OSX Server, Renewing Profile Managers code signing certificate

posted Dec 13, 2013, 8:53 PM by Ian Curtinsmith   [ updated Dec 13, 2013, 8:54 PM ]

Apple OSX Server uses a code signing certificate that is used for Profile Manager. 

Unfortunately you can't just use the inbuilt certificate interface panel that is built in to the OSX server GUI.

OS X server App will continually send you a reminder every day from 30 days prior to renewal.

Apple have an article on this at

However it fails to mention 2 very important points.

1) To renew the certificate Apple ask you to use in the terminal


However Apple have moved this command to :


2) When converting the serial number to Hexadecimal it MUST be in lower case.

If the serial number is left in upper case you will see the following error 

"/Applications/ Cannot find the certificate: XXXXXXXX"


Instructions to replace the code signing certificate as follows :

1. Open /Applications/Utilities/Keychain
2. On the left under Keychains, select the System keychain.
3. Find your code signing certificate.  It should be named in the format of " Code Signing Certificate" where "" will be the Fully Qualified Domain Name (FQDN) of your server.  You should see two entries, where one is the private key and one is the actual certificate.  Double click the certificate.
4. Under Details, locate the section named "Subject Name".  In the "Subject Name" section, locate the Common Name field which should be identical to the name of the certificate in the list from step 3.  Make note of the full name, including capitalization, spaces, and punctuation.

For me this was " Code Signing Certificate"

5. Looking at the same certificate details, locate the section titled "Issuer Name".  Locate the Common Name field directly below that.  The Issuer Common Name should be in the following format:  "IntermediateCA_MYSERVER.MYDOMAIN.COM_1"
...where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server.  Make note of the full name, including capitalization, spaces, and punctuation.

For me this was "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1"

6. Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field.  Make note of the serial number, which is in decimal format.
7. Open /Applications/
8. In Calculator, choose View > Programmer to change to programmer mode.
9. Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16".  Click the "10" button to make sure the Calculator is in decimal mode.
10. Enter the serial number you found in step 1, for me this was, "2790369765".
11. Click the "16" button to convert to hexadecimal.  The resulting number will be in the format of "0xA651A9E5".  Disregard the leading "0x" and make note of the rest of the number. (MAKING SURE you convert this number to lower case.

For me this was a651a9e5

12. Open /Applications/Utilities/
13. Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.

sudo /usr/sbin/certadmin --recreate-CA-signed-certificate " Code Signing Certificate" "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1" a651a9e5

Sub your details collected above in the same locations using mine as an example

For those with latest version of OSX server will need to sub this for 

sudo /Applications/ --recreate-CA-signed-certificate " Code Signing Certificate" "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1" a651a9e5

14. Open /Applications/
15. Under Services, click Profile Manager.
16. Switch Profile Manager off.
17. Next to "Sign configuration profiles" click the Edit button.
18. From the Certificate list, select the certificate named " Code Signing Certificate - OD Intermediate CA" which should be the only listed certificate.

This name will change depending on your certificate name

19. Click OK.
20. Turn on Profile Manager.

Crash Plan - Crashing during backup

posted Mar 9, 2013, 4:20 PM by Ian Curtinsmith

I noticed that on some of my large clients servers, crash plan keeps crashing. Somewhat symbolic in it's name :)

This not only happened in the front end GUI but also the backend.

and normally if the server had very very big backup sets of a few TB or more.

I reviewed the log files and have found that when crash plan runs it tries to compile a list of changes that have been made. If this catalog was very big it would crash.

If you stop crash plan

$ sudo launchctl unload /Library/LaunchDaemons/com.crashplan.engine.plist 


If you modify launchd item

$ sudo pico /Library/LaunchDaemons/com.crashplan.engine.plist

and modify the following string

<string>-Xmx512m</string> to <string>-Xmx3072m</string>

then restart the launchd item 

$ sudo launchctl load /Library/LaunchDaemons/com.crashplan.engine.plist

The backups will now work. What we have now done is allocate 3GB of memory to the application v’s the 512MB that were allocated to it originally.

Configure PPTP VPN on a Cyberoam UTM for iPhone, iPad, Mac, and Windows

posted Feb 15, 2013, 7:38 PM by Ian Curtinsmith   [ updated Feb 15, 2013, 7:44 PM ]

I should start this article by saying that if possible do not use PPTP VPN's and you should opt where possible for IPSEC vpn tunnels.

Security is a concern around PPTP vpn's and these can easily be cracked in minutes. 

YouTube Video

In fact there are now websites setup where people with no experience can pay others to crack the PPTP VPN password for you such as

The cyberoam UTM appliance can support Standard IPSEC VPN's that the Apple Mac iPhone and iPad and Desktop use and can even be configured to act as a Cisco VPN.

Establish an IPSec Connection Between Cyberoam and Cisco VPN Client 

Configure Apple iPhone for Cyberoam L2TP VPN Connection

However if required you can enable the Cyberoam to allow PPTP vpn connections

Configure Cyberoam to Establish PPTP connection using MS Windows 7 VPN Client

With the default configuration of PPTP VPN on the Cyberoam, only CHAP authentication is set.
The setup of PPTP on the Cyberoam UTM requires one hidden step to enable MS-CHAPv2 that is required for windows and Mac's to use a PPTP VPN connection.

Step 1 – Enable PPTP

1. In the GUI interface, go to VPN -> PPTP
Under General Configuration: choose the local LAN address to be used by PPTP
2. Choose the range to assign to PPTP users
Note: Do not specify the same IP address range in L2TP configuration and PPTP configuration.
3. Specify the DNS Servers to be used.
4. Click "Apply"


Step 2 – Set Encryption and Authentication Methods
1. Login to the CLI Console: By clicking Console in the top right corner OR logging in via Telnet or SSH
Choose Menu Option # 4

2. Now use the following syntax to set the encryption and authentication:

console> set vpn pptp authentication MS-CHAPv2 encryption STRONG

3. you can review the settings with the following command: 

console> show vpn configuration

Step 3 – Grant Users Logon access via PPTP

There are a few places to grant access to users:
A. Go to IDENTITY -> USERS and click the user you would like to grant PPTP access. Choose “Enable PPTP”.
B. Go to IDENTITY -> GROUPS and click the group you would like to grant PPTP access. Choose “Enable PPTP”.
C. Go to VPN -> PPTP and click “Add Member(s)” and Choose the ‘groups’ or ‘users’. And click Apply 

Review Users/Groups with PPTP access: 
Go to VPN—PPTP and click “Show PPTP Members” and Choose the ‘groups’ or ‘users’.

Diagnostics and Logging:

1. In CLI - 

console> cyberoam diagnostics show syslog

Choose View logs for “Authentication”

Create a USB Bootable Installer for VMware vSphere 5

posted May 26, 2012, 9:14 PM by Ian Curtinsmith   [ updated May 26, 2012, 9:51 PM ]

VMare vSphere Hypervisor (ESXi) is a free fully functional hypervisor that lets you virtualize your servers and run your applications in virtual machines.  More info at and documentation at

This blog is about creating a bootable Installer of ESXi that you can use to install on a computer. If you wish to install ESXi directly on USB thumb stick and boot from that then check out one of the following

At the time of this blog version 5.0 of ESXI was available and I created this on a Apple Mac running Operating system 10.7.

For a hardware compatibility guide check out

At the time of writing this the Apple servers running the Xeon 55xx processors are officially supported. Seems to be strong rumors that the new mac mini's will be officially supported with version 5.1 of esxi. Uu-officially it seems the i5 and i7 and Core 2 Duo apple hardware also seems to be working. There are some issues with old apple hardware with usb keyboard and mouse drivers. For the new mac mini you will need a custom Ethernet driver.

There is a nice write up installing this on a Apple Mac mini using a custom Ethernet driver at

Steps to create a Standard USB thumb stick ESXi Installer

Step 1 : Insert a USB thumb stick you want to use as your installer disk. You will loose ALL data on this USB thumb stick and it does not have to be very large 500MB will be fine.

Step 2: Download the installer
At the time of this blog the file I downloaded was called VMware-VMvisor-Installer-5.0.0.update01-623860.x86_64

Step 3 : Download UNetbootin from This is a great app that is available for Apple Mac, Windows and Linux and will save you lots of time

Step 4 : Launch the UNetbootin application downloaded in Step 3. Select Diskimage (ISO) and select your .iso file you downloaded in Step 2.

Step 4 : Choose type of USB Drive and select the USB thumb stick you inserted in Step 1

Step 5: Click OK and watch the bar move across your screen for a few minutes

That's it you are done. On some hardware platforms that you want to boot from a USB thumb stick you may need to modify the BIOS to boot from USB, this is refereed to as "UEFI" on some systems.  

Note : if you get a message "override menu.c32"  when running this then at the error prompt select no and it will drop into the shell "boot=" prompt. From here type "mboot" and it will work

Time Machine will not Backup

posted Feb 20, 2012, 1:09 AM by Ian Curtinsmith   [ updated Feb 20, 2012, 1:16 AM ]

I recently came across a strange issue with a computer running Apple 10.7 backing up to time machine running on a Apple 10.6 server

The machine when trying to backup always gave an error type 10. 


Time Machine could not complete the backup

The backup disk image “/Volumes/TimeMachine/xxxxxxxx.sparsebundle” could not be created (error 10)



1) Mount the time machine backup volume on your computer

2) Go to System Preferences on your Mac > Sharing and note down the COMPUTER-NAME

3) Open Applications / Utilities / Terminal program and type in: 

ifconfig en0 | grep ether

Note down the MAC-ADDRESS, Example 01:4a:d4:35:6c

4) Open Applications / Utilities / Disk Utility

5) Select the "New Image" option to create you new disk image and save it to your Desktop (sometimes Disk Utility does not like saving to a server so save to your desktop) and set the settings as

        * Name : Backup

        * Size : 100MB

* Format : Mac OS Extended (Case-sensitive, Journaled)

* Encryption : None

* Partitions : No partition map

* Image Format : sparse bundle disk image

* Where : Desktop

6) Choose "Save As" name as the "COMPUTER-NAME_MAC-ADDRESS.sparesebundle" using infor from point 2 and 3 above. For me it was "Laptop_014ad4356c"

7) Click Create and close Disk Utility

8) Now copy the newly created COMPUTER-NAME_MAC-ADDRESS.sparesebundle file to the time machine backup folder that you mounted in step 1 and re-run time machine backups

9) If the file already exists in this location by the name of COMPUTER-NAME or COMPUTER-NAME_MAC-ADDRESS you will need to delete the old one first. Note:// you are about to delete any old time machine backup

When I run this the first time 10.7 time machine actually renamed the file name from COMPUTER-NAME_MAC-ADDRESS to just COMPUTER-NAME.

Adobe CS5 will not run on Apple 10.7 Lion - Fix

posted Jan 8, 2012, 11:50 PM by Ian Curtinsmith

When you go to run an Adobe Application such as CS5 on your new 10.7 client it will not run and will ask you to install JAVA Runtime. 

Adobe have a article about this

The catch is the on some company networks that use a software update server this update may not be available yet

Solution : Download this directly from Apple. As of 9th January 2012 it was available from here.

I would suggest checking if a more recent JAVA runtime (JRE) is available if using this link in the future

OSX 10.7 lion server still uses port 80 and 443 even when not hosting websites

posted Dec 17, 2011, 7:13 PM by Ian Curtinsmith   [ updated Dec 17, 2011, 11:08 PM ]

So about now you have had no choice as that mac mini server you got will not run anything but 10.7 server and kicking and screaming you enter the world of 10.7 lion server.

Straight off the bat, if you don't have to run 10.7 server, don't ! There are major issue's and of this post "10.7.2 was out" so many things were not fit for production, not to mention the fact 10.7 server no longer does print services,  ftp, pptp vpn, mysql, tomcat, axis, or QTSS, Work around's for some of these perhaps in another post, but almost all require a high level of command line experience.

But I will concentrate on one of the shortfalls you will face. Apache which is the built in web service built into 10.7 lion server. The catch here is it is ALWAYS on. Even if you turn off web sharing in the server tools going to or will still give you a simple webpage. 

The issue here is that no matter what you do ports 80 and 443 are still in use. This becomes a very big issue when installing 3rd party programs on the server that need these ports. Examples include Filemaker Server with web-hosting or Kerio Connect that uses these ports for active-sync and webmail. These programs will not operate correctly as they will complain that the port is already in use.

Kerio have release a Knowledge base article at that tells you how to get around the problem

Simply put as of 10.7.2 server the only options you really have is to turn off the apache server on lion server via the terminal so that other programs will work that need these ports.

In the terminal program type 

sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

From that point on the pre-installed version on apache will no longer load at boot.

There are some big downside to this. Wiki's will no longer work, profile manager will not work, and you can't run any other websites on the server using Apples built in web service

If you ever need to reverse what you have done, in the terminal type

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

There are other ways you can approach this, be no "real" solution

* Change the ports on the filemaker server or kerio mail server to a non standard port. But that means manually defining the ports when checking email or loading a website. Example Https to 8843

* Change the ports as above coupled with inbound port mapping on the firewall. Example, map port 443 on firewall to 8443 on the lion server. This has some drawbacks if your firewall can't do mapped IP's. That is if your firewall is using NAT to forward an port from the external IP of your firewall to the internal IP of your server and you can't type inside your network the external IP of the firewall and reach the internal IP being mapped to this will cause you issues. The end result may be external people can reach the mail server at but internal people on the local network can't so have to use https:/ This is not ideal at all as you don't want to reconfigure your mail program each time you leave the office

* Look at setting up a proxy server that forwards requests. This is actually a nice solution when you need apple's services to run as well, but it is not 100% working solution. Example includes Entourage that has issues sending email using port 443 behind a proxy. Someone has already created a nice how to guide here

* Manually modify the apache configs in lion and discontinue the use of any gui. See

Quick synopsis :

Currently you really only have 2 choices if you want to run 3rd party services such as Kerio Connect and won't it to 100% work

1) Turn off Apple's web service and no longer use Apple's services
2) Start brushing up on your hard core command lines and no longer use Apple's GUI interface and do everything from hand

If anyone else thinks it's strange that a server product that is far cheaper to purchase now and was meant to be pitched at the entry level mum and dad market share is now actually harder to setup and requires a far greater understanding of the way servers work, you are not alone :)

iPhone OS5 not showing Personal Hotspot

posted Nov 22, 2011, 4:52 PM by Ian Curtinsmith

If your iphone running OS5 is not allowing you to do internet tethering "AKA" Personal Hotspot

you will need to go to

then select Reset all Settings

Your iPhone will then reboot and the Personal Hotspot will now re-appear in General / Network

Note : you will loose all network settings and you will need to re-add any saved VPN or wifi settings

iPhone draining / running out of battery / power

posted Oct 29, 2011, 11:45 PM by Ian Curtinsmith   [ updated Dec 17, 2011, 7:16 PM ]

------ Update ------ 

Looks like the latest build of IOS for the iphone now fixed this problem

------ Finish update ------

There is an issue for iphone's running version 5 software on them, that drains the battery power of the iphone

Currently the software is leaving the location tracking services running in the background constantly and draining your battery

To stop this

* Click on "Settings"
* Click on "Services"
* Scroll to the bottom and select "System Services"
* Un-tick "Settings Time Zone" and turn if off (see pic)

Hopefully Apple should fix this in version 5.1

With this disabled if you travel into a different time zone you will have to manually change the date and time / time zone on your phone

DHCP load balancing / redundancy under OS X server

posted Oct 16, 2011, 2:50 AM by Ian Curtinsmith   [ updated Oct 16, 2011, 2:58 AM ]

How do I setup DHCP redundancy / load balancing so in the event of a Failure of one server the other one can do the job ?

There are a multiple ways to achieve this goal including setting up a 

* DHCP Cluster, see

* DHCP split scope, see

* Use "failover peer" support in DHCP failover using  RFC 3074

Yes I refered to microsoft above, get the info where it lies I say.

The easiest and cheapest solution that I would recommend is to setup a DHCP split scope. It does not require complex configurations or DHCP Cluster designs and you can do everything from the GUI with Apple OSX Server

Microsoft recommend a 80/20 rule for this, meaning one server distributes 80% of the DHCP pool and the other server distributes 20% of the DHCP pool.

My recommendation is a 100/100 rule ! Seriously why would you design your network so that in the event of a failure of the primary DHCP server only 20% of your machine can get on the network.  Internal IP ranges are free. It does not cost you any more to setup a IP range as it does to setup a or even a network

What that means is rather than your network having 254 IP's that it can use, configure it to be able to use 510 IP's all the way up to 16,777,214 IP's :)

This is really simple to do. Just configure 2 different servers to provide 2 completely different but complimentary IP ranges on the same network.

That's it !

When a computer on the network requests an IP address, whichever is the first DHCP server to respond back provides the IP for that machine. If one Server is slow to respond or under load or has used all it's available IP pool or has failed, the other server's response will be used instead.

The catch here is to make sure that no matter what server responds back the computer requesting the info will be able to see the whole network. So each server MUST provide identical information in every way from DNS servers to Routers to DHCP Options, even reserved IP addresses. The only difference will be the DHCP pool address are different and will NOT use the same IP ranges in them.

An example of a small network

Lets pretend you have 100 computers / devices you want to provide an IP for at any one time on a network and have a small IP block free for server / printers etc.. that you want to be manually configure. We could use a scope here

Router :

Subnet :

DHCP Server 1 :

DHCP Server 2 :

Servers / printers etc.. : 10.0.4 to 10.0.52

DHCP Pool for computers : to

In the above network example just have DHCP Server 1 setup with a DHCP pool of to and DHCP Server 2 with a DHCP pool of to Keep the router and the DNS entries and name server etc.. the same

That's it.. Nice and simple

Now in a larger network you may want double that with the increase of wifi devices etc.. In most organisation's you would budget 4 IP's for every staff. Work phone, mobile phone, computer wifi and computer ethernet port all may ask for an IP at the same time.

There is no difference here as above except to extend the available IP range and make it a /23 and make it 200 IP ranges per server

Router :

Subnet :

DHCP Server 1 :

DHCP Server 2 :

Servers / printers : 10.0.4 to 10.0.53

Servers / printers : 10.1.1 to 10.1.53

DHCP Pool, to and to 

In the above network example just have DHCP Server 1 setup with a DHCP pool of to and DHCP Server 2 with a DHCP pool of  to 

Want to increase it more than 200 IP's ? No problems you can go all the way to a /8 if you want and give yourself 16,777,214 IP's to play with :)

Remember that if you are running a VPN server and it is providing an IP address in the same IP subnet, you will want to make sure that that IP range is not being distributed via either DHCP server

Generally you would setup your IP phones on your network to be under a different VLAN for QOS = Different IP range again. So you may want to deploy the same setup here as well

For more info on DHCP read

1-10 of 13