
OSX Server, Renewing Profile Managers code signing certificate

posted Dec 13, 2013, 8:53 PM by Ian Curtinsmith   [ updated Dec 13, 2013, 8:54 PM ]
Apple OSX Server uses a code signing certificate for Profile Manager.

Unfortunately you can't renew it with the certificate panel built into the OSX Server GUI.

The OS X Server app will send you a reminder every day, starting 30 days before the certificate expires.

Apple have an article on this at http://support.apple.com/kb/HT5358

However, it fails to mention two very important points.

1) To renew the certificate, Apple ask you to run the following in Terminal:

/usr/sbin/certadmin

However, Apple have moved this command to:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin

2) When converting the serial number to hexadecimal it MUST be in lower case.

If the serial number is left in upper case you will see the following error:

"/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: XXXXXXXX"

----

Instructions to replace the code signing certificate are as follows:


1. Open /Applications/Utilities/Keychain Access.app.
2. On the left under Keychains, select the System keychain.
3. Find your code signing certificate.  It should be named in the format "myserver.mydomain.com Code Signing Certificate", where "myserver.mydomain.com" is the Fully Qualified Domain Name (FQDN) of your server.  You should see two entries: one is the private key and one is the actual certificate.  Double-click the certificate.
4. Under Details, locate the section named "Subject Name".  In the "Subject Name" section, locate the Common Name field which should be identical to the name of the certificate in the list from step 3.  Make note of the full name, including capitalization, spaces, and punctuation.

For me this was "server01.systemc.com.au Code Signing Certificate"

5. Looking at the same certificate details, locate the section titled "Issuer Name".  Locate the Common Name field directly below that.  The Issuer Common Name should be in the following format:  "IntermediateCA_MYSERVER.MYDOMAIN.COM_1"
...where "MYSERVER.MYDOMAIN.COM" will be the FQDN of your server.  Make note of the full name, including capitalization, spaces, and punctuation.

For me this was "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1"

6. Looking at the same certificate details, in the "Issuer Name" section, you should see a Serial Number field.  Make note of the serial number, which is in decimal format.
7. Open /Applications/Calculator.app
8. In Calculator, choose View > Programmer to change to programmer mode.
9. Immediately below and to the right of the Calculator numeric display are buttons labeled "8", "10", and "16".  Click the "10" button to make sure the Calculator is in decimal mode.
10. Enter the serial number you found in step 6; for me this was "2790369765".
11. Click the "16" button to convert to hexadecimal.  The resulting number will be in the format "0xA651A9E5".  Disregard the leading "0x" and make note of the rest of the number, MAKING SURE you convert it to lower case.

For me this was a651a9e5

12. Open /Applications/Utilities/Terminal.app.
13. Enter the following command using the information gathered above. When entering the hexadecimal serial number, ensure that all letters are entered in lower case.

sudo /usr/sbin/certadmin --recreate-CA-signed-certificate "server01.systemc.com.au Code Signing Certificate" "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1" a651a9e5

Substitute the details you collected above in the same positions, using mine as an example.

Those with the latest version of OSX Server will need to use this instead:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "server01.systemc.com.au Code Signing Certificate" "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1" a651a9e5

14. Open /Applications/Server.app.
15. Under Services, click Profile Manager.
16. Switch Profile Manager off.
17. Next to "Sign configuration profiles" click the Edit button.
18. From the Certificate list, select the certificate named "server01.systemc.com.au Code Signing Certificate - server01.systemc.com.au OD Intermediate CA" which should be the only listed certificate.

This name will change depending on your certificate name

19. Click OK.
20. Turn on Profile Manager.
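As an added example (not the post's own script and not an Apple tool), the following POSIX shell helper covers the two gotchas above and steps 6 to 13 in one place: it converts the decimal serial shown by Keychain Access to the lower-case hex certadmin expects, picks whichever certadmin path actually exists on the machine, and prints the complete command for you to review before running it. The script name renew_cmd.sh, the function names, and the path-fallback logic are my assumptions; the certificate names and serial in the usage line are the post's own example values.

```shell
#!/bin/sh
# Added example for this post (not Apple's tooling and not the post's own script):
# turn the decimal serial Keychain Access shows (or the upper-case hex that
# "openssl x509 -noout -serial" prints) into the lower-case hex certadmin expects,
# pick the certadmin path that actually exists, and print the full command for review.

CERTADMIN_NEW="/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin"  # newer Server.app
CERTADMIN_OLD="/usr/sbin/certadmin"                                               # path in Apple's KB article

# Decimal serial (as displayed by Keychain Access) -> lower-case hex, no "0x".
dec_to_hex() {
    printf '%x' "$1"
}

# Hex serial as printed by openssl ("serial=A651A9E5") or Calculator ("0xA651A9E5")
# -> lower-case hex with the prefix stripped. Upper-case input is exactly what
# triggers certadmin's "Cannot find the certificate" error.
hex_lower() {
    s=${1#serial=}
    s=${s#0x}
    s=${s#0X}
    printf '%s' "$s" | tr 'ABCDEF' 'abcdef'
}

# Prefer the in-bundle certadmin; fall back to the old path only if it exists.
certadmin_path() {
    if [ -x "$CERTADMIN_NEW" ]; then
        printf '%s' "$CERTADMIN_NEW"
    elif [ -x "$CERTADMIN_OLD" ]; then
        printf '%s' "$CERTADMIN_OLD"
    else
        return 1   # no certadmin found: this is not a Server.app host
    fi
}

# Assemble (but do not run) the recreate command. Refuses any serial that still
# contains an upper-case hex digit so the known failure cannot be reproduced.
build_certadmin_cmd() {
    bin=$1; cn=$2; issuer=$3; serial=$4
    case "$serial" in
        *[ABCDEF]*)           echo "serial must be lower-case hex: $serial" >&2; return 1 ;;
        *[!0123456789abcdef]*) echo "serial must be hex digits only: $serial" >&2; return 1 ;;
    esac
    printf 'sudo %s --recreate-CA-signed-certificate "%s" "%s" %s\n' \
        "$bin" "$cn" "$issuer" "$serial"
}

# Usage: sh renew_cmd.sh 2790369765 "server01.systemc.com.au Code Signing Certificate" \
#            "IntermediateCA_SERVER01.SYSTEMC.COM.AU_1"
# Prints the command to paste into Terminal; check it, then run it.
if [ "$#" -eq 3 ]; then
    build_certadmin_cmd "$(certadmin_path || printf '%s' "$CERTADMIN_NEW")" \
        "$2" "$3" "$(dec_to_hex "$1")"
fi
```

The script only prints the command; it never invokes certadmin itself, so you can compare the Common Name, Issuer Common Name and serial against what Keychain Access shows before anything touches the System keychain.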