Larry Goldman

Q: Configuration Profile Code-Signing Certificates

Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.

 

I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.

 

How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

Mac OS X (10.7.1)

Posted on Jul 23, 2012 5:24 PM

Close

Q: Configuration Profile Code-Signing Certificates

  • All replies
  • Helpful answers

  • by Jonathan Melville,

    Jonathan Melville Jonathan Melville Jul 24, 2012 8:39 AM in response to Larry Goldman
    Level 2 (450 points)
    Jul 24, 2012 8:39 AM in response to Larry Goldman

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.

     

    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.

     

    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

  • by Larry Goldman,

    Larry Goldman Larry Goldman Jul 24, 2012 12:11 PM in response to Jonathan Melville
    Level 1 (9 points)
    Servers Enterprise
    Jul 24, 2012 12:11 PM in response to Jonathan Melville

    I will rephrase the question: Lion Server created its own self-signed Code-signing cert. Certs rely on a chain of trust to roots that are already present on client machines.

     

    Is there a way to create a Code-signing cert based on a trusted SSL cert?

     

    (Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

  • by Jonathan Melville,Solvedanswer

    Jonathan Melville Jonathan Melville Jul 24, 2012 12:19 PM in response to Larry Goldman
    Level 2 (450 points)
    Jul 24, 2012 12:19 PM in response to Larry Goldman

    You're misunderstanding how the trust chain works.

     

    The only entity that can issue secure certificates are certificate authorities. An SSL certificate is not a certificate authority, it's just a certificate.

     

    So you can't "generate" a code-signing certificate from an SSL certificate. An SSL certificate is not part of a trust chain for a code-signing certificate. If you need a code-signing cert, you must have it issued to you by a certificate authority.

    (Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

     

    That is true.

  • by Larry Goldman,

    Larry Goldman Larry Goldman Jul 24, 2012 12:38 PM in response to Jonathan Melville
    Level 1 (9 points)
    Servers Enterprise
    Jul 24, 2012 12:38 PM in response to Jonathan Melville

    Good answer. Thanks.

  • by Jonathan Melville,

    Jonathan Melville Jonathan Melville Jul 24, 2012 12:40 PM in response to Larry Goldman
    Level 2 (450 points)
    Jul 24, 2012 12:40 PM in response to Larry Goldman

    Glad to help!

  • by Gerard Dirks,

    Gerard Dirks Gerard Dirks Feb 20, 2014 12:48 AM in response to Larry Goldman
    Level 1 (38 points)
    Desktops
    Feb 20, 2014 12:48 AM in response to Larry Goldman

    Hello

     

    Ist their a way to delete this certicate (and warning). We don't use this, but we get a warning every 24 hours from our 10.8.5 Server