14 Replies Latest reply: Nov 24, 2014 9:32 AM by Paul Vail
SparkyArtt Level 1 Level 1 (10 points)

Hello to all

 

Can you please let me know if there is a way to renew the self-signed code signing certificate for the server WITHOUT re-enrolling all devices?

We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...

So it's really critical not to re-enroll all devices.

 

Is there any way to do this?

Thank you for your help.


Mac Pro, OS X Mountain Lion (10.8.2)
  • SparkyArtt Level 1 Level 1 (10 points)

    Anyone??? Any ideas??

    Thank you

  • griff w Community Specialists Community Specialists (3,445 points)

    Hello there.

     

    You may want to take a look at the article "OS X Server: Renewing Profile Manager's code signing certificate"

     

    Here's the bit that addresses Mountain Lion Server:

     

    With OS X Mountain Lion, you receive an alert in Server.app 30 days before the certificate expires. Afterwards, an alert is shown in Server.app once a day until the certificate is renewed. The alert includes a Renew button that allows you to renew the certificate.

     

    Hope that helps,

    Griff W.

  • Mr J Smith Level 1 Level 1 (10 points)

    Hey there griff w, I followed the Renew process, but I'm still getting a server alert saying my Code Cert is due to expire soon, and I get a "Replace" button rather than Renew, but clicking that doesn't seem to do anything.

     

    Any ideas on that one?

     

    Kind regards,

     

    Chris

  • joopie99 Level 1 Level 1 (0 points)

    Having the same problem as you.. Replace does nothing... followed the instructions at http://support.apple.com/kb/HT5358 but it does not work. Had to adapt as certadmin is in a different directory for me. If I check for it with `which certadmin` I get /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin.

     

    Have you had any luck since? also got bunch of devices

  • Alan Hill Level 1 Level 1 (0 points)

    Did it manually as per the instructions for 10.7 (even though I have 10.8) at http://support.apple.com/kb/HT5358; worked for me with joopie99's certadmin path (also seen here http://swytechnotes.wordpress.com/2013/02/14/mdm-code-signing-certificate-renewal/):

     

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c

     

    with the details gathered earlier of course.

  • BrettLHolmes Level 1 Level 1 (0 points)

    Thanks,

     

    This definitely works. Just remember the serial number must be lowercase as described, otherwise you get a "cannot find certificate" message, which is misleading.

  • jpawelchak Level 1 Level 1 (0 points)

    Alan Hill & BrettHolmes,

     

    Can you kindly confirm whether, after following these instructions, you had to remove the trust profile and re-enroll the devices or not?

     

    Thank you in advance.

  • dankgus Level 1 Level 1 (0 points)

    I know this thread is old but I too am wondering, did you have to remove the trust profile and enrollment profile and re-enroll the devices?

     

    THANKS!
    --Dan

  • BrettLHolmes Level 1 Level 1 (0 points)

    Hi Dan

    I believe if you renew it before it expires then you do not have to re-enroll them, but if renewed after it expires, then yes. I renewed before, so did not appear to have any issues.

     

    Brett

  • Ton Krol Level 1 Level 1 (0 points)

    Thanks!

     

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "myserver.mydomain.com Code Signing Certificate" "IntermediateCA_MYSERVER.MYDOMAIN.COM_1" 192173c1c

     

    This worked for me!

  • beststart Level 1 Level 1 (0 points)

    When I put this in I am just getting the following response

     

     

    Usage: certadmin

        --get-private-key-passphrase [path]    

          Retrieve the passphrase for the private key at [path] from the keychain

     

     

        --default-certificate-path

          Retrieve the full path for the default certificate

        --default-certificate-authority-chain-path

          Retrieve the full path for the default certificate authority chain

        --default-private-key-path

          Retrieve the full path for the default private key

        --default-concatenation-path

          Retrieve the full path for the default certificate + private key concatenation

        --create-default-self-signed-identity

          Creates a default self signed identity (certificate + private key) using the hostname

        --recreate-self-signed-certificate subject serial_number

          Recreate an existing self signed certificate

        --recreate-CA-signed-certificate subject issuer serial_number

          Recreate an existing certificate signed by an OpenDirectory CA

     

    Where you have "192173c1c", is this meant to be the serial number?

  • beststart Level 1 Level 1 (0 points)

    Went and read the other thread as well, didn't have it as a hexadecimal serial number.

  • mgabriel1 Level 1 Level 1 (0 points)

    I think all original posters have resolved this problem, but I am posting so if others have the same problem they know what to look for...

     

    Watch for the smart quotes and dashes when entering into terminal...most text editing programs, including TextEdit, will replace the double dash with a single, longer dash and the straight quotes with smart quotes.  This does not seem to happen if you type directly into the Terminal window instead of copying and pasting.
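An added example, not code from the thread or from Apple's article, that puts the three points above together: the certadmin command Alan Hill posted, Brett's note that the serial must be lowercase hex, and mgabriel1's warning about smart quotes and dashes. It is a POSIX shell script that pulls the CN out of an openssl-style subject/issuer line, lowercases the serial (dropping a `serial=` prefix or keychain colons), refuses any field that carries typographic quotes or dashes, and prints the exact certadmin line to run. The certadmin path is the one joopie99 reported; the subject, issuer and serial are constructed sample values in the shape `openssl x509 -noout -subject -issuer -serial` prints, and the PEM file name in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple's HT5358 article: assemble the
# certadmin --recreate-CA-signed-certificate command from a certificate's
# subject, issuer and serial, guarding against the two pitfalls reported in the
# thread (an uppercase serial, and smart quotes/dashes pasted from TextEdit).
# The certadmin path is the one reported in the thread; the certificate names
# and serial below are constructed sample values, not real ones.

CERTADMIN=/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin

# Extract the CN from an openssl-style DN line such as
#   "subject= /CN=myserver.mydomain.com Code Signing Certificate/O=Example"
cn_from_dn() {
    printf '%s\n' "$1" | sed -n 's#.*CN=\([^/]*\).*#\1#p'
}

# Lowercase the serial as openssl prints it ("serial=192173C1C") or as the
# keychain shows it ("19:21:73:C1:C"); certadmin only finds the certificate
# when the hex digits are lowercase. Leading zeros are left alone.
normalize_serial() {
    printf '%s\n' "$1" | sed -e 's/^serial=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Return 0 if the string contains typographic quotes or dashes that a text
# editor substituted for straight quotes and "--"; return 1 otherwise.
has_smart_punct() {
    case "$1" in
        *“*|*”*|*‘*|*’*|*–*|*—*) return 0 ;;
    esac
    return 1
}

# Print the exact command to run, or fail if any field carries smart punctuation.
build_recreate_cmd() {
    subject=$1; issuer=$2; serial=$3
    for f in "$subject" "$issuer" "$serial"; do
        if has_smart_punct "$f"; then
            echo "refusing: smart quote or dash in '$f'" >&2
            return 1
        fi
    done
    serial=$(normalize_serial "$serial")
    printf 'sudo %s --recreate-CA-signed-certificate "%s" "%s" %s\n' \
        "$CERTADMIN" "$subject" "$issuer" "$serial"
}

# Constructed sample output, in the shape printed by
#   openssl x509 -in code-signing.cert.pem -noout -subject -issuer -serial
# (file name is a placeholder; run it against the exported code signing cert):
SAMPLE_SUBJECT='subject= /CN=myserver.mydomain.com Code Signing Certificate'
SAMPLE_ISSUER='issuer= /CN=IntermediateCA_MYSERVER.MYDOMAIN.COM_1'
SAMPLE_SERIAL='serial=192173C1C'

# Build the command for the sample certificate.
demo() {
    build_recreate_cmd "$(cn_from_dn "$SAMPLE_SUBJECT")" \
                       "$(cn_from_dn "$SAMPLE_ISSUER")" \
                       "$SAMPLE_SERIAL"
}

demo
```

Running the script prints the command with straight quotes and a lowercase serial; paste that line into Terminal rather than retyping it. Feeding it a field copied from TextEdit that contains a curly quote or an en/em dash makes it stop with a "refusing" message instead of producing a command that certadmin would reject.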

  • Paul Vail Level 1 Level 1 (140 points)

    I had the same errors pop up recently.   Every day, there would be a new alert from the server.

     

    My solution turned out a bit different.   First we confirmed the drive was ok (disk utility verify disk, run the permissions repair).   Then opened the Server Admin.  I turned off the profile manager (as well as all services that use the cert such as calendar, contacts, messaging), waited out the spinner until it stopped, went back to the alert, used the simplistic Renew button.   Waited for all the spinning to stop.  Went back to the Profile Manager.  Even though we don't use the Device management services, the 'Sign configuration profiles' box does appear.  Selected it, hit Edit, and selected the cert from the pulldown select menu.  Turned on the Profile Manager, made sure the Default configuration profile had the Include configuration for services checked.   Turned on the services we turned off earlier.

     

    On each account for each device (iPhone, mbp, mba, iPad), we had to check the service, accept and trust the self-signed cert.   After that, we appear to be out of the woods.