Josh4758

Q: Why use a 3rd party SSL cert for APN?

When I watch anything on setting up APN for Profile Manager, it is "highly recommended" that a 3rd-party certificate is purchased and used instead of a self-signed one. Can anyone tell me if a self-signed certificate will work at all?

I ask because recently we had everything working using our company's wildcard certificate, and when it expired the server team in charge of the certificates in our organization decided that they give out as few of these as they could (not sure why; is this expensive, or bad practice?). They suggested that I use a self-signed certificate for the Apple server. I did, and made sure that I secured the services using it under Certificates in the Server app. Since then I can see that changes sent to clients are stuck in the pending status.

When I try to install the enrollment profile it says that the certificate server is invalid and that I need to install the trust profile (which I have). What am I missing?

I realize this is not a lot of info to go off of, so hit me!

Thanks, J

Mac mini, OS X Server

Posted on Aug 9, 2016 3:13 PM

Reply by John Lockwood, Level 6 (9,230 points), Servers Enterprise, Aug 10, 2016 2:56 AM in response to Josh4758

    You are confusing two different certificates used by Profile Manager; as it happens, Profile Manager also uses a third, different certificate.

    1. The APN certificate can only be generated by Apple via the Apple Push Certificates Portal.
    2. Profile Manager also uses a code-signing certificate to 'sign' and encrypt profiles. This can either be the one auto-generated by Server.app, a purchased one, or even a 'self-signed' one.
    3. The third certificate used is a standard web-server certificate, which is used to access the Profile Manager web server. This again can be the auto-generated one, a purchased one, or a self-signed one.

    Note: The Trust Profile created by Profile Manager, when installed, tells your client devices to trust the web and code-signing certificates used by Profile Manager if they are self-signed ones and hence would otherwise not be automatically trusted.

    Apple's Keychain Access utility is extremely limited in creating certificates. It can create a self-signed certificate usable as a standard web-server certificate, but it is not able to create code-signing certificates. I did this using the free XCA tool, which is a front-end to OpenSSL.

    If you want to sign apps and installer packages such that they are trusted by Gatekeeper, or are suitable for submission to the App Store, then you need an official Apple Developer account, and via that you can get a Developer signing certificate generated by Apple for you.
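Added example (editorial, not code posted by either participant): the reply says Keychain Access can make a self-signed web-server certificate but not a code-signing one, and that XCA is a front-end to OpenSSL. The script below does with the plain `openssl` CLI what XCA does behind the scenes, generating both kinds of self-signed certificate side by side so the difference is visible in the Extended Key Usage extension. It assumes that the profile-signing certificate Profile Manager wants carries the `codeSigning` EKU and the web certificate the `serverAuth` EKU; the subject names, file names and the `Example Org` organization are illustrative, and nothing here imports the result into Server.app.

```shell
#!/bin/sh
# Added example: self-signed code-signing and web-server certificates made
# with the openssl CLI. Assumption: Profile Manager's profile-signing cert
# needs the codeSigning EKU and its web cert needs serverAuth. Names and
# paths are illustrative.

# Write an openssl config for a self-signed leaf certificate.
#   write_config <conf-path> <eku> <common-name>
# <eku> is "codeSigning" or "serverAuth"; everything else is shared, which
# is exactly why a generic web-server cert is not a code-signing cert.
write_config() {
  conf="$1"; eku="$2"; cn="$3"
  cat > "$conf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no

[ dn ]
CN = $cn
O = Example Org

[ ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, $eku
subjectKeyIdentifier = hash
EOF
}

# Generate a 2048-bit RSA key and a self-signed certificate (365 days).
#   make_cert <dir> <basename> <eku> <common-name>
make_cert() {
  dir="$1"; name="$2"; eku="$3"; cn="$4"
  write_config "$dir/$name.cnf" "$eku" "$cn"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" \
    -config "$dir/$name.cnf" >/dev/null 2>&1
}

# Print the Extended Key Usage of a PEM certificate, e.g. "Code Signing"
# or "TLS Web Server Authentication".
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Succeed when issuer and subject are identical, i.e. the cert is
# self-signed and no client will trust it without a trust profile.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Build both certificates in a scratch directory and show their EKUs.
demo() {
  dir=$(mktemp -d)
  make_cert "$dir" codesign codeSigning "Profile Manager Code Signing Example"
  make_cert "$dir" web serverAuth "server.example.com"
  echo "codesign.crt EKU: $(cert_eku "$dir/codesign.crt")"
  echo "web.crt EKU:      $(cert_eku "$dir/web.crt")"
  echo "files in $dir"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it as `sh selfsigned.sh --demo`; the two `.crt` files differ only in the EKU line, which is the part Keychain Access cannot set. Because both are self-signed, the corresponding `.crt` still has to reach the client through the Trust Profile before enrollment will accept them.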