Q: Argh! Profile Manager and Code-Signing of profiles
I am setting up Profile Manager in Mavericks with Server.app 3.0.1.
I have DNS correctly set up, I have created an OD Master for Profile Manager, Profile Manager is running, network users can log in and I can set up profiles. I also have the https site working properly for clients, although that needed some help.
We have a self-signed root CA, and off that we have two intermediate CAs, one for signing server SSL certificates and one for signing code-signing certificates. On my server I have installed the root CA, the intermediate CAs and of course the server SSL certificate itself. As mentioned initially, I had a problem with the https site on the server: what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our root CA certificate installed and trusted.)
As a result the chain was incomplete and clients did not trust the https site. I tracked this down to the files in /etc/certificates: it turned out that, of the four files for the server certificate (.key.pem, .chain.pem, .concat.pem and .cert.pem), the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache, and clients now get the full chain and can therefore trust the https site.
My problem now is with the code-signing certificate; this has also been self-signed, this time by the intermediate code-signing CA. It is accepted by Profile Manager and it does sign the profiles. However, when I download the Trust profile and try installing it, it comes back unverified. (If it were unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the root CA certificate but does not contain the intermediate code-signing CA certificate.
I tried the same trick of swapping out the code-signing .chain.pem file in /etc/certificates, but this did not help. I am currently stuck; any suggestions from anyone?
Thanks.
Posted on Dec 13, 2013 3:38 AM
Right, I have solved my problem. It turns out that while Server.app does offer the ability to import private keys and self-signed certificates from your own self-signed root CA, it does not work! I tried both .pem files and a .p12 file; both types failed even though both types are valid and accepted.
It will import them, but it fails to properly create all the matching files in /etc/certificates; in particular it does not create the private .key.pem file and as a result does not correctly create the .concat.pem file. While it is possible to manually copy the private key to a .key.pem file, and this works, even if you 'fix' the .concat.pem file it unfixes it each time you reboot. The keychain did contain proper entries, but Apache and Profile Manager use the copies that are supposed to be in /etc/certificates.
The only way to get a full working set of four .pem files in /etc/certificates is to create a signing request via Server.app and drag the signed certificate and any intermediate certificate plus the root CA certificate into the pending request window.
Once I did it this way then my trust profile became verified.
Note: Importing a code-signing certificate does work, it is only importing the server certificate that has this problem.
Posted on Dec 17, 2013 1:05 AM
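Added example, not code from either post or from Server.app: a shell script that builds a throwaway PKI shaped like the one described in the question (self-signed root, intermediate CA, server certificate), writes a four-file set named like the /etc/certificates entries discussed in both posts, and runs the checks a practitioner would use to confirm that the .chain.pem really carries the intermediate, that the chain validates against the root alone (the situation the client is in), and that .key.pem matches .cert.pem. The CA names, server.example.test, the file names and the key-then-cert-then-chain layout used for .concat.pem are assumptions of this example, not details taken from the thread; a "broken" chain file containing only the root is constructed here to reproduce the missing-intermediate symptom.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a test PKI with openssl:
#   Example Root CA -> Example Server CA (intermediate) -> server.example.test
# then writes a four-file set named like /etc/certificates/<name>.{key,cert,chain,concat}.pem.
# Assumptions: CA names, hostname, file names and the key+cert+chain layout of .concat.pem.

# make_test_pki DIR: create keys, certificates and the four-file set in DIR.
make_test_pki() {
  dir=$1
  # Extension files: a CA profile for root/intermediate, a server profile for the leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.example.test\n' > "$dir/leaf.ext"
  for n in root int server; do
    openssl genrsa -out "$dir/$n.key.pem" 2048 >/dev/null 2>&1
  done
  # Self-signed root CA (the only thing the clients trust).
  openssl req -new -key "$dir/root.key.pem" -subj "/CN=Example Root CA" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key.pem" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.cert.pem" >/dev/null 2>&1
  # Intermediate CA for server certificates, signed by the root.
  openssl req -new -key "$dir/int.key.pem" -subj "/CN=Example Server CA" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.cert.pem" -CAkey "$dir/root.key.pem" -CAcreateserial \
    -days 1825 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.cert.pem" >/dev/null 2>&1
  # Server certificate, signed by the intermediate (not by the root).
  openssl req -new -key "$dir/server.key.pem" -subj "/CN=server.example.test" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.cert.pem" -CAkey "$dir/int.key.pem" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/leaf.ext" -out "$dir/server.cert.pem" >/dev/null 2>&1
  # Four-file set. Correct chain: the intermediate. Constructed broken chain: root only,
  # i.e. the intermediate is missing, which is what the poster found in .chain.pem.
  cp "$dir/int.cert.pem" "$dir/server.chain.pem"
  cp "$dir/root.cert.pem" "$dir/broken.chain.pem"
  cat "$dir/server.key.pem" "$dir/server.cert.pem" "$dir/server.chain.pem" > "$dir/server.concat.pem"
}

# verify_chain ROOT CHAIN LEAF: succeed only if LEAF chains up to ROOT using CHAIN as
# the untrusted intermediates, which is exactly what a client holding only ROOT must do.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# chain_has_cert CHAIN CERT: is CERT (by SHA-256 fingerprint) one of the certs in CHAIN?
chain_has_cert() {
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$want" ] || return 1
  # Split the PEM bundle into one file per certificate, then fingerprint each one.
  awk -v out="$1" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (out "." n ".split")}' "$1"
  for f in "$1".*.split; do
    [ -e "$f" ] || return 1
    got=$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null)
    rm -f "$f"
    if [ "$got" = "$want" ]; then rm -f "$1".*.split; return 0; fi
  done
  return 1
}

# key_matches_cert KEY CERT: compare the public key derived from KEY with the one in CERT.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# concat_is_consistent KEY CERT CHAIN CONCAT: CONCAT must be KEY+CERT+CHAIN (assumed layout).
concat_is_consistent() {
  cat "$1" "$2" "$3" | cmp -s - "$4"
}

# Demo: build the PKI in a temp dir and run the checks.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  verify_chain "$d/root.cert.pem" "$d/server.chain.pem" "$d/server.cert.pem" && echo "chain.pem with intermediate: verifies against root"
  verify_chain "$d/root.cert.pem" "$d/broken.chain.pem" "$d/server.cert.pem" || echo "chain.pem without intermediate: unverified"
  chain_has_cert "$d/broken.chain.pem" "$d/int.cert.pem" || echo "broken chain.pem does not contain the intermediate"
  key_matches_cert "$d/server.key.pem" "$d/server.cert.pem" && echo "key.pem matches cert.pem"
  rm -rf "$d"
}
demo
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if the intermediate is not among them, clients that trust only the root will see the incomplete chain described in the question regardless of what is in the keychain.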