Newsroom Update

Beginning in May, a special Today at Apple series titled “Made for Business” will offer small business owners and entrepreneurs free opportunities to learn how Apple products and services can support their growth and success. Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: John Lockwood
John Lockwood Author
User level: Level 6
13,685 points

Argh! Profile Manager and Code-Signing of profiles

I am setting up Profile Manager in Mavericks with Server.app 3.0.1.


I have DNS correctly setup, I have created an OD Master for Profile Manager, Profile Manager is running and network users can login and I can setup profiles. I also have the https site working properly for clients although that needed some help.


We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates, and one for signing codesigning certificates. On my server I have installed the rootCA, and the intermediate CAs and of course the server SSL certificate itself. As mentioned initially I had a problem with the https site on the server and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)


As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates it turned out that of the four files for the server certificate i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem that the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache and clients now get the full chain and can therefore trust the https site.


My problem now is with the codesigning certificate, this also has been selfsigned this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.


I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates but this did not help. I am currently stuck, any suggestions from any one?


Thanks.

Posted on Dec 13, 2013 3:37 AM

Reply
8 replies
User profile for user: Marc-Etienne HUNEAU
Marc-Etienne HUNEAU
User level: Level 1
8 points

Jan 12, 2017 2:26 AM in response to John Lockwood

Related but not quite :


A few weeks ago, out profile manager was broken, for some reason. I poke around before realising the time machine backup had failed. And I renewed the certificates. At least one, don't remember which one. I was clueless.


As a logical result, I lost connectivity with all the managed devices.


No backup. So, I got a third-party signed SSL certificate, added it to the server and the devices accepted to connect, since they could trust the server again.


Only problem, I can NOT add new devices. Adding the management profile to them fails because of a certificate problem (it seems). Same from Configurator and from /mydevices/.


Now, I have several certificates. The root, the Intermediate, the code-signing (which is self signed, I did not buy a code signing certificate). I'm going to try and re-import the SSL certificate and its intermediate, but I doubt it's gonna fix my problem.


Question is : would buying a code-signing certificate work ?


This is all so fuzzy...

Reply
User profile for user: John Lockwood
John Lockwood Author
User level: Level 6
13,685 points

Dec 17, 2013 1:05 AM in response to John Lockwood

Right I have solved my problem. It turns out that while Server.app does offer the ability to import private keys and self-signed certificates from your own self-signed root CA, it does not work! I tried both .pem files and a .p12 file, both types failed even though both types are valid and accepted.


It will import them but it fails to create properly all the matching files in /etc/certificates in particular it does not create the private .key.pem file and as a result does not correctly create the .concat.pem file. While it is possible to manually copy the private key to a .key.pem file and this works, even if you 'fix' the .concat.pem file it unfixes it each time you reboot. The keychain did contain proper entries but Apache and Profile Manager use the copies that are supposed to be in /etc/certificates


The only way to get a full working set of four .pem files in /etc/certificates is to creating a signing request via Server.app and drag the signed-certificate and any intermediate certificate plus the root CA certificate in to the pending request window.


Once I did it this way then my trust profile became verified.


Note: Importing a code-signing certificate does work, it is only importing the server certificate that has this problem.

Reply
User profile for user: essandess
essandess
User level: Level 1
41 points

Jan 17, 2015 7:17 PM in response to John Lockwood

I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.


Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.


I DO NOT have the Code Signing Certificate in my keychain created when OD was created.


I DO have the four code signing certificate files:


/etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem

/etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem

/etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem

/etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem


Furthermore, when I search my System keychain passwords, for <UUID hash>, I see that have the password that decrypts these pem's, e.g. via the openssl command


openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'


What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?


I am stuck.

Reply
User profile for user: ptrondsen
ptrondsen
User level: Level 1
4 points

Apr 22, 2016 3:43 PM in response to John Lockwood

This same issue happened to me when I had to nuke my OD Master as got corrupted after a reboot.

I promoted one of my replicas, nuked the OD Master, and then made the Master a Replica and promoted it back to a Master.

Everything worked great after that, except for Profile Manager, when I tried to enroll a Mac, I got the error profile cannot be installed.

So, I checked profile manager and it had no signing cert.


This is what I did to fix it.

1. Mount my last OD Archive and copy the Certificates folder to the Desktop.

2. Copy the APNS cert from Keychain to the Desktop.

3. In Server Admin, under Profile Manager, clicked Configure under Sign Configuration Profiles and clicked import.

4. I dragged the Intermediate cert from the Certificates folder and the APNS.p12 in, and Profile Manager now works!

Reply

Argh! Profile Manager and Code-Signing of profiles

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up