Apple’s Software Update Gets A New Security Certificate That Could Trip Up OS X Server


Lion Server (and Snow Leopard Server) Software Update Server may experience problems beginning tomorrow

Apple uses digital certificates and code signing in various ways to help keep Macs secure. One common example is that apps sold through the Mac App Store are digitally signed, which allows an individual Mac to know that it’s getting the genuine article when a user launches the App Store app. It also allows a Mac to ensure that an application hasn’t been tampered with by a malicious user or a piece of malware each time that app is launched (Mountain Lion’s Gatekeeper feature will be based on the same technology).

The same process is used with Apple’s Software Update servers. Each update from Apple is digitally signed using a certificate that lets each Mac know that it’s getting genuine updates from Apple.

Digital certificates are designed to expire periodically, and tomorrow, March 23, 2012, the certificate associated with Apple’s Software Update functionality will expire. Apple already has a new certificate ready that won’t expire for seven more years (2019). The transition to the new certificate will be transparent for almost all Mac users, but it may create problems with some OS X Server installations.

Those potential problems relate to OS X Server’s Software Update Service (SUS). This service is a longtime OS X Server feature that allows a server to create a local copy of the updates on Apple’s servers. Using the feature offers some pretty powerful advantages for businesses and schools with large Mac populations.

  • It allows IT staff to test any updates with their systems before making them available and to prevent their installation if they find problems
  • Macs in the organization can download and install updates much more quickly from a server on the local network rather than going across the Internet to access Apple’s servers
  • There’s less network congestion around the organization’s Internet connection because dozens or hundreds of Macs aren’t all trying to query Apple’s servers and then download updates from them

Servers running SUS can maintain a backlog of previously downloaded updates from Apple’s servers. If those updates were signed with the expiring certificate, which will no longer be valid starting tomorrow, Macs that download updates from such a server will refuse to install them because their digital signature is no longer valid.

Apple’s suggested course of action for any organization running either Lion Server or Snow Leopard Server with SUS is to remove any previously downloaded updates and re-download them. The new copies will be signed with the new certificate that is valid until 2019 but will otherwise be identical to the older ones. Current updates like the Lion 10.7.3 update will be downloaded automatically, but older updates like Lion 10.7.2 won’t, though they can be downloaded manually from Apple’s support site.
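To make the failure mode and the remedy concrete, here is an added Go example (not Apple’s code, and not Apple’s package or signature format; the key type, the stand-in package layout and the dates are constructed). It shows why a cached update signed under a certificate that expires on 2012-03-23 still has a cryptographically valid signature yet is rejected the next day by a verifier that checks the certificate’s validity window, and why re-signing the same bytes under a certificate valid through 2019 makes it acceptable again.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// SignedUpdate stands in for a cached update package (constructed layout, not Apple's).
type SignedUpdate struct {
	Payload, Sig []byte
	Cert         *x509.Certificate
}

// NewSignedUpdate mints a self-signed signing certificate valid over
// [notBefore, notAfter] and signs the payload with its key.
func NewSignedUpdate(payload []byte, notBefore, notAfter time.Time) (SignedUpdate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SignedUpdate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return SignedUpdate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return SignedUpdate{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return SignedUpdate{Payload: payload, Sig: sig, Cert: cert}, err
}

// VerifyUpdate is the client-side check: the signature must match the payload AND the
// signing certificate must be valid at `now`. A cached package signed under a certificate
// that has since expired fails the second check although its signature still verifies.
func VerifyUpdate(u SignedUpdate, now time.Time) error {
	if err := u.Cert.CheckSignature(x509.ECDSAWithSHA256, u.Payload, u.Sig); err != nil {
		return err
	}
	if now.Before(u.Cert.NotBefore) || now.After(u.Cert.NotAfter) {
		return x509.CertificateInvalidError{Cert: u.Cert, Reason: x509.Expired}
	}
	return nil
}
```

The same structure is why simply keeping the old cached files is not an option: nothing about the bytes changed, only the validity window of the certificate that vouches for them.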