Profile Manager Trust Profile Certificate expiring

Hi all,


A few of my users started getting notifications that a profile installed on their machines included a certificate that was due to expire soon. While my main SSL certificate is due to be renewed in the fall, I was able to track the issue down to the Trust Profile certificate in Profile Manager.


Please note the server is running OS X 10.12.6 and server version 5.3.1. Clients getting the notification are both Sierra and High Sierra.


If I look at one of the machines and click on the "Remote Management" profile inside System Preferences, it lists two certificates, both with a description of "Trust Profile for SERVER" (where SERVER is my actual server name). One, with the certificate name "SERVER Open Directory Certification Authority", is set to expire May 12th of this year, and the other, named "Profile Manager Device Identity CA", is set to expire in April 2022. The expiring one was issued by the Server Open Directory Authority, and the valid one is issued by Profile Manager Device Identity CA.


I also manually downloaded a Trust Profile by clicking my login in the upper right of Profile Manager and selecting "Download Trust Profile". When I examine this trust profile, it shows the Root Certificate set to the same "SERVER Open Directory Certification Authority" certificate expiring May 12th. There is also a SCEP CA Certificate due to expire in April 2022.


I checked Keychain Access on the server and did find two "SERVER Open Directory Certification Authority" certificates there, one expiring May 12th and the other expiring April 2022. I turned off Profile Manager and OD and then removed the expiring cert from the keychain, and also confirmed the OPENDIRECTORY_ROOT_CA_IDENTITY was set to the one expiring in April 2022, rebooted, and turned OD and Profile Manager back on.


Downloading another Trust Profile still shows the expiring certificate, and enrolling a new machine in Profile Manager still brings down the expiring certificate.



Also, please note that the server itself uses a Go Daddy SSL certificate for all other services listed in the Certificate section of the Server App, including Open Directory.

Does anyone know how I can get rid of the old Trust Certificate and use the one expiring in April 2022?

Thanks!

Mac mini, OS X Yosemite (10.10.1)

Posted on May 3, 2018 1:26 PM
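The inspection described above (opening the downloaded Trust Profile and reading each embedded certificate's expiry) as an added example; it is not code from the post or from Apple's tooling. It assumes the profile is an unsigned XML plist whose certificate payloads (`com.apple.security.root` / `com.apple.security.pkcs1`) carry DER in `PayloadContent`; the profile and certificates built at the bottom are constructed stand-ins, and the ASN.1 walk reads only the validity field, so no OpenSSL is needed.

```python
import plistlib
from datetime import datetime, timedelta, timezone
def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate > tbsCertificate > validity and return notAfter as a UTC datetime."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                               # optional [0] EXPLICIT version
        _, _, pos = _tlv(der, pos)
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                         # validity SEQUENCE
    _, _, pos = _tlv(der, pos)                         # skip notBefore
    tag, s, e = _tlv(der, pos)                         # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiring_payloads(profile_bytes, now, days=60):
    """Return [(PayloadDisplayName, notAfter)] for certificate payloads expiring within `days`."""
    hits = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") in ("com.apple.security.root", "com.apple.security.pkcs1"):
            not_after = cert_not_after(payload["PayloadContent"])
            if not_after - now <= timedelta(days=days):
                hits.append((payload.get("PayloadDisplayName", "?"), not_after))
    return hits

# --- constructed sample input below: not a real certificate and not a real exported profile ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body              # short-form length; sample bodies stay < 128 bytes
def fake_cert(not_after):
    """Unsigned stand-in with real X.509 field order, enough for cert_not_after() to walk."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")           # version v3, serialNumber 1
           + _der(0x30, b"") + _der(0x30, b"")                             # empty signature, issuer
           + _der(0x30, utc(not_after - timedelta(days=365)) + utc(not_after)))   # validity
    return _der(0x30, _der(0x30, tbs))
NOW = datetime(2018, 5, 3, tzinfo=timezone.utc)       # the post's date, for a reproducible run
def sample_profile(now):
    # Shaped like the post's Trust Profile: the OD root CA expiring May 12, a second CA in 2022
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadContent": fake_cert(now + timedelta(days=9)),
         "PayloadDisplayName": "SERVER Open Directory Certification Authority"},
        {"PayloadType": "com.apple.security.root", "PayloadContent": fake_cert(now + timedelta(days=1460)),
         "PayloadDisplayName": "Profile Manager Device Identity CA"}]})
for n, d in expiring_payloads(sample_profile(NOW), NOW): print(n, d.date())   # SERVER Open Directory ... 2018-05-12
```

A signed `.mobileconfig` is a CMS wrapper around this plist, so strip it first (for example `openssl smime -verify -noverify -inform DER -in signed.mobileconfig -out plain.mobileconfig`) before feeding the file to `expiring_payloads`.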


May 18, 2018 7:31 AM in response to Maeric2000

I believe it may be related to the fact that this directory originally was built in 10.6 and migrated up and up over the years, as it's the old OPENDIRECTORY_INT_CA_IDENTITY and OPENDIRECTORY_INT_CA_IDENTITY certificates that are embedded in the Open Directory that are causing the issue (not the main SSL, as that's a Go Daddy cert). Even though Keychain shows identity certs with the same name and a future expiry date, there must be a corruption somewhere within the OD that is causing it to read the old cert date. I did an archive of the OD to take a look, and lo and behold, if you open the archive manually and navigate to the ldap_bk/Cert folder, the old certs/CA is in there.


I have not been able to update the cert; however, I'm now past the May 12 date, and it looks like all my machines are still installing profiles and enrolling as normal, and my users are no longer getting the expiry warnings...


Maybe over the holidays I'll blow away the directory after exporting users and groups, and have everyone rebuild passwords in the new year. It'll suck having to re-enroll everyone and everything but that's the only option I can see to get a proper updated cert in the OD.
