Profile Manager: Missing Trust Profile

4185 Views 5 Replies Latest reply: May 15, 2012 7:25 PM by jake11
Brian S. Campbell Level 1 (75 points)
Apr 16, 2012 6:26 PM

After literally months of trying and giving up on OS X Lion Server configuration, I finally came across the "Using Apple OS X Lion Server as a Home Server" articles and I've got most of it up and running. However, no trust profile was created during the cert setup process. Anyone seen this or have a fix for it? I've found nothing by googling and of course the Lion Server "documentation" is garbage...

Mac mini, Mac OS X (10.7)
  • Jonathan Melville Level 2 (450 points)
    Apr 16, 2012 7:42 PM (in response to Brian S. Campbell)

    Have you assigned an SSL cert for your server to use with services? If not, then there won't be a Trust Profile because there's no cert that the client needs to trust.

    Also, if your cert has been signed by a certificate authority, the trust profile is also not needed because the cert is already trusted by clients. The only point of the trust profile is if you're using a self-signed certificate or maybe if you opt to sign profiles with the default code-signing certificate.

  • Jonathan Melville Level 2 (450 points)
    Apr 17, 2012 8:41 AM (in response to Brian S. Campbell)

    Apple is attempting to make server easy for 'everyday folks' but I don't see it happening.

    You are correct about profiles showing up as 'unverified' even though you have a signed SSL cert. Your SSL certificate actually has nothing to do with the profiles. Profiles have to be signed with something called a code-signing certificate. You can opt to 1: not sign profiles, 2: sign profiles with the default code-signing cert created for you when you set up Server or 3: purchase a code-signing cert from a certificate authority.

    My opinion is you should spend the money to get a valid SSL cert but don't screw with a code-signing cert. A code-signing certificate is much more expensive than an SSL certificate and unless you're deploying profiles to hundreds of users in an enterprise, it's overkill.

  • jake11 Level 1 (30 points)
    May 15, 2012 7:25 PM (in response to Brian S. Campbell)

    I'm still confused in this regard, and all documentation / online courses use a self-signed ssl cert rather than actually purchasing one, so they do not show what the enrollment process should look like with a proper 3rd party root CA signed ssl cert installed. I have not seen consistent behaviour from the server in this regard, which is the problem.

    My understanding was also that if an SSL cert signed by a "trusted" CA was installed (i.e. a CA who is in the trusted CA list on every Mac shipped), the trust profile would not be required. However, I'm getting different results in this regard on three Lion servers I have configured.

    All have valid Push certs, and all 3 servers were set up with proper 3rd party trusted-CA signed SSL certificates, dns is happy, they are all OD masters.

    Problem #1: Server 1 showed the "Trust Profile" for the first 3 client enrollments, then it disappeared. I could still enroll the machines and install user profiles, but they would show as "unverified" while the 3 machines I installed the trust profile on showed as "verified". Does it matter if the profiles are verified or unverified? After turning off Profile Manager and restarting the service, the trust profile returned.

    Problem #2: Server 2 and 3 also were set up in an identical manner. I have not been able to get these two to offer a trust profile. Same as with server 1, I have only installed a 3rd party signed ssl cert (they all work btw, https access does not flag an error). I am using the self-generated code-signing certificate.

    So:

    - What is the ramification of using "unverified" vs "verified" profiles?

    - If a Lion server has a proper trusted-CA signed SSL cert properly installed, should I still have the option to install the trust profile, and if so, should I? I am not using a 3rd-party signed Code Signing Cert.

    Bottom line for me is I don't want to have to touch every machine, I want clients to be able to enroll themselves. However, I have taught them never, ever to accept a certificate if it's not accepted automatically as trusted by their Mac.

    Thanks
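
The distinction this thread turns on, between the SSL certificate and the certificate that signs profiles, can be reproduced with OpenSSL. This is an added example, not part of any post: all certificates and file names are constructed, and it models a client with the trust profile installed as one that has the profile-signing certificate among its trust anchors (an assumption of this sketch).

```shell
#!/bin/sh
# Added example. Every name, subject and file below is constructed.

# Print "verified" if the CMS signature on profile $1 chains to a
# certificate in trust-anchor file $2, otherwise "unverified".
profile_signature_status() {
    if openssl smime -verify -inform der -in "$1" -CAfile "$2" \
        -purpose any -out /dev/null 2>/dev/null; then
        echo verified
    else
        echo unverified
    fi
}

# Create a throwaway self-signed certificate with subject CN=$2 in dir $1.
make_self_signed() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Sign one profile with a self-signed code-signing cert, then check it
# against two trust stores. Prints "<before> <after>".
demo() {
    work=$(mktemp -d)
    make_self_signed "$work/codesign" "Constructed Code Signing Cert"
    make_self_signed "$work/publicca" "Constructed Public CA"

    # Minimal stand-in for a configuration profile payload.
    printf '%s\n' '<plist version="1.0"><dict>' \
        '<key>PayloadType</key><string>Configuration</string>' \
        '</dict></plist>' > "$work/settings.mobileconfig"

    openssl smime -sign -nodetach -outform der \
        -signer "$work/codesign/cert.pem" -inkey "$work/codesign/key.pem" \
        -in "$work/settings.mobileconfig" \
        -out "$work/signed.mobileconfig" 2>/dev/null

    # Client that only trusts the public CA behind the SSL certificate.
    before=$(profile_signature_status "$work/signed.mobileconfig" "$work/publicca/cert.pem")
    # Same client once the signer's certificate is a trust anchor.
    after=$(profile_signature_status "$work/signed.mobileconfig" "$work/codesign/cert.pem")

    rm -rf "$work"
    echo "$before $after"
}

demo   # → unverified verified
```

The signed profile is byte-for-byte the same in both checks; only the client's trust anchors differ, which is why a CA-signed SSL certificate alone does not change the result.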
