Larry Goldman
Level 1 (9 points)
Servers Enterprise

Q: Configuration Profile Code-Signing Certificates

Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.

 

I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.

 

How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

Mac OS X (10.7.1)

Posted on Jul 23, 2012 5:24 PM

by Jonathan Melville,Solvedanswer
Jonathan Melville Jonathan Melville
Level 2 (450 points)
A:

You're misunderstanding how the trust chain works.

 

The only entity that can issue secure certificates are certificate authorities. An SSL certificate is not a certificate authority, it's just a certificate.

 

So you can't "generate" a code-signing certificate from an SSL certificate. An SSL certificate is not part of a trust chain for a code-signing certificate. If you need a code-signing cert, you must have it issued to you by a certificate authority.

(Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

 

That is true.

Posted on Jul 24, 2012 12:19 PM

Close
Larry Goldman

Q: Configuration Profile Code-Signing Certificates

  • All replies
  • Helpful answers

  • by Jonathan Melville,

    Jonathan Melville Jonathan Melville Jul 24, 2012 8:39 AM in response to Larry Goldman
    Level 2 (450 points)
    Jul 24, 2012 8:39 AM in response to Larry Goldman

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.

     

    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.

     

    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

  • by Larry Goldman,

    Larry Goldman Larry Goldman Jul 24, 2012 12:11 PM in response to Jonathan Melville
    Level 1 (9 points)
    Servers Enterprise
    Jul 24, 2012 12:11 PM in response to Jonathan Melville

    I will rephrase the question: Lion Server created its own self-signed Code-signing cert. Certs rely on a chain of trust to roots that are already present on client machines.

     

    Is there a way to create a Code-signing cert based on a trusted SSL cert?

     

    (Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

  • by Jonathan Melville,Solvedanswer

    Jonathan Melville Jonathan Melville Jul 24, 2012 12:19 PM in response to Larry Goldman
    Level 2 (450 points)
    Jul 24, 2012 12:19 PM in response to Larry Goldman

    You're misunderstanding how the trust chain works.

     

    The only entity that can issue secure certificates are certificate authorities. An SSL certificate is not a certificate authority, it's just a certificate.

     

    So you can't "generate" a code-signing certificate from an SSL certificate. An SSL certificate is not part of a trust chain for a code-signing certificate. If you need a code-signing cert, you must have it issued to you by a certificate authority.

    (Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

     

    That is true.

  • by Larry Goldman,

    Larry Goldman Larry Goldman Jul 24, 2012 12:38 PM in response to Jonathan Melville
    Level 1 (9 points)
    Servers Enterprise
    Jul 24, 2012 12:38 PM in response to Jonathan Melville

    Good answer. Thanks.

  • by Jonathan Melville,

    Jonathan Melville Jonathan Melville Jul 24, 2012 12:40 PM in response to Larry Goldman
    Level 2 (450 points)
    Jul 24, 2012 12:40 PM in response to Larry Goldman

    Glad to help!

  • by Gerard Dirks,

    Gerard Dirks Gerard Dirks Feb 20, 2014 12:48 AM in response to Larry Goldman
    Level 1 (38 points)
    Desktops
    Feb 20, 2014 12:48 AM in response to Larry Goldman

    Hello

     

    Ist their a way to delete this certicate (and warning). We don't use this, but we get a warning every 24 hours from our 10.8.5 Server