6 Replies Latest reply: Feb 20, 2014 12:48 AM by Gerard Dirks
Larry Goldman Level 1 (5 points)

Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.

I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.

How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?


Mac OS X (10.7.1)
  • Jonathan Melville Level 2 (450 points)

    You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.

    ** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert is more useful than a code-signing cert.

    ** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

  • Larry Goldman Level 1 (5 points)

    I will rephrase the question: Lion Server created its own self-signed Code-signing cert. Certs rely on a chain of trust to roots that are already present on client machines.

    Is there a way to create a Code-signing cert based on a trusted SSL cert?

    (Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

  • Jonathan Melville Level 2 (450 points)

    You're misunderstanding how the trust chain works.

    The only entities that can issue secure certificates are certificate authorities. An SSL certificate is not a certificate authority, it's just a certificate.

    So you can't "generate" a code-signing certificate from an SSL certificate. An SSL certificate is not part of a trust chain for a code-signing certificate. If you need a code-signing cert, you must have it issued to you by a certificate authority.

    (Besides being used for configuration profiles, this would be useful for software developers who want to distribute their code securely...)

    That is true.
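
The point Jonathan makes above can be seen directly with openssl. The script below is an added example, not code from this thread or from Apple's server tooling: it builds a throwaway PKI in a temporary directory, issues an end-entity SSL server certificate from a root, then has that server certificate "issue" a code-signing certificate the way the original question asks. Every name in it (Example Root CA, server.example.com, Profile Signing) is constructed, and it assumes openssl 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example (not from the thread or Apple): why an end-entity SSL
# certificate cannot be the issuer of a code-signing certificate.
# All subject names are constructed. Requires openssl 1.1.1 or newer.

build_demo_pki() {
    DEMO_DIR=$(mktemp -d)

    # Own config so the demo does not depend on the system openssl.cnf.
    # The v3_ca section is what makes a certificate an issuer: CA:TRUE plus
    # the keyCertSign key usage. A server certificate never carries these.
    cat > "$DEMO_DIR/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Root CA: stand-in for the public CA that sold the SSL certificate.
    openssl req -x509 -config "$DEMO_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" \
        >/dev/null 2>&1

    # 2. SSL server certificate issued by that CA: an end-entity certificate
    #    (CA:FALSE, serverAuth), like the purchased one in the question.
    cat > "$DEMO_DIR/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -config "$DEMO_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.com" \
        -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$DEMO_DIR/server.csr" -CA "$DEMO_DIR/ca.pem" \
        -CAkey "$DEMO_DIR/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$DEMO_DIR/server.ext" -out "$DEMO_DIR/server.pem" >/dev/null 2>&1

    # 3. What the question asks for: a code-signing certificate whose issuer
    #    is the server certificate. openssl may produce the bytes, but no
    #    client will accept the resulting chain.
    cat > "$DEMO_DIR/codesign.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
    openssl req -new -config "$DEMO_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Profile Signing" \
        -keyout "$DEMO_DIR/codesign.key" -out "$DEMO_DIR/codesign.csr" >/dev/null 2>&1
    openssl x509 -req -in "$DEMO_DIR/codesign.csr" -CA "$DEMO_DIR/server.pem" \
        -CAkey "$DEMO_DIR/server.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$DEMO_DIR/codesign.ext" -out "$DEMO_DIR/codesign.pem" >/dev/null 2>&1 \
        || echo "note: this openssl refused to sign with a non-CA issuer" >&2
}

# Returns 0 when the certificate may issue other certificates (CA:TRUE).
is_issuer() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Returns 0 when $2 chains to the trusted root $1, using $3 (if given) as
# an untrusted intermediate, exactly as a client's verifier would.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

build_demo_pki
yn() { "$@" && echo yes || echo no; }
echo "root CA may issue certs:      $(yn is_issuer "$DEMO_DIR/ca.pem")"
echo "server cert may issue certs:  $(yn is_issuer "$DEMO_DIR/server.pem")"
echo "server cert chains to root:   $(yn chain_ok "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem")"
echo "code-signing cert chains:     $(yn chain_ok "$DEMO_DIR/ca.pem" "$DEMO_DIR/codesign.pem" "$DEMO_DIR/server.pem")"
# The reason openssl gives: the would-be issuer is not a CA.
openssl verify -CAfile "$DEMO_DIR/ca.pem" -untrusted "$DEMO_DIR/server.pem" \
    "$DEMO_DIR/codesign.pem" 2>&1 | grep -i 'error' || true
```

The server certificate verifies against the root, but the certificate it "issued" does not: openssl reports an invalid CA certificate at depth 1 because the server certificate has CA:FALSE and lacks keyCertSign, which is exactly what Lion Server's own chain had to satisfy when it derived its default code-signing certificate from a self-signed CA rather than from a leaf. The generated files are left in $DEMO_DIR for inspection with `openssl x509 -text`.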

  • Larry Goldman Level 1 (5 points)

    Good answer. Thanks.

  • Jonathan Melville Level 2 (450 points)

    Glad to help!

  • Gerard Dirks Level 1 (30 points)

    Hello

    Is there a way to delete this certificate (and warning)? We don't use this, but we get a warning every 24 hours from our 10.8.5 Server