I'm working on an iOS mobile device management project, and have been stuck on Over-The-Air enrollment for a few days.
In Phase 1 step 4 and Phase 2 step 1 of Apple's Official OTA Doc, the profile server should send back configuration profiles that are signed by the vendor; otherwise the config file is shown with a red "unsigned" on an iPhone. So I asked my company for a MyCompanyRootCA.cert file.
So my question is:
According to this documentation, I could use this openssl command to sign a profile:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach
But how can I get the private key (server.key) file and the certificate bundle (cert-chain.crt)? Can I get these from MyCompanyRootCA.cer?
I have tried these commands to create a p12 file and attempted to get the private key.
keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12
openssl pkcs12 -in new-store.p12 -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
Am I failing to use this command because the root CA certificate is just a public key and does not contain any private key?
I'm not quite familiar with the signing process. If this is not the right way to do it, please advise on how to do the signing. Any help is appreciated, thank you.
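
The signing flow the question refers to, as an added example that is not part of the original post: a throwaway CA stands in for the company root CA, the signer generates its own key pair, and the resulting profile is verified against the CA certificate. All subjects, the `ca.key` and `server.csr` file names, and the profile contents are constructed placeholders; `has_private_key` and `sign_demo` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example. Every subject, key and payload below is a constructed placeholder.
set -eu

# Exit 0 only if the PEM file contains a private key.
has_private_key() { openssl pkey -in "$1" -noout >/dev/null 2>&1; }

# Build a throwaway PKI in directory $1, sign a profile, verify the signature.
sign_demo() (
  cd "$1" &&
  # Stand-in for the company root CA. In a real deployment the CA operator
  # keeps ca.key; only the certificate (cert-chain.crt here) is handed out.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout ca.key -out cert-chain.crt 2>/dev/null &&
  # The signer generates its own key pair; this is where server.key comes from.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mdm.example.com" \
    -keyout server.key -out server.csr 2>/dev/null &&
  # The CA turns the CSR into server.crt (a step run by the CA operator).
  openssl x509 -req -in server.csr -CA cert-chain.crt -CAkey ca.key \
    -CAcreateserial -days 30 -out server.crt 2>/dev/null &&
  # Minimal constructed payload standing in for company.mobileconfig.
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
    '<plist version="1.0"><dict><key>PayloadType</key><string>Configuration</string></dict></plist>' \
    > company.mobileconfig &&
  # The signing command from the question, unchanged.
  openssl smime -sign -in company.mobileconfig -out signed.mobileconfig \
    -signer server.crt -inkey server.key -certfile cert-chain.crt \
    -outform der -nodetach &&
  # Check that the signature chains to the CA and extract the embedded profile.
  openssl smime -verify -in signed.mobileconfig -inform der \
    -CAfile cert-chain.crt -out recovered.mobileconfig 2>/dev/null &&
  # Signing without -binary converts line endings to CRLF, so strip CR first.
  tr -d '\r' < recovered.mobileconfig | cmp -s - company.mobileconfig
)

WORK=$(mktemp -d)
sign_demo "$WORK" && echo "signature verified"
has_private_key "$WORK/server.key"     && echo "server.key: private key present"
has_private_key "$WORK/cert-chain.crt" || echo "cert-chain.crt: certificate only, no private key"
```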