苹果官网证书文件,待研究
http://www.apple.com/certificateauthority/
导读:MDM 证书申请流程(vendor及customer)整个流程分为两部分:vendor、customer 一、申请Vendor 1、成为一个 MDM Vendor (1)首先你需要拥有一个 Apple Enterprise account($299/年); (2)访问 https://developer.apple.com/contact/submit.php,在这里你可以申请成为一个 MDMVendor:苹果的承诺是一个工作日内处理完毕,处理好会向你的邮箱发送一封通知邮件,并在邮件中提供一些 MDM 相关的文档链接。实际上的时间可能会比这个稍长一些,以笔者为例,是在一个半天后收到亚洲苹果的邮件回复。如果申请得到同意,则会在Portal 的 Add Certificate 中多出一个“MDM CSR”选项。 2、创建证书申请 打开钥匙串,点击“钥匙串访问->证书助理->从证书颁发机构请求证书”,创建一个 CSR。将此 CSR 存储至磁盘。记住“Common Name”字段应该是私钥的名字,创建CRS 时会同时创建一个私钥,这个私钥名字(Common Name)会显示在钥匙串中。 3、导出私钥 在钥匙串中选择创建 CSR 时的私钥,导出为vendor.p12文件。导出时会要求你设置私钥密码。请记住这个密码。 注意,如果使用 mdm_vendor_sign.py 对 customer 的 csr 进行签名,则需要将私钥导出为 pem 格式(.key文件): openssl pkcs12 -in vendor.p12 -nocerts -out vendor.key 会要求你输入3次密码:vendor.p12 的密码、vendor.key 的密码、vendor.key 的密码。 4、提交 CSR登录 Portal,进入 Certificates->All,点击 Add Certificate(“+”按钮),选择Production 下的“MDM CSR” 。 点 Continue->Continue,上传第二步中创建的 CSR,然后点 Generate。 点击 Download,将得到一个 mdm.cer。 5、证书转换:cer->pem 下载苹果 WWDR 证书和苹果根证书: http://www.apple.com/certificateauthority/ 转换 mdm.cer,WWCR 证书和苹果根证书为 pem 格式: openssl x509 -inform der -in mdm.cer -out mdm.pem openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem 注意:如果你使用mdm_vendor_sign.py 脚本签名 vendor 的 plist 文件,则 此步可省略。 二、MDM Customer 1、创建一个 CSR 使用钥匙串创建 CSR,记住密钥对常用名称(便于导出)。 导出 CSR。文件名: MDMCustomer.csr。 2、转换 CSR->cer openssl req -inform pem -outform der -in customer.csr -out customer.der 注意,如果使用 mdm_vendor_sign.py 脚本可省略此步。 3、从 vendor 获取编码的 plist 文件 customer 将 MDMCustomer.csr 或者 MDMCustomer.csr 提交 vender。 剩下的事情由 vendor 进行。作为 vendor,需要用 mdm_vendor_sign.py 脚本命令( mdmvendorsign-master.zip)或者softthink 的 java 代码(Softhinker.zip)对 customer 提交的 customer.der 进行签名。 这两个工具的下载地址: https://github.com/grinich/mdmvendorsign http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning/Softhinker.zip?attredirects=0&d=1 以下我们以 mdm_vendor_sign.py 为例。 执行命令: python mdm_vendor_sign.py --csr MDMCustomer.csr --key 'vendor.key' --mdm mdm.cer 执行结果将生成一个 plist_encoded 文件。 注意,mdm_vendor_sign.py 脚本只需要3个文件:customer 的 CSR、mdm 私钥、mdm 证书。它不需要 WWDR 证书和苹果根证书,也不需要进行复杂的证书格式转换。WWDR和苹果根证书的下载以及 pem 格式转换都是由脚本自动进行的。因此要比用 java 代码签名简单得多。 4、上传 plist 用你的 Apple ID 登录 https://identity.apple.com/pushcert/ ,点击“Create aCertificate”,上传 plist 文件。 使用 java 代码签名的请注意,不要上传 plist.xml,而是上传 plist_encoded。 上传后会产生一个 APNS 证书,下载后得到一个 .pem 文件(为方便使用,改名为 push_cert.pem)。双击 .pem 文件将证书安装到钥匙串中。打开钥匙串,看看到该证书名为“APSP:”,如下图所示: |
Safari获取UDID需要安装.mobileconfig文件,
但是,我们在安装了.mobileconfig后,返现配置描述文件打 开显示“unsigned” 或者“尚未签名”这样的情况,所以接下来的工作就是让我们的.mobileconfig文件看起来更加安全一些。
.mobileconfig签名网络上大多都是使用ssl证书进行签名,可以参考
http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
本文主要讲,使用苹果开发者证书进行签名达到目的,本文两种方法,一种是刀耕火种的一步步操作,一种使用脚本签名
1.从钥匙串(keychain)中导出证书
实用工具->钥匙串访问->选择要导出的证书,导出生成p12文件
2. p12换成pem格式
p12在线转换pem https://www.sslshopper.com/ssl-converter.html
(证书)cer.p12文件 转cer.pem文件
openssl pkcs12 -clcerts -nokeys -out cer.pem -in cer.p12
(私钥)key.p12文件转key.pem文件
openssl pkcs12 -nocerts -out key.pem -inkey.p12
3.下载 Apple Root Certificate 和 Apple Intermediate Certificate
(对于本篇文章 .mobileconfig文件的验证我使用了苹果的以下两个证书.
Apple Root Certificate(苹果根证书)
Apple Application Integration Certificate (苹果应用集成证书 )
你也可以使用这些证书或者苹果提供的其他证书 地址: http://www.apple.com/certificateauthority/
下载的文件中包括证书(cer)和私钥(key)
(在命令行中读取证书,参考链接 info.ssl.com/article.aspx?id=12149)
根据这个文件我们可以解压出来证书.
1
2
3
4
5
6
|
解压
Apple
Root
Certificate证书
.
然后解压
Apple
Intermediate
Certificate
openssl
x509
-
inform
DER
-
outform
PEM
-
in
AppleIncRootCertificate
.
cer
-
out
root
.
crt
.
pem
openssl
x509
-
inform
DER
-
outform
PEM
-
in
AppleAAICA
.
cer
-
out
Intermediate
.
crt
.
pem
在文本编辑器中打开两个解压出来的文件
复制并且粘贴
Intermediate
.
crt
.
pem
到
root
.
crt
.
pem的开始位置
,保存
,然后你的
root
.
crt
.
pem文件就是两个证书合并的结果
|
上边所有文件准备号后,运行命令行工具,运行以下命令
1
|
openssl
smime
-
sign
-
in
Example
.
mobileconfig
-
out
SignedVerifyExample
.
mobileconfig
-
signer
InnovCertificates
.
pem
-
certfile
root
.
crt
.
pem
-
outform
der
-
nodetach
|
结果就是签名并且验证后的 .mobileconfig文件
借助于强大的github,找到了一个python脚本进行签名
地址:https://github.com/nmcspadden/ProfileSigner
1.签名一个mobileconfig
profile_signer.py与 mobileconfig 放在同一目录,终端进入目录执行
1
|
.
/
profile_signer
.
py
-
n
"3rd Party Mac Developer Application"
encrypt
AcrobatPro
.
mobileconfig
AcrobatProEnc
.
mobileconfig
|
2.签名并且验证一个mobileconfig
1
|
.
/
profile_signer
.
py
-
n
"3rd Party Mac Developer Application"
both
AcrobatPro
.
mobileconfig
AcrobatProBoth
.
mobileconfig
|
"3rd Party Mac Developer Application "为你的证书在钥匙串中的全名,选择证书,显示简介,复制常用名称即可,比如
iPhone Developer: jakey.shao [email protected] (W26TLNwW63)
iPhone Distribution: XXX Network Technology Co., Ltd. (L5T8PFT6T5)
发现未签名变成了已签名,红色变成了绿色啦.安装的时候没有警告啦...茉莉花香啊!!!
传送门 通过Safari浏览器获取iOS设备UDID(设备唯一标识符)
参考文章&英文原文:
http://stackoverflow.com/questions/28355902/ios-mobileconfig-file-still-not-verified-but-close-i-see-certification
Note: this does not push your configuration to an iPhone. The user of the iPhone must go to a web address and install a configuration profile.
Suppose that you have a few iPhones that you need to support, but you don't want to spend the time typing in all of the e-mail (IMAP or POP), LDAP, wireless network, or other settings into each phone. Perhaps you have found Apple's Enterprise Deployment Guide but you don't really feel like setting up a whole SCEP Certification Authority to get things done either since your requirements are so simple. But you do realize that it is much easier to tell your user to go to https://example.com/iphone/ on their iPhone than to step them through all the individual setup routines.
Amazingly enough, there is not much documentation out there on how to hand-roll a .mobileconfig file that you can pass out on an HTTPS server to your users. We also want it to be "Verified" by the iPhone so that your users can see it is from you. While they can install untrusted profiles, it sure adds a nice touch to have the green checkmark.
Perhaps you've scoured the Internet since you've read that you can "just use openssl smime
" to sign your .mobileconfig file, but no one seems to tell you how. We'll go over that here as well.
This file will contain all the configuration you want for your users' iPhones. I believe you can use Apple's iPhone Configuration Utility to create this file. You don't have to, but it'll probably save you some typing.
The Enterprise Deployment Guide defines the syntax of the profiles in Appendix B. You can do some pretty fancy request/response scripting between the phone and your server, but I'll just go over a simpler method that just sends a configuration file from your web server to their phone.
Your .mobileconfig file will end up looking something like this:
PayloadContent PayloadDisplayName LDAP Settings PayloadType com.apple.ldap.account PayloadVersion 1 PayloadUUID 6df7a612-ce0a-4b4b-bce2-7b844e3c9df0 PayloadIdentifier com.example.iPhone.settings.ldap LDAPAccountDescription Company Contacts LDAPAccountHostName ldap.example.com LDAPAccountUseSSL LDAPAccountUserName uid=username,dc=example,dc=com LDAPSearchSettings LDAPSearchSettingDescription Company Contacts LDAPSearchSettingSearchBase LDAPSearchSettingScope LDAPSearchSettingScopeSubtree LDAPSearchSettingDescription Sales Departments LDAPSearchSettingSearchBase ou=Sales,dc=example,dc=com LDAPSearchSettingScope LDAPSearchSettingScopeSubtree PayloadDisplayName Email Settings PayloadType com.apple.mail.managed PayloadVersion 1 PayloadUUID 362e5c11-a332-4dfb-b18b-f6f0aac032fd PayloadIdentifier com.example.iPhone.settings.email EmailAccountDescription Company E-mail EmailAccountName Full Name EmailAccountType EmailTypeIMAP EmailAddress [email protected] IncomingMailServerAuthentication EmailAuthPassword IncomingMailServerHostName imap.example.com IncomingMailServerUseSSL IncomingMailServerUsername [email protected] OutgoingPasswordSameAsIncomingPassword OutgoingMailServerAuthentication EmailAuthPassword OutgoingMailServerHostName smtp.example.com OutgoingMailServerUseSSL OutgoingMailServerUsername [email protected] PayloadOrganization Your Organization's Name PayloadDisplayName Organization iPhone Settings PayloadVersion 1 PayloadUUID 954e6e8b-5489-484c-9b1d-0c9b7bf18e32 PayloadIdentifier com.example.iPhone.settings PayloadDescription Sets up Organization's LDAP directories and email on the iPhone PayloadType Configuration
I'll talk just briefly about the configuration above. The iPhone, as far as I can tell, uses the UUIDs to know whether or not it is replacing or installing a new profile onto the phone. On a Mac or Linux box, you can generate a UUID with the command uuidgen
. You'll notice that I did not include any passwords above. With these settings, the iPhone will prompt the user for their e-mail password upon installation of the profile. (The LDAP password will be prompted on first use if logging in fails.)
I actually wrote a PHP script that would take a template .mobileconfig file for me and fill in the username fields for me depending on PHP_AUTH_USER. After you get the basics down, you can go back and do that. There is also a way to encrypt the .mobileconfig files, but we are not covering that here.
This is the part that no one else seems to go over. Signing your configuration profile is an optional step, but it's not too hard if you already have an X.509 web server or email certificate.
For this step, I'll use the following notations:
company.mobileconfig
is your unsigned configuration profileserver.crt
is your server's certificate to sign the profile withserver.key
is your server's private keycert-chain.crt
is the certificate bundle for the CA that issued your server's certificate.signed.mobileconfig
will be your signed configuration profileOnce you have all the files listed above, you will run a command like the following:openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach
The -outform der
and -nodetach
are your real tickets here in getting it into a form that the iPhone wants. Now you take signed.mobileconfig
and move on to the next step!
Help for those that will use PHP scripting: You'll want to look at openssl_pkcs7_sign()
function with the $flags
field set to 0. This will create a file that is base-64 encoded. After you strip off the e-mail headers at the top, you can base64_decode()
to get the same output. For example:$mobileconfig = base64_decode(preg_replace('/(.+\n)+\n/', '', $signed, 1));
Okay, it'll probably work on your HTTP server as well. Just another configuration I didn't bother testing.
There is just one caveats when it comes to serving up this file. It needs to be served up with a MIME Content-Type of application/x-apple-aspen-config
. You may be able to do this by adding a line to your server's configuration or .htaccess file in the folder with:
AddType application/x-apple-aspen-config .mobileconfig
If serving the file from within PHP, you may do something like:
header('Content-type: application/x-apple-aspen-config; chatset=utf-8'); header('Content-Disposition: attachment; filename="company.mobileconfig"'); echo $mobileconfig;
Get your iPhone and load up Safari. Go to the web address of where your profile is saved, e.g. https://www.example.com/iphone/. Your phone should prompt you to install the profile.
You can see and remove profiles from Settings > General on your iPhone. Note, that it IS possible to create a profile that cannot be removed except for by the original profile identifier and signed by the same authority. Be careful that you don't lock yourself out.
At this point, we are finished. See the Enterprise Deployment Guide for other configuration profiles that you can create. It doesn't let you create or set everything that I wish it did (especially when it comes to setting up IMAP defaults), but it lets you do quite a bit.
I hope that this helps you! This is obviously a very brief guide and I glazed over a few details. If you have any comments, let me know. My e-mail address can be deduced from the very bottom of the document.
-----
I hope this helps someone. Let me know if there are errors above and I'll update this document.
-W Gillespie (wgillespie, es2eng.com)
Last updated: 2011-06-27