Profile Manager: How to Add a Code Signing Certificate to Sign Configuration Profiles
This post describes one way to get a Code Signing Certificate into Profile Manager when it doesn't show a code signing certificate to sign configuration profiles. This was working originally, but I found that I DO NOT have the Code Signing Certificate in my keychain created when OD was created.
I did have good backups: Time Machine had a /Library/Keychains/System.keychain that had the original code signing certificate. I also had a bootable clone from Carbon Copy Cloner.
Step 0, Copy over the old System keychain and encrypted System keychain password:
sudo cp /BackupVolume/Library/Keychains/System.keychain ~/Downloads/System-codesign.keychain
sudo cp /BackupVolume/var/db/SystemKey ~/Downloads/SystemKey-codesign
Step 1, Extract the Code Signing Certificate from the old System keychain:
You'll have to copy the backed-up System.keychain and SystemKey into the clone and boot the clone to access this system keychain:
sudo cp -p /CloneVolume/Library/Keychains/System.keychain /CloneVolume/Library/Keychains/System-backup.keychain
sudo cp -p /CloneVolume/var/db/SystemKey /CloneVolume/var/db/SystemKey-backup
sudo cp ~/Downloads/System-codesign.keychain /CloneVolume/Library/Keychains/System.keychain
sudo cp ~/Downloads/SystemKey-codesign /CloneVolume/var/db/SystemKey
Boot the clone, then export the code signing certificate WITH ITS PRIVATE KEY to an encrypted .p12 file. This cert looks like "hostname.domainname.tld Code Signing Certificate".
Copy the file "hostname.domainname.tld Code Signing Certificate.p12" into the original volume (you'll probably want to keep a backup around).
Reboot into the original box.
Step 3, Import the code signing certificate into Keychain Access. Double-click on the file "hostname.domainname.tld Code Signing Certificate.p12". This will put the code signing certificate into your login keychain's certificates. From Keychain Access, drag this cert WITH ITS PRIVATE KEY into the System keychain.
Step 4, From Keychain Access, Export the code signing certificate into a .cer file, and its private key into a separate .p12 file.
Step 5, Server.app > Profile Manager > click "Sign configuration profiles", then select Import... Drag the .cer certificate into the box, then the .p12 private key.
This should work. You'll now be able to sign configuration profiles, and you should see the code signing certificate in Server.app's Certificates pane.
Mac mini, OS X Mavericks (10.9), Server, 16 GB, EyeTV+Turbo.264 HD
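A check to run after Step 3, added here as an example and not part of the original post: it confirms that the System keychain holds the code signing certificate together with its private key, since `security find-identity` lists only certificates whose private key is present. The host name is the post's placeholder, and the sample output and hash inside the script are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the restored code signing identity after Step 3.
KEYCHAIN=/Library/Keychains/System.keychain

# Reads `security find-identity` output on stdin. Succeeds only if an identity
# line (index, 40-hex-digit SHA-1, quoted name) names
# "<host> Code Signing Certificate". $1 = server host name.
has_codesign_identity() {
    grep -E '^ *[0-9]+\) [0-9A-F]{40} "' |
        grep -F -q "\"$1 Code Signing Certificate\""
}

# Constructed sample: certificate and private key are both in the keychain.
sample_present() {
cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "hostname.domainname.tld Code Signing Certificate"
     1 identities found
EOF
}

# Constructed sample: the certificate was dragged over without its private
# key, so no identity is listed.
sample_missing() {
cat <<'EOF'
Policy: Code Signing
  Matching identities
     0 identities found
EOF
}

# Live check against the System keychain (macOS only).
check_system_keychain() {
    security find-identity -p codesigning "$KEYCHAIN" |
        has_codesign_identity "$1"
}

# Runs only when a host name is given and the `security` tool exists.
if [ -n "${1:-}" ] && command -v security >/dev/null 2>&1; then
    if check_system_keychain "$1"; then
        echo "OK: identity with private key found in $KEYCHAIN"
    else
        echo "MISSING: no '$1 Code Signing Certificate' identity in $KEYCHAIN"
    fi
fi
```

If the check reports MISSING while the certificate is visible in Keychain Access, the private key did not come along in the export or the drag, and Step 5 will have nothing to sign with.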