OS X Server: Renewing Profile Manager's code signing certificate
When OS X Server is using its default self-signed certificate and the code signing certificate issued alongside it, the code signing certificate has a limited validity period and will need to be renewed before it expires.
With OS X Mountain Lion, you receive an alert in Server.app 30 days before the certificate expires. Afterwards, an alert is shown in Server.app once a day until the certificate is renewed. The alert includes a Renew button that allows you to renew the certificate.
For Lion Server, follow the procedure below to renew the certificate.
To prepare for renewing the certificate, you'll need to gather some information first. You will need:
- The full Common Name of the code signing certificate.
- The full Common Name of the Issuer.
- The certificate serial number in hexadecimal.
To get the full Common Name of the code signing certificate:
- Open /Applications/Utilities/Keychain Access.app.
- On the left under Keychains, select the System keychain.
- Find your code signing certificate. It should be named in the format of "myserver.mydomain.com Code Signing Certificate" where "myserver.mydomain.com" will be the Fully Qualified Domain Name (FQDN) of your server. You should see two entries, where one is the private key and one is the actual certificate. Double click the certificate.
- Under Details, locate the section named "Subject Name". In the "Subject Name" section, locate the Common Name field, which should be identical to the certificate's name as shown in the Keychain Access list. Make note of the full name, including capitalization, spaces, and punctuation.
To get the full Common Name of the issuer:
- Looking at the same certificate details, locate the section titled "Issuer Name". Locate the Common Name field directly below that. The Issuer Common Name should be in the following format: "IntermediateCA_MYSERVER.MYDOMAIN.COM_1", where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server. Make note of the full name, including capitalization, spaces, and punctuation.
To get the certificate serial number in hexadecimal:
- Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field. Make note of the serial number, which is in decimal format.
- Open /Applications/Calculator.app
- In Calculator, choose View > Programmer to change to programmer mode.
- Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16". Click the "10" button to make sure the Calculator is in decimal mode.
- Enter the serial number you found in step 1, for example, "6745963548".
- Click the "16" button to convert to hexadecimal. The resulting number will be in the format of "0x192173C1C". Disregard the leading "0x" and make note of the rest of the number.
To renew the code signing certificate:
- Open /Applications/Utilities/Terminal.app.
- Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c
To ensure Profile Manager is using the new certificate:
- Open /Applications/Server.app.
- Under Services, click Profile Manager.
- Switch Profile Manager off.
- Next to "Sign configuration profiles" click the Edit button.
- From the Certificate list, select the certificate named "myserver.mydomain.com Code Signing Certificate - myserver.mydomain.com OD Intermediate CA" which should be the only listed certificate.
- Click OK.
- Turn on Profile Manager.
Currently, iOS devices will not accept updates through Profile Manager after the code signing certificate has been renewed. On each iOS device enrolled with Profile Manager, remove the Trust Profile and Enrollment Profile in Settings > General > Profiles, then open the Profile Manager User Portal at https://myserver.mydomain.com/mydevices to install the current Trust Profile and re-enroll the device.