Identity certificate - iOS MDM
I have a few questions regarding the identity certificate in the profile payload.
Forgive my ignorance if the questions are basic.
1.) I found that one can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key is known only to the device. In case we implement a SCEP server, do we need to maintain a list of the public keys of the identity certificates mapped to devices, which we can use later for encrypting?
2.) What is the best possible way to implement a SCEP server? Are there reliable and robust methods available to adopt instead of writing our own?
3.) What if the identity certificate expires?
As a basic version, while playing around, I tried to add my own p12 certificate payload without using SCEP.
I tried to add the base64 encoded p12 certificate in the identity PayloadContent key, as mentioned in the link reference. I got the error
The identity certificate “test mdm profile” was not found
while installing the profile.
require 'base64'

identity_payload = {}  # hash that is later serialised into the profile plist
identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
identity_payload['PayloadUUID'] = "random-uuid-string"
identity_payload['PayloadVersion'] = 1
identity_payload['PayloadContent'] = Base64.encode64(File.read("identity.p12"))
identity_payload['Password'] = 'p12secret'
When I checked the 'Configuration Profile Key Reference', it mentioned that I should send the binary representation of the payload as Data. I tried,
identity_payload['PayloadContent'] = converttobinary(File.read("identity.p12"))  # converttobinary is my own helper
I got,
The password for the certificate “identitycertificate” is incorrect
I am supplying the valid password used when exporting the p12 certificate.
What am I doing wrong?
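The PKCS12 identity payload the question is trying to build, as an added example that is not from the original post. It is Python rather than the poster's Ruby because the standard-library plistlib writes a bytes value as a <data> element, which is the binary representation the Configuration Profile Key Reference asks for; the sample .p12 bytes, identifiers and display names are constructed placeholders.

```python
import plistlib
import uuid

# Constructed stand-in for a .p12 file: a DER SEQUENCE header plus filler
# bytes. It is NOT a real PKCS#12 blob, just enough to exercise the code.
SAMPLE_P12 = b"\x30\x82\x00\x0a" + bytes(range(10))
SAMPLE_PASSWORD = "p12secret"  # export password, as in the question


def pkcs12_payload(p12_bytes: bytes, password: str, payload_uuid: str) -> dict:
    """Build the identity (com.apple.security.pkcs12) payload dictionary.
    PayloadContent must hold the raw .p12 bytes: plistlib emits bytes as a
    <data> element and base64-encodes it itself, so a pre-encoded string
    would become a <string> element instead of Data."""
    if not isinstance(p12_bytes, bytes):
        raise TypeError("PayloadContent must be raw bytes, not a base64 string")
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadIdentifier": "com.example.identity",  # assumed identifier
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Identity Certificate",
        "PayloadContent": p12_bytes,
        "Password": password,
    }


def profile_xml(p12_bytes: bytes, password: str) -> bytes:
    """Wrap the identity payload in a top-level profile; return XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.mdm.profile",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Test MDM Profile",
        "PayloadContent": [pkcs12_payload(p12_bytes, password, str(uuid.uuid4()).upper())],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_identity_payload(plist_bytes: bytes) -> bool:
    """Parse the profile back and confirm each pkcs12 payload's content is
    bytes starting with a DER SEQUENCE tag (0x30), as a PKCS#12 file does."""
    profile = plistlib.loads(plist_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] != "com.apple.security.pkcs12":
            continue
        content = payload["PayloadContent"]
        if not isinstance(content, bytes) or content[:1] != b"\x30":
            return False
    return True
```

Running check_identity_payload on the generated profile is a cheap way to catch the base64-as-string mistake before pushing the profile to a device.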
Answering your questions:
1) Do we need to maintain a list of the public keys of the identity certificates mapped to devices, which we can use later for encrypting?
Yes. You need some kind of mapping. It can be done in a couple of ways:
- Just store in a DB the mapping between the certificate common name and the device UDID.
- Make the CN contain the UDID (I prefer this method, because it simplifies initial checks).
And as you pointed out, you need the public key to encrypt payloads for the device.
2) What is the best possible way to implement a SCEP server? Are there reliable and robust methods available to adopt instead of writing our own?
There are open source implementations of SCEP. For example, jscep has one (I used it), and EJBCA has one (I used it too). I saw other implementations (in Ruby, and so on). So, you can find and choose what works with your stack.
3) You need to renew the identity certificate before it expires (the same way as other certificates).
4) If the profile doesn't work, I recommend creating the same profile in the iPhone Configuration Utility and comparing it with yours. Most of the time, you missed 1 tag or so (it can take a lot of time to figure out without comparing to a working one).