Renew code signing certificate mountain lion server

Hello to all


Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re-enrolling all devices?

We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...

So it's really critical not to re-enroll all devices.


Is there any way to do this?

Thank you for your help.

Mac Pro, OS X Mountain Lion (10.8.2)

Posted on May 11, 2013 10:03 AM

16 replies

May 13, 2013 8:52 AM in response to SparkyArtt

Hello there.


You may want to take a look at the article "OS X Server: Renewing Profile Manager's code signing certificate"


Here's the bit that addresses Mountain Lion Server:


With OS X Mountain Lion, you receive an alert in Server.app 30 days before the certificate expires. Afterwards, an alert is shown in Server.app once a day until the certificate is renewed. The alert includes a Renew button that allows you to renew the certificate.


Hope that helps,

Griff W.

Jul 13, 2013 5:47 AM in response to Mr J Smith

Having the same problem as you. Replace does nothing... Followed instructions at http://support.apple.com/kb/HT5358 but it does not work. Had to adapt as certadmin is in a different directory for me. If I check for it with which certadmin I get /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin.


Have you had any luck since? Also got a bunch of devices.

Jul 14, 2013 5:43 AM in response to joopie99

Did it manually as per the instructions for 10.7 (even though I have 10.8) at http://support.apple.com/kb/HT5358. Worked for me with joopie99's certadmin path (also seen here http://swytechnotes.wordpress.com/2013/02/14/mdm-code-signing-certificate-renewal/):


sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c


with the details gathered earlier of course.

Jan 20, 2014 3:05 PM in response to Ton Krol

When I put this in I am just getting the following response



Usage: certadmin

--get-private-key-passphrase [path]

Retrieve the passphrase for the private key at [path] from the keychain



--default-certificate-path

Retrieve the full path for the default certificate

--default-certificate-authority-chain-path

Retrieve the full path for the default certificate authority chain

--default-private-key-path

Retrieve the full path for the default private key

--default-concatenation-path

Retrieve the full path for the default certificate + private key concatenation

--create-default-self-signed-identity

Creates a default self signed identity (certificate + private key) using the hostname

--recreate-self-signed-certificate subject serial_number

Recreate an existing self signed certificate

--recreate-CA-signed-certificate subject issuer serial_number

Recreate an existing certificate signed by an OpenDirectory CA


Where you have "192173c1c", is this meant to be the serial number?

Jul 20, 2014 12:29 PM in response to beststart

I think all original posters have resolved this problem, but I am posting so if others have the same problem they know what to look for...


Watch for the smart quotes and dashes when entering into terminal...most text editing programs, including TextEdit, will replace the double dash with a single, longer dash and the straight quotes with smart quotes. This does not seem to happen if you type directly into the Terminal window instead of copying and pasting.
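
A pre-flight check for the substitution described in the post above, as an added example that is not part of the thread or of Apple's documentation: it flags smart quotes and long dashes in a pasted command and prints a corrected form for review instead of running it. The function names are hypothetical, the sample is built from the command quoted earlier in the thread, and the normalization assumes every long dash started out as a double hyphen.

```shell
#!/bin/sh
# Added example: detect editor-substituted punctuation in a pasted command.
# Function names are hypothetical; nothing here executes the pasted text.

# UTF-8 byte sequences of the characters that "smart" substitution produces.
LDQ=$(printf '\342\200\234')     # U+201C left double quote
RDQ=$(printf '\342\200\235')     # U+201D right double quote
LSQ=$(printf '\342\200\230')     # U+2018 left single quote
RSQ=$(printf '\342\200\231')     # U+2019 right single quote
ENDASH=$(printf '\342\200\223')  # U+2013 en dash
EMDASH=$(printf '\342\200\224')  # U+2014 em dash

# has_typographic CMD: succeed if CMD contains any of the characters above.
has_typographic() {
    case $1 in
        *"$LDQ"*|*"$RDQ"*|*"$LSQ"*|*"$RSQ"*|*"$ENDASH"*|*"$EMDASH"*) return 0 ;;
    esac
    return 1
}

# normalize_cmd CMD: print CMD with straight quotes and "--" restored.
# Assumption: each long dash replaced a double hyphen, as the post describes.
normalize_cmd() {
    printf '%s\n' "$1" | LC_ALL=C sed \
        -e "s/$LDQ/\"/g" -e "s/$RDQ/\"/g" \
        -e "s/$LSQ/'/g" -e "s/$RSQ/'/g" \
        -e "s/$ENDASH/--/g" -e "s/$EMDASH/--/g"
}

# Constructed sample: the thread's command as it looks after a round trip
# through an editor with smart quotes and smart dashes enabled.
PASTED="sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin \
${EMDASH}recreate-CA-signed-certificate \
${LDQ}myserver.mydomain.com Code Signing Certificate${RDQ} \
${LDQ}IntermediateCA_MYSERVER.MYDOMAIN.COM_1${RDQ} 192173c1c"

if has_typographic "$PASTED"; then
    echo "Substituted punctuation found. Review this corrected form before running it:"
    normalize_cmd "$PASTED"
fi
```

With the long dash in place, certadmin does not recognize the option and prints its usage text, which matches the response quoted in the January 2014 post.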

Nov 24, 2014 9:32 AM in response to mgabriel1

I had the same errors pop up recently. Every day, there would be a new alert from the server.


My solution turned out a bit different. First we confirmed the drive was ok (disk utility verify disk, run the permissions repair). Then opened the Server Admin. I turned off the profile manager (as well as all services that use the cert such as calendar, contacts, messaging), waited out the spinner until it stopped, went back to the alert, used the simplistic Renew button. Waited for all the spinning to stop. Went back to the Profile Manager. Even though we don't use the Device management services, the 'Sign configuration profiles' box does appear. Selected it, hit Edit, and selected the cert from the pulldown select menu. Turned on the Profile Manager, made sure the Default configuration profile had the Include configuration for services checked. Turned on the services we turned off earlier.


On each account for each device (iPhone, mbp, mba, iPad), we had to check the service, accept and trust the self-signed cert. After that, we appear to be out of the woods.
