Newsroom Update

Beginning in May, a special Today at Apple series titled “Made for Business” will offer small business owners and entrepreneurs free opportunities to learn how Apple products and services can support their growth and success. Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Larry Goldman
Larry Goldman Author
User level: Level 1
12 points

Configuration Profile Code-Signing Certificates

Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.


I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.


How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

Mac OS X (10.7.1)

Posted on Jul 23, 2012 5:22 PM

Reply
6 replies
User profile for user: Jonathan Melville
Jonathan Melville
User level: Level 2
450 points

Jul 24, 2012 8:39 AM in response to Larry Goldman

You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.


** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.


** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

Reply
User profile for user: Larry Goldman
Larry Goldman Author
User level: Level 1
12 points

Jul 24, 2012 12:11 PM in response to Jonathan Melville

I will rephrase the question: Lion Server created its own self-signed Code-signing cert. Certs rely on a chain of trust to roots that are already present on client machines.


Is there a way to create a Code-signing cert based on a trusted SSL cert?


(Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

Reply
User profile for user: Jonathan Melville
Jonathan Melville
User level: Level 2
450 points

Jul 24, 2012 12:19 PM in response to Larry Goldman

You're misunderstanding how the trust chain works.


The only entity that can issue secure certificates are certificate authorities. An SSL certificate is not a certificate authority, it's just a certificate.


So you can't "generate" a code-signing certificate from an SSL certificate. An SSL certificate is not part of a trust chain for a code-signing certificate. If you need a code-signing cert, you must have it issued to you by a certificate authority.

(Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)


That is true.

Reply

Configuration Profile Code-Signing Certificates

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up