developer. However, this will add complexity in signing certificate trust management.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.
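As an added example that is not part of the thread, here is the sign/verify exchange the reply above describes, done with OpenSSL: a SHA-256 digest of the file is signed with the private key, anyone holding the certificate verifies it with the public key alone, and a single appended line makes verification fail. The last function exports the certificate without its key, which is the only part that belongs in a Trusted Publishers store. It assumes `openssl` on the PATH; the sample script content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). What "signing code" means in practice:
# hash -> sign with private key -> verify with the public certificate only.
# Assumptions: openssl on PATH; SAMPLE_SCRIPT is constructed.
set -eu

# Sign: SHA-256 digest of the file, signed with the private key, written as
# a detached signature. Only the signer ever touches the private key.
sign_file() {  # $1 = private key (PEM), $2 = file to sign, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify: the public key is pulled out of the certificate; no private key is
# needed, which is why a trust store only needs the certificate.
# Exit status 0 = signature valid for exactly this content, 1 = not valid.
verify_file() {  # $1 = certificate (PEM), $2 = file, $3 = signature
    pub=$(mktemp)
    openssl x509 -in "$1" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1; then
        rm -f "$pub"; return 0
    fi
    rm -f "$pub"; return 1
}

# Public-only export: writes just the CERTIFICATE block, even when the input
# PEM also carries the private key, and refuses to succeed if a PRIVATE KEY
# block somehow ends up in the output. This is the file to import into a
# Trusted Publishers store, never the .pfx/.p12 with the key.
export_public_only() {  # $1 = PEM containing cert (and maybe key), $2 = output
    openssl x509 -in "$1" -out "$2"
    ! grep -q 'PRIVATE KEY' "$2"
}

# Constructed sample payload standing in for "the code".
SAMPLE_SCRIPT='#!/bin/sh
echo "deploy build 42"'
```

Because the digest covers every byte, the verify step is also the tamper check: re-signing after a change requires the private key, so whoever can alter the file without access to that key cannot produce a signature that verifies.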

  • Configuration Profile Code-Signing Certificates

    Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
    I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
    How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert is more useful than a code-signing cert.
    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)
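Both the CSR question earlier in this list (how to generate a CSR to use with a third-party CA for a code signing cert) and the question above (using OpenSSL to create a code-signing certificate chained to your own CA, the way Lion Server derives its code-signing identity from its intermediate) are covered by the added shell script below. It is not from either thread or from Apple; it assumes `openssl` 1.1.1 or later on the PATH and uses placeholder subjects. The CSR from `make_codesign_csr` is what you would send to a commercial CA; `sign_codesign_csr` is the private-CA alternative which, as the reply above says, is trusted only by clients that have your CA certificate installed.

```shell
#!/bin/sh
# Added example (not from the thread). Key + CSR for a code-signing
# certificate, then either a third-party CA or a private CA signs it. The
# "codeSigning" extended key usage is what makes this different from the SSL
# server certificate used by the other services.
# Assumptions: openssl 1.1.1+ on PATH; subject strings are placeholders.
set -eu

# Key and CSR, with the Code Signing EKU requested inside the CSR.
# $1 = output key, $2 = output CSR,
# $3 = subject, e.g. "/O=Example Corp/CN=Example Corp Code Signing"
make_codesign_csr() {
    key=$1; csr=$2; subj=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -subj "$subj" \
        -addext "keyUsage=critical,digitalSignature" \
        -addext "extendedKeyUsage=codeSigning" 2>/dev/null
}

# Sign the CSR with a private CA, setting the extensions explicitly (x509 -req
# does not copy them from the CSR on older OpenSSL). This is the step a
# commercial CA performs for you.
# $1 = CSR, $2 = CA cert, $3 = CA key, $4 = output cert, $5 = validity in days
sign_codesign_csr() {
    csr=$1; ca=$2; cakey=$3; out=$4; days=$5
    ext=$(mktemp)
    printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\nbasicConstraints=CA:FALSE\n' > "$ext"
    openssl x509 -req -in "$csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
        -days "$days" -sha256 -extfile "$ext" -out "$out" 2>/dev/null
    rm -f "$ext"
}

# Extended key usages a certificate carries (the line after the EKU header).
# A cert meant for profile signing should print "Code Signing" here.
cert_ekus() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# Exit status 0 when the certificate ($1) chains to the CA certificate ($2).
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

For a commercial CA, stop after `make_codesign_csr` and submit the CSR; keep the key file, because the certificate the CA returns is useless without it. For the private-CA path, `cert_ekus` and `chains_to` are the two checks worth running before importing the result: the wrong EKU is why an SSL certificate is refused as a code-signing identity, and a chain that does not close means clients will show the profile as unverified.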

  • ADT error with comodo code signing certificate

    Hello,
    I'm trying to sign an AIR app with a Comodo code signing cert.
    - SHA-256 with RSA Encryption
    - Java 1.8 (same problem with 1.6)
    - AIR 15 (same problem with older versions)
    My command :
    java -jar -Xmx1024m /data/sdk/AIRSDK_Compiler15/lib/adt.jar  -sign -storetype pkcs12 -storepass ******* -keystore cert/air-distrib.p12 bin-release/TestCert.airi bin-release/TestCert.air
    I get the following error :
    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
        at java.util.Arrays.copyOf(Arrays.java:3181)
        at java.util.ArrayList.grow(ArrayList.java:261)
        at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
        at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
        at java.util.ArrayList.add(ArrayList.java:458)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2026)
        at java.security.KeyStore.load(KeyStore.java:1433)
        at com.adobe.ucf.UCF.processSigningOptions(UCF.java:313)
        at com.adobe.ucf.UCF.parseSigningOptions(UCF.java:298)
        at com.adobe.air.ADT.parseSign(ADT.java:1589)
        at com.adobe.air.ADT.parseArgsAndGo(ADT.java:598)
        at com.adobe.air.ADT.run(ADT.java:435)
        at com.adobe.air.ADT.main(ADT.java:485)
    When I increase Java memory to 8 GB, Java uses 6 GB and doesn't stop... (nothing after 20 minutes...)
    Any idea ?
    ADT or cert problem ? Other ?
    Thx.
    Jonas

    Yeah !
    The certificate was generated in firefox...
    Importing it into IE and regenerating the certificate fixed the problem.
    Jonas

  • Renew my code sign certificate?

    I run a Mavericks server that serves profile manager, file, and time machine services. My code sign cert expires in a couple weeks. When you go into Server.app > Certificates and double click on it, there isn't a "Renew" button like there is for other certs I've renewed.
    How would I renew this? And what impact would it have on my running services (ie. would I have to re-enroll everyone in profile manager)? Thank you.

    Does OS X Server: Renewing Profile Manager's code signing certificate - Apple Support help?
