
Configuration Profile Code-Signing Certificates

Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.


I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.


How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

Mac OS X (10.7.1)

Posted on Jul 23, 2012 5:22 PM

6 replies

Jul 24, 2012 8:39 AM in response to Larry Goldman

You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.


** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert is more useful than a code-signing cert.


** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

Jul 24, 2012 12:11 PM in response to Jonathan Melville

I will rephrase the question: Lion Server created its own self-signed Code-signing cert. Certs rely on a chain of trust to roots that are already present on client machines.


Is there a way to create a Code-signing cert based on a trusted SSL cert?


(Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

Jul 24, 2012 12:19 PM in response to Larry Goldman

You're misunderstanding how the trust chain works.


The only entities that can issue secure certificates are certificate authorities. An SSL certificate is not a certificate authority, it's just a certificate.


So you can't "generate" a code-signing certificate from an SSL certificate. An SSL certificate is not part of a trust chain for a code-signing certificate. If you need a code-signing cert, you must have it issued to you by a certificate authority.

(Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)


That is true.
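
The point made in the reply above, as an added example that is not part of the original thread: a constructed demo root CA issues an SSL certificate and a code-signing certificate, then the SSL certificate's key is used to sign a second code-signing certificate, and `openssl verify` rejects that one because its issuer is marked `CA:FALSE`. All names (`Demo Root CA`, `tls`, `signer-from-ca`, `signer-from-tls`) and the `demo.cnf` file are assumptions made up for the demo.

```shell
#!/usr/bin/env bash
# Added example. Every key, name and certificate below is throwaway sample data.
WORK=$(mktemp -d)

build_certs() (
  cd "$WORK" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[tls]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[codesign]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
  # Stand-in for the commercial CA's root certificate.
  openssl req -x509 -config demo.cnf -extensions root -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 30 || exit 1
  # issue NAME SECTION SIGNER: new key and CSR, signed by SIGNER with SECTION's extensions.
  issue() {
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -extfile demo.cnf -extensions "$2" -days 30 -out "$1.pem"
  }
  issue tls tls root &&                  # the purchased SSL certificate
  issue signer-from-ca codesign root &&  # code-signing cert issued by the CA
  issue signer-from-tls codesign tls     # code-signing cert "based on" the SSL cert
) >/dev/null 2>&1

# is_ca NAME: true only if the certificate says basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q "CA:TRUE"; }

# chain_ok LEAF [INTERMEDIATE]: does LEAF verify up to the demo root?
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" ${2:+-untrusted "$WORK/$2.pem"} \
    "$WORK/$1.pem" >/dev/null 2>&1
}

build_certs || { echo "certificate setup failed" >&2; exit 1; }
chain_ok signer-from-ca && echo "issued by the CA: chain verifies"
chain_ok signer-from-tls tls || echo "issued by the SSL cert: chain rejected"
```

Signing with the SSL certificate's key succeeds mechanically; it is the verifier on the client that refuses the result, which is why the certificate has to come from the CA.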
