苹果官网证书文件，待研究

苹果官网证书文件，待研究

http://www.apple.com/certificateauthority/

导读：MDM 证书申请流程（vendor及customer）整个流程分为两部分：vendor、customer 一、申请Vendor 1、成为一个 MDM Vendor （1）首先你需要拥有一个 Apple Enterprise account（$299/年）； （2）访问 https://developer.apple.com/contact/submit.php，在这里你可以申请成为一个 MDMVendor：苹果的承诺是一个工作日内处理完毕，处理好会向你的邮箱发送一封通知邮件，并在邮件中提供一些 MDM 相关的文档链接。实际上的时间可能会比这个稍长一些，以笔者为例，是在一个半天后收到亚洲苹果的邮件回复。如果申请得到同意，则会在Portal 的 Add Certificate 中多出一个“MDM CSR”选项。 2、创建证书申请 打开钥匙串，点击“钥匙串访问->证书助理->从证书颁发机构请求证书”，创建一个 CSR。将此 CSR 存储至磁盘。记住“Common Name”字段应该是私钥的名字，创建CRS 时会同时创建一个私钥，这个私钥名字（Common Name）会显示在钥匙串中。 3、导出私钥 在钥匙串中选择创建 CSR 时的私钥，导出为vendor.p12文件。导出时会要求你设置私钥密码。请记住这个密码。 注意，如果使用 mdm_vendor_sign.py 对 customer 的 csr 进行签名，则需要将私钥导出为 pem 格式（.key文件）： openssl pkcs12 -in vendor.p12 -nocerts -out vendor.key 会要求你输入3次密码：vendor.p12 的密码、vendor.key 的密码、vendor.key 的密码。 4、提交 CSR登录 Portal，进入 Certificates->All,点击 Add Certificate(“+”按钮)，选择Production 下的“MDM CSR” 。 点 Continue->Continue，上传第二步中创建的 CSR，然后点 Generate。 点击 Download，将得到一个 mdm.cer。 5、证书转换：cer->pem 下载苹果 WWDR 证书和苹果根证书: http://www.apple.com/certificateauthority/ 转换 mdm.cer，WWCR 证书和苹果根证书为 pem 格式： openssl x509 -inform der -in mdm.cer -out mdm.pem openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem 注意：如果你使用mdm_vendor_sign.py 脚本签名 vendor 的 plist 文件，则 此步可省略。 二、MDM Customer 1、创建一个 CSR 使用钥匙串创建 CSR，记住密钥对常用名称（便于导出）。 导出 CSR。文件名： MDMCustomer.csr。 2、转换 CSR->cer openssl req -inform pem -outform der -in customer.csr -out customer.der 注意，如果使用 mdm_vendor_sign.py 脚本可省略此步。 3、从 vendor 获取编码的 plist 文件 customer 将 MDMCustomer.csr 或者 MDMCustomer.csr 提交 vender。 剩下的事情由 vendor 进行。作为 vendor，需要用 mdm_vendor_sign.py 脚本命令（ mdmvendorsign-master.zip）或者softthink 的 java 代码（Softhinker.zip）对 customer 提交的 customer.der 进行签名。 这两个工具的下载地址： https://github.com/grinich/mdmvendorsign http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning/Softhinker.zip?attredirects=0&d=1 以下我们以 mdm_vendor_sign.py 为例。 执行命令： python mdm_vendor_sign.py --csr MDMCustomer.csr --key 'vendor.key' --mdm mdm.cer 执行结果将生成一个  plist_encoded 文件。 注意，mdm_vendor_sign.py 脚本只需要3个文件：customer 的 CSR、mdm 私钥、mdm 证书。它不需要 WWDR 证书和苹果根证书，也不需要进行复杂的证书格式转换。WWDR和苹果根证书的下载以及 pem 格式转换都是由脚本自动进行的。因此要比用 java 代码签名简单得多。 4、上传 plist 用你的 Apple ID 登录 https://identity.apple.com/pushcert/ ，点击“Create aCertificate”，上传 plist 文件。 使用 java 代码签名的请注意，不要上传 plist.xml，而是上传 plist_encoded。 上传后会产生一个 APNS 证书，下载后得到一个 .pem 文件(为方便使用，改名为 push_cert.pem)。双击 .pem 文件将证书安装到钥匙串中。打开钥匙串，看看到该证书名为“APSP:”，如下图所示：

Safari获取UDID需要安装.mobileconfig文件,
但是，我们在安装了.mobileconfig后，返现配置描述文件打 开显示“unsigned” 或者“尚未签名”这样的情况，所以接下来的工作就是让我们的.mobileconfig文件看起来更加安全一些。

.mobileconfig签名网络上大多都是使用ssl证书进行签名,可以参考

http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html

本文主要讲,使用苹果开发者证书进行签名达到目的,本文两种方法,一种是刀耕火种的一步步操作,一种使用脚本签名

一.导出苹果证书进行签名

1.从钥匙串(keychain)中导出证书

实用工具->钥匙串访问->选择要导出的证书,导出生成p12文件

2. p12换成pem格式

p12在线转换pem   https://www.sslshopper.com/ssl-converter.html

(证书)cer.p12文件 转cer.pem文件

openssl pkcs12 -clcerts -nokeys -out cer.pem -in cer.p12

(私钥)key.p12文件转key.pem文件

openssl pkcs12 -nocerts -out key.pem -inkey.p12

3.下载 Apple Root Certificate 和 Apple Intermediate Certificate

(对于本篇文章 .mobileconfig文件的验证我使用了苹果的以下两个证书.

Apple Root Certificate(苹果根证书)

Apple Application Integration Certificate (苹果应用集成证书 )

你也可以使用这些证书或者苹果提供的其他证书 地址: http://www.apple.com/certificateauthority/

下载的文件中包括证书(cer)和私钥(key)

(在命令行中读取证书,参考链接 info.ssl.com/article.aspx?id=12149)

根据这个文件我们可以解压出来证书.

1 2 3 4 5 6

解压 Apple Root Certificate证书 . 然后解压 Apple Intermediate Certificate openssl x509 - inform DER - outform PEM - in AppleIncRootCertificate . cer - out root . crt . pem openssl x509 - inform DER - outform PEM - in AppleAAICA . cer - out Intermediate . crt . pem   在文本编辑器中打开两个解压出来的文件 复制并且粘贴 Intermediate . crt . pem 到 root . crt . pem的开始位置 ,保存 ,然后你的 root . crt . pem文件就是两个证书合并的结果

4.签名和验证.mobileconfig文件

上边所有文件准备号后,运行命令行工具,运行以下命令

1	openssl smime - sign - in Example . mobileconfig - out SignedVerifyExample . mobileconfig - signer InnovCertificates . pem - certfile root . crt . pem - outform der - nodetach

结果就是签名并且验证后的 .mobileconfig文件

二.脚本签名

借助于强大的github,找到了一个python脚本进行签名

地址:https://github.com/nmcspadden/ProfileSigner

1.签名一个mobileconfig

profile_signer.py与 mobileconfig 放在同一目录,终端进入目录执行

1	. / profile_signer . py - n "3rd Party Mac Developer Application" encrypt AcrobatPro . mobileconfig AcrobatProEnc . mobileconfig

2.签名并且验证一个mobileconfig

1	. / profile_signer . py - n "3rd Party Mac Developer Application" both AcrobatPro . mobileconfig AcrobatProBoth . mobileconfig

 

"3rd Party Mac Developer Application "为你的证书在钥匙串中的全名,选择证书,显示简介,复制常用名称即可,比如

iPhone Developer: jakey.shao xxxx@xxx.com (W26TLNwW63)

iPhone Distribution: XXX Network Technology Co., Ltd. (L5T8PFT6T5)

三.Safari安装

发现未签名变成了已签名,红色变成了绿色啦.安装的时候没有警告啦...茉莉花香啊!!!

传送门 通过Safari浏览器获取iOS设备UDID(设备唯一标识符)

参考文章&英文原文:

http://stackoverflow.com/questions/28355902/ios-mobileconfig-file-still-not-verified-but-close-i-see-certification

Over-the-air IPhone Setup Using a Signed .mobileconfig File

Note: this does not push your configuration to an iPhone. The user of the iPhone must go to a web address and install a configuration profile.

Suppose that you have a few iPhones that you need to support, but you don't want to spend the time typing in all of the e-mail (IMAP or POP), LDAP, wireless network, or other settings into each phone. Perhaps you have found Apple's Enterprise Deployment Guide but you don't really feel like setting up a whole SCEP Certification Authority to get things done either since your requirements are so simple. But you do realize that it is much easier to tell your user to go to https://example.com/iphone/ on their iPhone than to step them through all the individual setup routines.

Amazingly enough, there is not much documentation out there on how to hand-roll a .mobileconfig file that you can pass out on an HTTPS server to your users. We also want it to be "Verified" by the iPhone so that your users can see it is from you. While they can install untrusted profiles, it sure adds a nice touch to have the green checkmark.

Perhaps you've scoured the Internet since you've read that you can "just use openssl smime" to sign your .mobileconfig file, but no one seems to tell you how. We'll go over that here as well.

1) Create a configuration (.mobileconfig) file

This file will contain all the configuration you want for your users' iPhones. I believe you can use Apple's iPhone Configuration Utility to create this file. You don't have to, but it'll probably save you some typing.

The Enterprise Deployment Guide defines the syntax of the profiles in Appendix B. You can do some pretty fancy request/response scripting between the phone and your server, but I'll just go over a simpler method that just sends a configuration file from your web server to their phone.

Your .mobileconfig file will end up looking something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple/DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>LDAP Settings</string>
			<key>PayloadType</key>
			<string>com.apple.ldap.account</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PayloadUUID</key>
			<string>6df7a612-ce0a-4b4b-bce2-7b844e3c9df0</string>
			<key>PayloadIdentifier</key>
			<string>com.example.iPhone.settings.ldap</string>
			<key>LDAPAccountDescription</key>
			<string>Company Contacts</string>
			<key>LDAPAccountHostName</key>
			<string>ldap.example.com</string>
			<key>LDAPAccountUseSSL</key>
			<false />
			<key>LDAPAccountUserName</key>
			<string>uid=username,dc=example,dc=com</string>
			<key>LDAPSearchSettings</key>
			<array>
				<dict>
					<key>LDAPSearchSettingDescription</key>
					<string>Company Contacts</string>
					<key>LDAPSearchSettingSearchBase</key>
					<string></string>
					<key>LDAPSearchSettingScope</key>
					<string>LDAPSearchSettingScopeSubtree</string>
				</dict>
				<dict>
					<key>LDAPSearchSettingDescription</key>
					<string>Sales Departments</string>
					<key>LDAPSearchSettingSearchBase</key>
					<string>ou=Sales,dc=example,dc=com</string>
					<key>LDAPSearchSettingScope</key>
					<string>LDAPSearchSettingScopeSubtree</string>
				</dict>
			</array>
		</dict>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Email Settings</string>
			<key>PayloadType</key>
			<string>com.apple.mail.managed</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PayloadUUID</key>
			<string>362e5c11-a332-4dfb-b18b-f6f0aac032fd</string>
			<key>PayloadIdentifier</key>
			<string>com.example.iPhone.settings.email</string>
			<key>EmailAccountDescription</key>
			<string>Company E-mail</string>
			<key>EmailAccountName</key>
			<string>Full Name</string>
			<key>EmailAccountType</key>
			<string>EmailTypeIMAP</string>
			<key>EmailAddress</key>
			<string>username@example.com</string>
			<key>IncomingMailServerAuthentication</key>
			<string>EmailAuthPassword</string>
			<key>IncomingMailServerHostName</key>
			<string>imap.example.com</string>
			<key>IncomingMailServerUseSSL</key>
			<true />
			<key>IncomingMailServerUsername</key>
			<string>username@es2eng.com</string>
			<key>OutgoingPasswordSameAsIncomingPassword</key>
			<true />
			<key>OutgoingMailServerAuthentication</key>
			<string>EmailAuthPassword</string>
			<key>OutgoingMailServerHostName</key>
			<string>smtp.example.com</string>
			<key>OutgoingMailServerUseSSL</key>
			<true />
			<key>OutgoingMailServerUsername</key>
			<string>username@example.com</string>
		</dict>
	</array>
	<key>PayloadOrganization</key>
	<string>Your Organization's Name</string>
	<key>PayloadDisplayName</key>
	<string>Organization iPhone Settings</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>PayloadUUID</key>
	<string>954e6e8b-5489-484c-9b1d-0c9b7bf18e32</string>
	<key>PayloadIdentifier</key>
	<string>com.example.iPhone.settings</string>
	<key>PayloadDescription</key>
	<string>Sets up Organization's LDAP directories and email on the iPhone</string>
	<key>PayloadType</key>
	<string>Configuration</string>
</dict>
</plist>
		

I'll talk just briefly about the configuration above. The iPhone, as far as I can tell, uses the UUIDs to know whether or not it is replacing or installing a new profile onto the phone. On a Mac or Linux box, you can generate a UUID with the command uuidgen. You'll notice that I did not include any passwords above. With these settings, the iPhone will prompt the user for their e-mail password upon installation of the profile. (The LDAP password will be prompted on first use if logging in fails.)

I actually wrote a PHP script that would take a template .mobileconfig file for me and fill in the username fields for me depending on PHP_AUTH_USER. After you get the basics down, you can go back and do that. There is also a way to encrypt the .mobileconfig files, but we are not covering that here.

Sign the .mobileconfig file

This is the part that no one else seems to go over. Signing your configuration profile is an optional step, but it's not too hard if you already have an X.509 web server or email certificate.

For this step, I'll use the following notations:

• company.mobileconfig is your unsigned configuration profile
• server.crt is your server's certificate to sign the profile with
• server.key is your server's private key
• cert-chain.crt is the certificate bundle for the CA that issued your server's certificate.
• signed.mobileconfig will be your signed configuration profile

Once you have all the files listed above, you will run a command like the following:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach

The -outform der and -nodetach are your real tickets here in getting it into a form that the iPhone wants. Now you take signed.mobileconfig and move on to the next step!

Help for those that will use PHP scripting: You'll want to look at openssl_pkcs7_sign() function with the $flags field set to 0. This will create a file that is base-64 encoded. After you strip off the e-mail headers at the top, you can base64_decode() to get the same output. For example:
$mobileconfig = base64_decode(preg_replace('/(.+\n)+\n/', '', $signed, 1));

Serve up the file on your HTTPS server

Okay, it'll probably work on your HTTP server as well. Just another configuration I didn't bother testing.

There is just one caveats when it comes to serving up this file. It needs to be served up with a MIME Content-Type of application/x-apple-aspen-config. You may be able to do this by adding a line to your server's configuration or .htaccess file in the folder with:

<IfModule mod_mime.c>
	AddType application/x-apple-aspen-config .mobileconfig
</IfModule>

If serving the file from within PHP, you may do something like:

header('Content-type: application/x-apple-aspen-config; chatset=utf-8');
header('Content-Disposition: attachment; filename="company.mobileconfig"');
echo $mobileconfig;

Try it out on your iPhone

Get your iPhone and load up Safari. Go to the web address of where your profile is saved, e.g. https://www.example.com/iphone/. Your phone should prompt you to install the profile.

You can see and remove profiles from Settings > General on your iPhone. Note, that it IS possible to create a profile that cannot be removed except for by the original profile identifier and signed by the same authority. Be careful that you don't lock yourself out.

Finished!

At this point, we are finished. See the Enterprise Deployment Guide for other configuration profiles that you can create. It doesn't let you create or set everything that I wish it did (especially when it comes to setting up IMAP defaults), but it lets you do quite a bit.

I hope that this helps you! This is obviously a very brief guide and I glazed over a few details. If you have any comments, let me know. My e-mail address can be deduced from the very bottom of the document.

See Also

• Retrieving an iPhone response using PHP

-----
I hope this helps someone. Let me know if there are errors above and I'll update this document.
-W Gillespie (wgillespie, es2eng.com)

Last updated: 2011-06-27