4 Replies Latest reply: Jan 30, 2014 4:59 PM by Carlisls
jlboan Level 1 (0 points)

Hi all,
We are attempting to set up Profile Manager to manage the Macs on our AD domain. We have a valid certificate for the server's web services, and users can hit it with https just fine. When enrolling a device with Profile Manager, we realized we needed a valid code signing certificate so that the users are not prompted with warnings during the install. I purchased a code signing certificate from GoDaddy and have been attempting to import this into Server.app so that I can assign it to the Profile Manager install.
I'm running 10.8.4 with the latest version of the server.app.

Here are the basic steps as I understand it:

  1. Under Certificates in the Server.app, click the + and choose "Get a Trusted Certificate..."
  2. Fill out the company information.
  3. A CSR is generated. Copy the CSR.
  4. Log in to the CA site, in my case GoDaddy.
  5. Rekey the cert using the CSR just generated.
  6. Download the rekeyed cert from the CA. In my case, it is a .pem file with what appears to be 3 certificates in it.
  7. Back in server.app, select the pending cert and click the gear icon.
  8. Choose View Certificate Signing Request.
  9. Drop the cert file from the CA into the window as instructed.

Here is where mine fails. I get the following error in the log:

Error: The server '127.0.0.1' reported an error while processing a command of type: 'importCertificates' in plug-in: 'servermgr_certs'. Error: Error Domain=com.apple.servermgr_certs Code=-67811 "none of the imported certificates matched a public/private key pair in the keychain"
I also tried going in to the Profile Manager settings, clicking Edit, then Import, and dropping the .pem file in that way. Unfortunately no keys accompany the cert, so the Import button remains grayed out after that. As another shot, I opened the certs via Finder and imported them into the Keychain app; unfortunately this did not make a difference to the error. Now I understand that I could just use a self-signed cert and enroll my devices, ignoring the warning. Unfortunately our CIO uses a Mac and has already decided we must have the cert in place and working before roll out. Any help would be greatly appreciated, thanks!


Mac OS X Server, OS X Mountain Lion (10.8.4), Server.app 2.2.1
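The -67811 error quoted above is Server.app saying that none of the certificates it was handed correspond to a private key it holds: the cert that comes back from the CA has to carry exactly the public key of the CSR's private key, and a CA bundle (GoDaddy's .pem with three certificates) has to be split so the leaf is the one being matched. The following is an added example, not code from the thread, of the check to run before importing anything: it compares the public key in a private key, a CSR and the leaf certificate of a bundle. File names are assumptions; the keys and certificates in the test are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that a CA-issued certificate (or the leaf of a
# CA bundle) belongs to the private key the CSR was generated from.
# A mismatch here is what Server.app reports as -67811 ("none of the
# imported certificates matched a public/private key pair in the keychain").

# pubkey_fingerprint <key|csr|cert> <file>
# Prints the SHA-256 of the DER-encoded SubjectPublicKeyInfo carried by a
# private key, a CSR or a certificate; equal output means the same key.
pubkey_fingerprint() {
    kind=$1; file=$2
    case "$kind" in
        key)  openssl pkey -in "$file" -pubout -outform DER ;;
        csr)  openssl req  -in "$file" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$file" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)    echo "unknown kind: $kind" >&2; return 2 ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# split_leaf <bundle.pem> <leaf.pem>
# CA downloads are often leaf + intermediates + root in one file; the leaf
# (the end-entity certificate issued against your CSR) is the first block.
split_leaf() {
    awk '/-----BEGIN CERTIFICATE-----/{n++}
         n==1{print}
         /-----END CERTIFICATE-----/{if (n==1) exit}' "$1" > "$2"
}

# cert_matches_key <cert-or-bundle.pem> <key.pem>
# Exit 0 only if the leaf certificate's public key is the one for key.pem.
cert_matches_key() {
    tmp=$(mktemp)
    split_leaf "$1" "$tmp"
    c=$(pubkey_fingerprint cert "$tmp")
    k=$(pubkey_fingerprint key "$2")
    rm -f "$tmp"
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Typical use (hypothetical file names):
#   pubkey_fingerprint csr  server.csr          # key the CA was asked to certify
#   pubkey_fingerprint cert godaddy-bundle.pem  # key the CA actually certified
#   cert_matches_key godaddy-bundle.pem server.key && echo "safe to import"
```

On the Mac, the private key behind a Server.app CSR lives in the System keychain, so export the pending identity (or key) from Keychain Access as PKCS#12 first and convert it with `openssl pkcs12 -nocerts` before pointing `cert_matches_key` at it. If the CSR and certificate fingerprints differ, the CA signed a different key (for example one generated by the CA's "automatic" CSR option) and no amount of re-importing on the server will make them match.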
  • 1. Re: Profile Manager and code signing certificate issues
    jlboan Level 1 (0 points)

    OK so I gave up today and did a clean install of Mountain Lion. This time all the cert installation procedures went smoothly. However, when I try to enroll a device from profile manager, I get a message stating that the installation failed for an unknown error.  I checked the console log and this is what I see. (redacted the server name) Any ideas?
    8/26/13 4:23:51.082 PM System Preferences[4778]: *** ERROR *** [CPInstallerUI:501] Profile installation (Remote Management (com.apple.config.***********.org.mdm)) (<NSOSStatusErrorDomain:-25299> The operation couldn’t be completed. (OSStatus error -25299.)
    UserInfo: {
        CallStackSymbols =     (
            "0   SCEP                                0x0000000107c1d2f3 SCEP + 8947",
            "1   SCEP                                0x0000000107c27eec SCEP + 52972",
            "2   SCEP                                0x0000000107c208b7 SCEP + 22711",
            "3   ConfigurationProfiles               0x000000010635006f -[ProfileDomainPluginController installProfileWithPlugin:replacingProfile:outActions:] + 1473",
            "4   ConfigurationProfiles               0x0000000106348b53 -[CPProfileManager installProfile:forUser:] + 4126",
            "5   mdmclient                           0x00000001062f48ce mdmclient + 80078",
            "6   mdmclient                           0x00000001062fae9f mdmclient + 106143",
            "7   mdmclient                           0x00000001062f7e45 mdmclient + 93765",
            "8   mdmclient                           0x00000001062faa6f mdmclient + 105071",
            "9   mdmclient                           0x00000001062f8a5f mdmclient + 96863",
            "10  mdmclient                           0x00000001062f8dfa mdmclient + 97786",
            "11  libxpc.dylib                        0x00007fff8fbf54a2 _xpc_connection_recv_message + 699",
            "12  libxpc.dylib                        0x00007fff8fbf5594 _xpc_connection_recv_message + 941",
            "13  libxpc.dylib                        0x00007fff8fbf516d _xpc_connection_wakeup_recv + 165",
            "14  libxpc.dylib                        0x00007fff8fbf38b4 _xpc_connection_wakeup2 + 1799",
            "15  libxpc.dylib                        0x00007fff8fbf317c _xpc_connection_wakeup + 145",
            "16  libdispatch.dylib                   0x00007fff8cc110b6 _dispatch_client_callout + 8",
            "17  libdispatch.dylib                   0x00007fff8cc1329b _dispatch_source_invoke + 691",
            "18  libdispatch.dylib                   0x00007fff8cc12305 _dispatch_queue_invoke + 72",
            "19  libdispatch.dylib                   0x00007fff8cc12448 _dispatch_queue_drain + 180",
            "20  libdispatch.dylib                   0x00007fff8cc122f1 _dispatch_queue_invoke + 52",
            "21  libdispatch.dylib                   0x00007fff8cc121c3 _dispatch_worker_thread2 + 249",
            "22  libsystem_c.dylib                   0x00007fff986abd0b _pthread_wqthread + 404",
            "23  libsystem_c.dylib                   0x00007fff986961d1 start_wqthread + 13"
        );
        IsInternalError = 1;
    })

  • 2. Re: Profile Manager and code signing certificate issues
    Nick Kaihoi Level 1 (0 points)

    I was able to accomplish getting a code signing certificate from GoDaddy by using Firefox. Firefox will automatically create the CSR and associated keys.

    Do the following:

    1. Login to GoDaddy and purchase your Code Signing Certificate (it will take a few days for them to verify you)

    2. Once you are able to submit a CSR for the Certificate, make sure you are using Firefox (I used Version 25.0)

    3. When you go to re-key the certificate you will see that under "CSR Generation Method" it defaults to Automatic. Leave it on this setting and all the other settings defaulted.

    4. After the certificate has been re-keyed click the Download button and the process will be automatic. There will be several certificates it attempts to install. Some may already be present and you will be warned, just continue to the next certificate.

    5. Now, depending on what version of Firefox you are running, the next step may be in a different area. For V25, go to the Firefox menu --> Preferences --> Advanced Tab --> Certificates Tab --> View Certificates Tab --> Your Certificates. Unless you have installed other certificates you should only see the GoDaddy Certificate. Select the certificate that has "Software Security Device" in it. Click the Backup... button. Give the backup a name and save it as PKCS12.

    6. Now go to the Server.app and select Certificates (10.9 Mavericks Server brought back a dedicated certificates area!!). Click the gear icon and select "Show all certificates", then click the + icon, select "Import Certificate Identity" and choose your exported PKCS12 file that will have the extension of .pfx

    As long as you didn't get any errors along the way you should now have successfully imported a valid Code Signing Certificate!

  • 3. Re: Profile Manager and code signing certificate issues
    Nick Kaihoi Level 1 (0 points)

    Edit:
    Step 6 - The extension of the file will be .p12
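What the Firefox route above achieves is keeping the private key and the issued certificate together in one PKCS#12 identity, which is what "Import Certificate Identity" needs; the server-side CSR route failed because the key and the cert were never in the same place. The following is an added example, not code from the thread, of building that same .p12 with openssl from a private key, the CA-issued leaf and the CA's intermediate chain, plus the checks that confirm what the file carries. File names, the friendly name and the password are assumptions; the keys and certificates in the test are constructed for the demo.

```shell
#!/bin/sh
# Added example: package key + leaf + chain into the PKCS#12 identity that
# Server.app imports, and inspect the result before importing it.

# make_p12 <key.pem> <leaf.pem> <chain.pem> <friendly-name> <password> <out.p12>
# openssl refuses with "No certificate matches private key" when the key and
# leaf do not belong together, which is the same mismatch Server.app rejects.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$4" -passout "pass:$5" -out "$6" 2>/dev/null
}

# p12_cert_count <file.p12> <password>
# Number of certificates carried (leaf plus every chain certificate).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_key <file.p12> <password>
# Exit 0 if a private key travels with the certificates (an "identity"),
# which is what the OP's cert-only .pem import lacked.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# p12_leaf_fingerprint <file.p12> <password>
# SHA-256 fingerprint of the identity's own (client) certificate, so it can
# be compared with the certificate the CA delivered.
p12_leaf_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Typical use (hypothetical file names):
#   make_p12 codesign.key godaddy-leaf.pem gd-bundle.pem "Profile Manager signing" 'pw' codesign.p12
#   p12_cert_count codesign.p12 'pw'       # leaf + intermediates expected
#   p12_has_key codesign.p12 'pw' && echo "identity, not just a cert"
```

The password protects the private key on disk only until the file is imported; pick a throwaway one and delete the .p12 afterwards, since anyone holding it can sign profiles that enrolled Macs will trust.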

  • 4. Re: Profile Manager and code signing certificate issues
    Carlisls Level 1 (0 points)

    Thanks for your thread guys.  I am facing the same issue.  Nick, your method looks promising, but before I proceed, I am hoping you could confirm that this works properly for a Profile Manager code-signing certificate?  I have already created my code-signing certificate incorrectly once, and GoDaddy Support was gracious enough to let me delete it, and has given me an opportunity to recreate it without penalty.

    To ensure I understand, once I have performed your steps through Firefox and Keychain, I assume when I go to "Profile Manager" in OS X Mavericks "Server.app", and click to check on the "Sign configuration profiles" option and am prompted to select a certificate, I will see the code-signing cert I have imported from Firefox as per your instructions?

    Thanks again for your assistance.  I have been beating my head against the wall trying to get this right.  Surprisingly few resources online regarding this process.
    Thanks,

    Luke