Languages

OS X Server: Renewing Profile Manager's code signing certificate

When using the default self-signed certificate and code signing certificate in OS X Server, the code signing certificate occasionally needs to be renewed before expiration.

 

Before you begin

The quotation marks used in terminal commands article are "straight" quotes. Some web browsers, email applications and text editors may automatically convert these marks to smart (curly) quotes. It's important to use straight quotes when entering the commands from this article in Terminal.app. In geographic regions where diacritical marks are used in the name of the certificate, smart quotes can cause certadmin to report that the certificate can't be found.

OS X Mavericks

With OS X Mavericks, you receive an alert in Server.app 30 days before the certificate expires. Afterwards, an alert is shown in Server.app once a day until the certificate is renewed. The alert includes a Renew button that allows you to renew the certificate. 

OS X Lion and OS X Mountain Lion

For OS X Lion and OS X Mountain Lion, follow the procedure below to renew the certificate.

To prepare for renewing the certificate, you'll need to gather some information first. You will need:

  1. The full Common Name of the code signing certificate.
  2. The full Common Name of the issuer.
  3. The certificate serial number in hexadecimal.

To get the full Common Name of the code signing certificate:

  1. Open /Applications/Utilities/Keychain Access.app.
  2. On the left under Keychains, select the System keychain.
  3. Find your code signing certificate. It should be named in the format of "myserver.mydomain.com Code Signing Certificate" where "myserver.mydomain.com" will be the Fully Qualified Domain Name (FQDN) of your server You should see two entries, where one is the private key and one is the actual certificate Double click the certificate.
  4. Under Details, locate the section named "Subject Name" In the "Subject Name" section, locate the Common Name field which should be identical to the name of the certificate in the list from step 3 Make note of the full name, including capitalization, spaces, and punctuation.

To get the full Common Name of the issuer:

  1. Looking at the same certificate details, locate the section titled "Issuer Name" Locate the Common Name field directly below that The Issuer Common Name should be in the following format:  "IntermediateCA_MYSERVER.MYDOMAIN.COM_1"
    ...where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server Make note of the full name, including capitalization, spaces, and punctuation.

To get the certificate serial number in hexadecimal:

  1. Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field Make note of the serial number, which is in decimal format.
  2. Open /Applications/Calculator.app
  3. In Calculator, choose View > Programmer to change to programmer mode.
  4. Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16" Click the "10" button to make sure the Calculator is in decimal mode.
  5. Enter the serial number you found in step 1, for example, "6745963548".
  6. Click the "16" button to convert to hexadecimal The resulting number will be in the format of "0x192173C1C" Disregard the leading "0x" and make note of the rest of the number.

To renew the code signing certificate in OS X Lion:

  1. Open /Applications/Utilities/Terminal.app.
  2. Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
    sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c

To renew the code signing certificate in OS X Mountain Lion:

  1. Open /Applications/Utilities/Terminal.app.
  2. Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c

To make sure Profile Manager is using the new certificate:

  1. Open /Applications/Server.app.
  2. Under Services, click Profile Manager.
  3. Switch Profile Manager off.
  4. Next to "Sign configuration profiles" click the Edit button.
  5. From the Certificate list, select the certificate named "myserver.mydomain.com Code Signing Certificate - myserver.mydomain.com OD Intermediate CA" which should be the only listed certificate.
  6. Click OK.
  7. Turn on Profile Manager.

iOS information

iOS does not accept updates through Profile Manager after renewing the code signing certificate. For each iOS device using Profile Manager, remove the Trust Profile and Enrollment Profile in Settings > General > Profiles. Then, navigate to the Profile Manager User Portal at https://myserver.mydomain.com/mydevices to install the current Trust Profile and re-enroll the device.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Last Modified: Jul 1, 2014
Helpful?
Yes
No
  • Last Modified: Jul 1, 2014
  • Article: HT5358
  • Views:

    null

Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked