Profile Manager and code signing certificate issues

1210 Views 4 Replies Latest reply: Jan 30, 2014 4:59 PM by Carlisls
jlboan Level 1 (0 points)
Aug 23, 2013 4:54 PM

Hi all,

We are attempting to set up Profile Manager to manage the Macs on our AD domain. We have a valid certificate for the server's web services, and users can hit it with https just fine. When enrolling a device with Profile Manager, we realized we needed a valid code signing certificate so that the users are not prompted with warnings during the install. I purchased a code signing certificate from GoDaddy and have been attempting to import this into Server.app so that I can assign it to the Profile Manager install.

 

I'm running 10.8.4 with the latest version of the server.app.

Here are the basic steps as I understand it:

  1. Under Certificates in the Server.app, click the + and choose "Get a Trusted Certificate..."
  2. Fill out the company information.
  3. A CSR is generated. Copy the CSR.
  4. Log in to the CA site, in my case GoDaddy.
  5. Rekey the cert using the CSR just generated.
  6. Download the rekeyed cert from the CA. In my case, it is a .pem file with what appears to be 3 certificates in it.
  7. Back in server.app, select the pending cert and click the gear icon.
  8. Choose View Certificate Signing Request.
  9. Drop the cert file from the CA into the window as instructed.

Here is where mine fails. I get the following error in the log:

Error: The server '127.0.0.1' reported an error while processing a command of type: 'importCertificates' in plug-in: 'servermgr_certs'. Error: Error Domain=com.apple.servermgr_certs Code=-67811 "none of the imported certificates matched a public/private key pair in the keychain"

I also tried going into the Profile Manager settings, clicking Edit, then Import, and dropping the .pem file in that way. Unfortunately, no keys accompany the cert, so the Import button remains grayed out after that. As another shot, I opened the certs via Finder and imported them to the Keychain app; unfortunately, this did not make a difference in the error. Now I understand that I could just use a self-signed cert and enroll my devices, ignoring the warning. Unfortunately, our CIO uses a Mac and has already decided we must have the cert in place and working before rollout. Any help would be greatly appreciated, thanks!

Mac OS X Server, OS X Mountain Lion (10.8.4), Server.app 2.2.1
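
Added example, not part of the original posts: the -67811 error above says that none of the imported certificates matched a key pair in the keychain, so one check is whether any certificate in the CA's .pem bundle carries the same public key as the CSR that was submitted. The function names and file names are hypothetical; it assumes the CSR was saved to a file and that `openssl` is installed.

```shell
#!/bin/sh
# Added example: find which certificate in a multi-certificate PEM bundle
# has the same public key as a CSR. All file names are placeholders.

# SHA-256 over the PEM-encoded public key read from stdin.
key_hash() { openssl dgst -sha256 | awk '{print $NF}'; }

# Hash of the public key inside a CSR file; fails if the CSR cannot be parsed.
csr_key_hash() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | key_hash
}

# Hash of the public key inside one PEM certificate read from stdin.
cert_key_hash() {
    pub=$(openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | key_hash
}

# Print the 1-based position of the bundle certificate whose key matches the
# CSR. Returns 1 if none matches, 2 if the CSR itself is unreadable.
match_bundle() {
    csr=$1 bundle=$2
    want=$(csr_key_hash "$csr") || return 2
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle") || count=0
    i=1
    while [ "$i" -le "$count" ]; do
        # Cut the i-th certificate out of the bundle and hash its key.
        got=$(awk -v n="$i" '
            /-----BEGIN CERTIFICATE-----/ { c++ }
            c == n { print }
            /-----END CERTIFICATE-----/ && c == n { exit }' "$bundle" |
            cert_key_hash) || got=""
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Stand-alone use: sh check.sh request.csr bundle.pem
if [ "$#" -eq 2 ]; then
    match_bundle "$1" "$2" || echo "no certificate in $2 matches the key in $1" >&2
fi
```

A printed index identifies the leaf certificate in the bundle; the other entries are normally the CA's chain certificates. If nothing matches, the bundle was not issued for the key behind that CSR.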
  • Nick Kaihoi Level 1 (0 points)
    Oct 30, 2013 10:57 AM (in response to jlboan)

    I was able to accomplish getting a code signing certificate from GoDaddy by using Firefox. Firefox will automatically create the CSR and associated keys.

    Do the following:

    1. Log in to GoDaddy and purchase your Code Signing Certificate (it will take a few days for them to verify you).

    2. Once you are able to submit a CSR for the certificate, make sure you are using Firefox (I used Version 25.0).

    3. When you go to re-key the certificate, you will see that under "CSR Generation Method" it defaults to Automatic. Leave it on this setting and all the other settings defaulted.

    4. After the certificate has been re-keyed, click the Download button and the process will be automatic. There will be several certificates it attempts to install. Some may already be present and you will be warned; just continue to the next certificate.

    5. Now, depending on what version of Firefox you are running, the next step may be in a different area. For V25, go to the Firefox menu --> Preferences --> Advanced Tab --> Certificates Tab --> View Certificates Tab --> Your Certificates. Unless you have installed other certificates, you should only see the GoDaddy certificate. Select the certificate that has "Software Security Device" in it. Click the Backup... button. Give the backup a name and save it as PKCS12.

    6. Now go to the Server.app and select Certificates (10.9 Mavericks Server brought back a dedicated certificates area!!). Click the gear icon and select "Show all certificates", then click the + icon, select "Import Certificate Identity" and choose your exported PKCS12 file, which will have the extension of .pfx.

    As long as you didn't get any errors along the way, you should now have successfully imported a valid Code Signing Certificate!

  • Nick Kaihoi Level 1 (0 points)

    Edit:

    Step 6 - The extension of the file will be .p12

  • Carlisls Level 1 (0 points)

    Thanks for your thread, guys. I am facing the same issue. Nick, your method looks promising, but before I proceed, I am hoping you could confirm that this works properly for a Profile Manager code-signing certificate? I have already created my code-signing certificate incorrectly once, and GoDaddy Support was gracious enough to let me delete it, and has given me an opportunity to recreate it without penalty.

    To ensure I understand, once I have performed your steps through Firefox and Keychain, I assume when I go to "Profile Manager" in OS X Mavericks "Server.app", and click to check on the "Sign configuration profiles" option and am prompted to select a certificate, I will see the code-signing cert I have imported from Firefox as per your instructions?

    Thanks again for your assistance. I have been beating my head against the wall trying to get this right. Surprisingly few resources online regarding this process.

    Thanks,

    Luke
