John Lockwood

Q: Argh! Profile Manager and Code-Signing of profiles

I am setting up Profile Manager in Mavericks with Server.app 3.0.1.


I have DNS correctly set up, I have created an OD Master for Profile Manager, Profile Manager is running, network users can log in and I can set up profiles. I also have the https site working properly for clients, although that needed some help.


We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates and one for signing codesigning certificates. On my server I have installed the rootCA, the intermediate CAs and of course the server SSL certificate itself. As mentioned, initially I had a problem with the https site on the server, and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)


As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates: it turned out that of the four files for the server certificate, i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem, the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache; clients now get the full chain and can therefore trust the https site.


My problem now is with the codesigning certificate; this has also been self-signed, this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However, when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.


I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates, but this did not help. I am currently stuck; any suggestions from anyone?


Thanks.

Posted on Dec 13, 2013 3:38 AM
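The original post boils down to one check: does the .chain.pem next to a certificate in /etc/certificates actually hold the intermediate CA, so that a client which trusts only the root can build a chain? The script below is an added example, not something from the thread or from Apple; it assumes only the openssl command-line tool, and the file names are placeholders you substitute from /etc/certificates. It lists every certificate in the chain file (subject and issuer) and then verifies the leaf with the root as the sole trust anchor and the chain file as the only source of intermediates, which is exactly the position a client with just the root CA installed is in.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the PEM files that
# OS X Server keeps in /etc/certificates before assuming Apache or
# Profile Manager will hand clients a complete chain.
#
# Usage: check_chain LEAF.cert.pem CHAIN.pem ROOT.pem
#   LEAF.cert.pem  the server (or code-signing) certificate
#   CHAIN.pem      the .chain.pem file, which should hold the intermediate CA(s)
#   ROOT.pem       the self-signed root CA that the clients already trust
# Exit status is 0 only if LEAF verifies up to ROOT using nothing but
# CHAIN as untrusted intermediates.

# Print subject and issuer of every certificate in a PEM bundle, so you
# can see at a glance which CA is present and which one is missing.
list_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout
}

# Count how many certificates a PEM bundle contains.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

check_chain() {
    leaf=$1
    chain=$2
    root=$3
    echo "chain file $chain holds $(count_certs "$chain") certificate(s):"
    list_certs "$chain"
    # Only ROOT is trusted; CHAIN may only supply intermediates. A .chain.pem
    # that holds the root (or nothing useful) instead of the intermediate
    # fails here with "unable to get local issuer certificate", the same
    # symptom the clients showed in the thread.
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf"
}

# Run directly: ./check_chain.sh LEAF.cert.pem CHAIN.pem ROOT.pem
if [ "$#" -ge 3 ]; then
    check_chain "$1" "$2" "$3"
fi
```

Run it once against the .cert.pem, .chain.pem and root CA of the server certificate and once against the code-signing certificate's files; a failing verify on a file Profile Manager accepted is the quickest way to tell whether the problem is the chain on disk or something else in the trust profile.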

  • by Marc Kerr, Level 1 (0 points), Dec 13, 2013 2:02 PM in response to John Lockwood

    I'm fairly certain you need to also have the intermediate cert on the clients also. I've been adding it to my clients.


    security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/path/to/SelfSignedCert.cer"

  • by John Lockwood, Level 6 (9,349 points), Servers Enterprise, Dec 13, 2013 2:06 PM in response to Marc Kerr

    The trusted profile is supposed to install the certs on the client so that the enrollment profile is trusted.

  • by John Lockwood (Solved answer), Level 6 (9,349 points), Servers Enterprise, Dec 17, 2013 1:05 AM in response to John Lockwood

    Right I have solved my problem. It turns out that while Server.app does offer the ability to import private keys and self-signed certificates from your own self-signed root CA, it does not work! I tried both .pem files and a .p12 file, both types failed even though both types are valid and accepted.


    It will import them but it fails to properly create all the matching files in /etc/certificates; in particular it does not create the private .key.pem file and as a result does not correctly create the .concat.pem file. While it is possible to manually copy the private key to a .key.pem file and this works, even if you 'fix' the .concat.pem file it unfixes it each time you reboot. The keychain did contain proper entries, but Apache and Profile Manager use the copies that are supposed to be in /etc/certificates.


    The only way to get a full working set of four .pem files in /etc/certificates is to create a signing request via Server.app and drag the signed certificate and any intermediate certificate plus the root CA certificate into the pending request window.


    Once I did it this way then my trust profile became verified.


    Note: Importing a code-signing certificate does work; it is only importing the server certificate that has this problem.

  • by Marc Kerr, Level 1 (0 points), Dec 17, 2013 7:26 AM in response to John Lockwood

    W00t! This is good info, thanks.

  • by essandess, Level 1 (28 points), Applications, Jan 17, 2015 7:17 PM in response to John Lockwood

    I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.


    Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.


    I DO NOT have the Code Signing Certificate in my keychain created when OD was created.


    I DO have the four code signing certificate files:


    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem

    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem

    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem

    /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem


    Furthermore, when I search my System keychain passwords for <UUID hash>, I see that I have the password that decrypts these pems, e.g. via the openssl command


    openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'


    What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?


    I am stuck.
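Both the solved answer (Server.app failing to write a usable .key.pem and .concat.pem) and the question just above (four code-signing files on disk, a passphrase in the System keychain, and no certificate visible in Profile Manager) come down to the same question: do the files in /etc/certificates actually belong together? The script below is an added example, not from the thread or from Apple. It assumes only the openssl command-line tool, takes the passphrase for an encrypted .key.pem from the environment variable PASS (so it never appears on the command line or in the process list), and assumes the .concat.pem is meant to be the private key and certificate concatenated, which is what the solved answer implies.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a .key.pem really is
# the private key for a .cert.pem from /etc/certificates, and that a
# .concat.pem bundle carries both parts.
#
# Usage:  PASS='passphrase' ./check_pair.sh X.key.pem X.cert.pem [X.concat.pem]
#         (leave PASS unset for an unencrypted .key.pem)

# SHA-256 of the public key embedded in a certificate.
cert_pub() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256
}

# SHA-256 of the public key derived from a private key. An encrypted
# key is unlocked with the passphrase in $PASS (read via env:, not argv).
key_pub() {
    if [ -n "$PASS" ]; then
        openssl pkey -in "$1" -passin env:PASS -pubout | openssl dgst -sha256
    else
        openssl pkey -in "$1" -pubout | openssl dgst -sha256
    fi
}

# True only if the key and certificate share the same public key.
key_matches_cert() {
    [ "$(key_pub "$1")" = "$(cert_pub "$2")" ]
}

# True only if the bundle has at least one certificate and one private key
# block (plain, RSA, EC or encrypted PKCS#8 headers all count).
concat_complete() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -qE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Run directly: report on the pair and, if given, the concat bundle.
if [ "$#" -ge 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: $1 is the private key for $2"
    else
        echo "MISMATCH: $1 does not belong to $2"
    fi
    if [ "$#" -ge 3 ]; then
        if concat_complete "$3"; then
            echo "OK: $3 holds both a key and a certificate"
        else
            echo "INCOMPLETE: $3 is missing the key or the certificate"
        fi
    fi
fi
```

A mismatch or an incomplete bundle reproduces exactly the state the solved answer describes after a Server.app import, and is a much faster check than waiting for the trust profile to come back unverified on a client.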

  • by essandess, Level 1 (28 points), Applications, Jan 19, 2015 7:33 PM in response to John Lockwood

    I was able to get a code signing certificate from backups into Profile Manager. Here are the steps.

  • by ptrondsen, Level 1 (4 points), Apr 22, 2016 3:43 PM in response to John Lockwood

    This same issue happened to me when I had to nuke my OD Master, as it got corrupted after a reboot.

    I promoted one of my replicas, nuked the OD Master, and then made the Master a Replica and promoted it back to a Master.

    Everything worked great after that, except for Profile Manager: when I tried to enroll a Mac, I got the error "profile cannot be installed".

    So, I checked Profile Manager and it had no signing cert.


    This is what I did to fix it.

    1. Mount my last OD Archive and copy the Certificates folder to the Desktop.

    2. Copy the APNS cert from Keychain to the Desktop.

    3. In Server Admin, under Profile Manager, clicked Configure under Sign Configuration Profiles and clicked Import.

    4. I dragged the Intermediate cert from the Certificates folder and the APNS.p12 in, and Profile Manager now works!