OS X Server: Renewing Profile Manager's code signing certificate

When using the default self-signed certificate and code signing certificate in OS X Server, the code signing certificate will occasionally need to be renewed before expiration.

With OS X Mountain Lion, you receive an alert in 30 days before the certificate expires. Afterwards, an alert is shown in once a day until the certificate is renewed. The alert includes a Renew button that allows you to renew the certificate. 

For Lion Server, follow the procedure below to renew the certificate.

To prepare for renewing the certificate, you'll need to gather some information first. You will need:

  1. The full Common Name of the code signing certificate.
  2. The full Common Name of the Issuer.
  3. The certificate serial number in hexadecimal.

To get the full Common Name of the code signing certificate:

  1. Open /Applications/Utilities/Keychain
  2. On the left under Keychains, select the System keychain.
  3. Find your code signing certificate.  It should be named in the format of " Code Signing Certificate" where "" will be the Fully Qualified Domain Name (FQDN) of your server.  You should see two entries, where one is the private key and one is the actual certificate.  Double click the certificate.
  4. Under Details, locate the section named "Subject Name".  In the "Subject Name" section, locate the Common Name field which should be identical to the name of the certificate in the list from step 3.  Make note of the full name, including capitalization, spaces, and punctuation.

To get the full Common Name of the issuer:

  1. Looking at the same certificate details, locate the section titled "Issuer Name".  Locate the Common Name field directly below that.  The Issuer Common Name should be in the following format:  "IntermediateCA_MYSERVER.MYDOMAIN.COM_1"
    ...where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server.  Make note of the full name, including capitalization, spaces, and punctuation.

To get the certificate serial number in hexadecimal:

  1. Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field.  Make note of the serial number, which is in decimal format.
  2. Open /Applications/
  3. In Calculator, choose View > Programmer to change to programmer mode.
  4. Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16".  Click the "10" button to make sure the Calculator is in decimal mode.
  5. Enter the serial number you found in step 1, for example, "6745963548".
  6. Click the "16" button to convert to hexadecimal.  The resulting number will be in the format of "0x192173C1C".  Disregard the leading "0x" and make note of the rest of the number.

To renew the code signing certificate:

  1. Open /Applications/Utilities/
  2. Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
    sudo /usr/sbin/certadmin --recreate-CA-signed-certificate " Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c

To ensure Profile Manager is using the new certificate:

  1. Open /Applications/
  2. Under Services, click Profile Manager.
  3. Switch Profile Manager off.
  4. Next to "Sign configuration profiles" click the Edit button.
  5. From the Certificate list, select the certificate named " Code Signing Certificate - OD Intermediate CA" which should be the only listed certificate.
  6. Click OK.
  7. Turn on Profile Manager.

Additional Information

Currently, iOS will not accept updates through Profile Manager after renewing the code signing certificate. For each iOS device using Profile Manager, they will need to remove the Trust Profile and Enrollment Profile in Settings > General > Profiles, and then navigate to the Profile Manager User Portal at to install the current Trust Profile and re-enroll the device.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Last Modified: Mar 25, 2013
Not helpful Somewhat helpful Helpful Very helpful Solved my problem
Print this page
  • Last Modified: Mar 25, 2013
  • Article: HT5358
  • Views:

  • Rating:
    • 60.0

    (463 Responses)

Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked