We still have an old macOS server with profile manager running, with a domain wildcard SSL certificate. After renewing the certificate, I checked that https: was working, and also that management profiles could be downloaded. Great!
However, when setting up a new device, the device says that the certificate is invalid, and will not install the profile. Reverting back to the (soon to be expiring) old certificate, everything works fine.
So, I’m at a loss for why this is happening.
As far as I can tell, the root for both certs is the same. In fact, the CA which was provided by Digicert/Geotrust looks to be the same as last year’s. I’ve exhausted my basic knowledge of “openssl” commands trying to spot any differences, to no avail.
In testing, I see the same behavior in iOS16, iOS17, iOS18, macOS14, and macOS15. When using the expiring certificate, new devices can download the profile, but when using the newer certificate, errors occur. Also, with the newer certificate, all of the above devices are able to install profiles (manually, from the /mydevices URL).
One interesting note, is that yesterday the error was “invalid certificate”; however, today, it just says “canceled” (iOS16). I read that ABM was having issues overnight, so this may be related. But, my trouble with new devices and the new certificate started over a week ago.
PS – I’m not using profile manager because I want to. But, feel free to add more reasons why it’s a bad idea (as long as you try to help solve the original problem).