OS X Server: Renewing Profile Manager's code signing certificate
When using the default self-signed certificate and code signing certificate in OS X Server, the code signing certificate occasionally needs to be renewed before expiration.
Before you begin
The quotation marks used in terminal commands article are "straight" quotes. Some web browsers, email applications and text editors may automatically convert these marks to smart (curly) quotes. It's important to use straight quotes when entering the commands from this article in Terminal.app. In geographic regions where diacritical marks are used in the name of the certificate, smart quotes can cause certadmin to report that the certificate can't be found.
OS X Mavericks
With OS X Mavericks, you receive an alert in Server.app 30 days before the certificate expires. Afterwards, an alert is shown in Server.app once a day until the certificate is renewed. The alert includes a Renew button that allows you to renew the certificate.
OS X Lion and OS X Mountain Lion
For OS X Lion and OS X Mountain Lion, follow the procedure below to renew the certificate.
To prepare for renewing the certificate, you'll need to gather some information first. You will need:
The full Common Name of the code signing certificate.
The full Common Name of the issuer.
The certificate serial number in hexadecimal.
To get the full Common Name of the code signing certificate:
Open /Applications/Utilities/Keychain Access.app.
On the left under Keychains, select the System keychain.
Find your code signing certificate. It should be named in the format of "myserver.mydomain.com Code Signing Certificate" where "myserver.mydomain.com" will be the Fully Qualified Domain Name (FQDN) of your server. You should see two entries, where one is the private key and one is the actual certificate. Double click the certificate.
Under Details, locate the section named "Subject Name". In the "Subject Name" section, locate the Common Name field which should be identical to the name of the certificate in the list from step 3. Make note of the full name, including capitalization, spaces, and punctuation.
To get the full Common Name of the issuer:
Looking at the same certificate details, locate the section titled "Issuer Name". Locate the Common Name field directly below that. The Issuer Common Name should be in the following format: "IntermediateCA_MYSERVER.MYDOMAIN.COM_1"
...where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server. Make note of the full name, including capitalization, spaces, and punctuation.
To get the certificate serial number in hexadecimal:
Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field Make note of the serial number, which is in decimal format.
Open /Applications/Calculator.app
In Calculator, choose View > Programmer to change to programmer mode.
Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16" Click the "10" button to make sure the Calculator is in decimal mode.
Enter the serial number you found in step 1, for example, "6745963548".
Click the "16" button to convert to hexadecimal The resulting number will be in the format of "0x192173C1C" Disregard the leading "0x" and make note of the rest of the number.
To renew the code signing certificate in OS X Lion:
Open /Applications/Utilities/Terminal.app.
Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
sudo /usr/sbin/certadmin —recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c
To renew the code signing certificate in OS X Mountain Lion:
Open /Applications/Utilities/Terminal.app.
Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.
sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin —recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c
To make sure Profile Manager is using the new certificate:
Open /Applications/Server.app.
Under Services, click Profile Manager.
Switch Profile Manager off.
Next to "Sign configuration profiles" click the Edit button.
From the Certificate list, select the certificate named "myserver.mydomain.com Code Signing Certificate - myserver.mydomain.com OD Intermediate CA" which should be the only listed certificate.
Click OK.
Turn on Profile Manager.
iOS information
iOS does not accept updates through Profile Manager after renewing the code signing certificate. For each iOS device using Profile Manager, remove the Trust Profile and Enrollment Profile in Settings > General > Profiles. Then, navigate to the Profile Manager User Portal at https://myserver.mydomain.com/mydevices to install the current Trust Profile and re-enroll the device.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.