Question

I'm working on an iOS mobile device management project, and have been stuck on Over-The-Air enrollment for a few days.

In Phase 1 step 4 and Phase 2 step 1 of Apple's Official OTA Doc, the profile server should send back configuration profiles that are signed by the vendor; otherwise the config file is shown with a red "unsigned" label on an iPhone. So I asked for a MyCompanyRootCA.cert file from my company.

So my question is: According to this documentation, I could use this openssl command to sign a profile:

openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach

But how can I get the private key (server.key) file and the certificate bundle (cert-chain.crt)? Can I get these from MyCompanyRootCA.cer?

I have tried with these commands to create p12 file and attempted to get private key.

keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12

openssl pkcs12 -in new-store.p12 -nocerts -out key.pem
openssl rsa -in key.pem -out server.key

Am I failing to use this command because the root ca certificate is just a public key and does not contain any private key?

I'm not quite familiar with the whole signing process. If this is not the right way to do it, please advise on how to do the signing. Any help is appreciated, thank you.


Solution

You cannot sign with a certificate only. A certificate contains only a public key and signing requires a private key.

Actually you need a signature certificate issued by the MyCompanyRootCA authority. This OpenSSL document explains how to generate a private key and a certificate request (CSR) for this key. With this CSR the CA service should be able to issue a signature certificate to sign your .mobileconfig file.

This is the most common process to get a certificate from a CA, but you should contact the CA operations people to learn the exact process of certificate issuance.
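
The flow described in this answer, as an added example that is not part of the original answer: generate a key and CSR, have the CA issue a signing certificate, sign the profile with the command from the question, then verify it. The throwaway demo CA, the subject names and the sample profile are assumptions constructed so the script runs offline; in a real deployment the CA operators run the issuing step and hand back server.crt plus their chain.

```shell
#!/bin/sh
# Added example. All names and subjects are placeholders; demo-ca.* is a
# throwaway CA built locally only so the flow runs offline (assumption).

make_demo_ca() {        # stand-in for the company CA; its operators hold this key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout demo-ca.key -out demo-ca.crt 2>/dev/null
}

make_key_and_csr() {    # requester side: server.key never leaves your hands
  # -nodes leaves the key unencrypted for the demo; protect a real signing key
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=profile-signer.example" \
    -keyout server.key -out server.csr 2>/dev/null
}

issue_cert() {          # CA side: turns the CSR into the signing certificate
  openssl x509 -req -in server.csr -CA demo-ca.crt -CAkey demo-ca.key \
    -CAcreateserial -days 30 -out server.crt 2>/dev/null
}

make_sample_profile() { # constructed minimal profile, not a real payload
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.demo</string>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
}

sign_profile() {        # command from the question; the chain here is just the demo CA
  openssl smime -sign -in "$1" -out "$2" -signer server.crt -inkey server.key \
    -certfile demo-ca.crt -outform der -nodetach
}

verify_profile() {      # $1 signed file, $2 trusted CA cert, $3 recovered content
  openssl smime -verify -in "$1" -inform der -CAfile "$2" -out "$3" 2>/dev/null
}

demo() {                # runs the whole flow in a fresh temporary directory
  cd "$(mktemp -d)" || return 1
  make_demo_ca && make_key_and_csr && issue_cert &&
    make_sample_profile company.mobileconfig &&
    sign_profile company.mobileconfig signed.mobileconfig &&
    verify_profile signed.mobileconfig demo-ca.crt recovered.mobileconfig
}

demo && echo "signed.mobileconfig verifies against the demo CA"
```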

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow