Identity certificate - IOS MDM
I have few questions regarding Identity certificate in Profile Payload.

Forgive the ignorance, if some questions are basic.

1.) I found that we can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key will be known only to the device. So if I am going to implement a SCEP server, do I need to maintain a list of the public keys of the identity certificates mapped to each device, so that I can use them later for encrypting?

2.) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?

3.) What if the identity certificate is expired?

As a basic version while playing around, I tried to add my own p12 certificate to the payload without using SCEP.

I tried to add the base64-encoded p12 certificate in the identity PayloadContent key, as mentioned in some link reference. I got the error

The identity certificate for “Test MDM Profile” could not be found

while installing the profile.

  require 'base64'

  identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
  identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
  identity_payload['PayloadVersion'] = 1
  # base64 text of the .p12 file, placed in PayloadContent as a string
  identity_payload['PayloadContent'] = Base64.encode64(File.read "identity.p12")
  # password used when the .p12 was exported
  identity_payload['Password'] = 'p12Secret'

When I checked the 'Configuration Profile Key Reference', it was mentioned that I should send the binary representation of the payload as Data. So I tried,

  # ConvertToBinary stands for whatever turns the file contents into raw bytes
  identity_payload['PayloadContent'] = ConvertToBinary(File.read "identity.p12")

I got,

The password for the certificate “IdentityCertificate” is incorrect

I am supplying the valid password that was used for exporting the p12 certificate.

What am I doing wrong?

Haines answered 23/4, 2015 at 6:2 Comment(0)

Answering your question:

1) Do I need to maintain a list of the public keys of the identity certificates mapped to each device, so that I can use them later for encrypting?

Yes. You need some kind of mapping. You can do it a couple of ways:

  • Just store in the DB a mapping between the certificate common name and the device UDID.
  • Make the CN contain the UDID (I like this method, because it simplifies initial checks).

And as you pointed out, you will need the public key to encrypt payloads for this device.

2) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?

There are open source implementations of SCEP. As an example, jSCEP has one (I used it) and EJBCA has one (I used it too). I saw other implementations (in Ruby and so on). So, you can find and choose something which works with your stack.

3) You need to renew the identity certificate before it expires (the same way as for any other certificate).

4) If your profile doesn't work, I would recommend creating the same profile in iPhone Configuration Utility and comparing it with yours. Most of the time you have missed just one tag or something like that (it will take a long time to figure it out without comparing it with a working one).

Ruttish answered 27/4, 2015 at 18:16 Comment(8)
"Make the CN contain the UDID": if we are generating the CSR and sending it as a P12 container in the payload, it is possible to define our own CN. But in the SCEP way, the device will generate the CSR, right? Then how can we make our desired text the CN? - Haines

2) Thanks for your reference. I am going to use some trusted CA for signing. Is it possible to have that CA certificate with us and use it to sign certificates in the pkiOperation from a device to our own SCEP server? 3) Could you please elaborate the process of renewing the certificate? Will the renewal request be sent to the SCEP server from the device? - Haines

4) I have created the same in IPCU and all tags are almost the same. The IPCU-created certificate has been installed properly. Then I noticed that the data in PayloadContent of the identity section is different. I just directly extracted the p12 certificate and used its binary. I am not sure what would have gone wrong. FYI, IPCU is no longer available. :) - Haines

1) Yes. The device generates the CSR. However, you specify in the SCEP payload how the CN should look. So, you will define it. - Ruttish

2) Actually, you don't need a trusted CA in this case. It's just a trust between a device and your server. So, a trusted CA could be overkill. However, if you decide to go this route, you can easily use it in jSCEP (as an example). Most of these tools allow you to choose which certificate/private key to use for signing. - Ruttish

3) Frankly, I don't remember all the details about identity certificate renewal. Please check the Apple documentation. They have a whole chapter on this subject. - Ruttish

4) Try to make them exactly the same (maybe except the payload UUIDs). Also, if you have anything base64-encoded, check that they are the same too. If they are different, most likely you are encoding something the wrong way. - Ruttish

4) As I remember, you need to do a Base64-encoded PKCS12 file. BTW, you are doing File.read (I am not sure which language you use; make sure that it can read binary files). - Ruttish
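The two failure modes discussed in the question and in the last comments (base64 text stored where the profile expects Data, and a file read in text mode rather than as bytes) can be reproduced offline. The following is an added example, not code from the asker or the answerer: it builds a throwaway self-signed identity packed as PKCS#12 with Ruby's OpenSSL binding, writes a pkcs12 identity payload with a minimal hand-rolled plist serializer, and then decodes the `<data>` element back the way a device would and checks that it opens with the export password. Everything in it (the PayloadIdentifier value, the helper names, the serializer) is an assumption for illustration; the payload keys themselves are the ones from the question.

```ruby
require 'openssl'
require 'securerandom'

# Constructed test identity: a throwaway self-signed cert + key packed as PKCS#12 DER.
def build_test_identity(password)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=example-device-identity')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'IdentityCertificate', key, cert).to_der
end

# Identity payload in the shape the asker used. `content` is stored as given: pass the
# raw .p12 bytes (e.g. File.binread) and the serializer below emits <data>; pass base64
# text (a US-ASCII/UTF-8 string) and it becomes <string>, which is the first failure mode.
def identity_payload(content, password)
  {
    'PayloadType'       => 'com.apple.security.pkcs12',
    'PayloadIdentifier' => 'com.example.mdm.identity', # hypothetical identifier
    'PayloadUUID'       => SecureRandom.uuid,
    'PayloadVersion'    => 1,
    'PayloadContent'    => content,
    'Password'          => password
  }
end

# Minimal plist writer (not a full implementation): binary strings become <data>,
# text strings <string>, Integers <integer>, Hashes <dict>. Base64 is done with
# Array#pack('m0') so no extra library is needed.
def plist_value(v)
  case v
  when Hash
    "<dict>\n" + v.map { |k, x| "<key>#{k}</key>\n#{plist_value(x)}\n" }.join + '</dict>'
  when Integer
    "<integer>#{v}</integer>"
  when String
    if v.encoding == Encoding::BINARY
      "<data>#{[v].pack('m0')}</data>"
    else
      "<string>#{v.encode(xml: :text)}</string>"
    end
  else
    raise ArgumentError, "unsupported plist type #{v.class}"
  end
end

def to_plist(obj)
  %(<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n#{plist_value(obj)}\n</plist>\n)
end

# Pull PayloadContent back out of the XML as a device would: only a <data> element counts.
# Returns nil when the payload carried a <string> instead.
def payload_content_bytes(xml)
  b64 = xml[%r{<key>PayloadContent</key>\s*<data>(.*?)</data>}m, 1]
  b64 && b64.unpack1('m')
end

# True only if the bytes are a PKCS#12 container that opens with this password.
# Garbage bytes (e.g. base64 text of a .p12, the double-encoding failure mode) and a
# wrong password both surface as PKCS12Error, which is what the installer reports.
def identity_opens?(der, password)
  return false if der.nil?
  OpenSSL::PKCS12.new(der, password)
  true
rescue OpenSSL::PKCS12::PKCS12Error
  false
end

if __FILE__ == $0
  pass = 'p12Secret'
  der  = build_test_identity(pass)
  good = to_plist(identity_payload(der, pass))               # raw bytes  -> <data>
  bad  = to_plist(identity_payload([der].pack('m'), pass))   # base64 text -> <string>
  puts "raw bytes as <data>:        #{identity_opens?(payload_content_bytes(good), pass)}"
  puts "base64 text as <string>:    #{identity_opens?(payload_content_bytes(bad), pass)}"
  puts "raw bytes, wrong password:  #{identity_opens?(der, 'not-the-export-password')}"
end
```

Run it and the first line is true while the other two are false. The encoding test in `plist_value` is the same distinction the last comment points at: `File.binread` returns a binary string and lands in `<data>`, whereas `File.read` returns a text-encoded string (and base64 output is text), so either ends up as a `<string>` or, if forced into `<data>`, as bytes that are not PKCS#12 DER.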
