Question

I'm interested in creating a PushCertWebRequest (this is from the Apple documentation). I have found a lot of docs on how to do this for 3rd-party vendors like Air-watch and so on, but they skip the last step, where they are working with your .p12 certificate. I mean the process where you create the PushCertWebRequest and upload it to https://identity.apple.com/pushcert

So my question is how to create a Push Certificate Request plist. An example of this plist follows (this is from the Apple doc):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PushCertRequestCSR</key>
<string>
MIIDjzCCAncCAQAwDzENMAsGA1UEAwwEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
</string>
<key>PushCertCertificateChain</key>
<string>
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIIQcQgtHQb9wwwDQYJKoZIhvcNAQEFBQAwUjEaMBgGA1UE
AwwRU0FDSSBUZXN0IFJvb3QgQ0ExEjAQBgNVBAsMCUFwcGxlIElTVDETMBEGA1UE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIIBInl9fQbaAkwDQYJKoZIhvcNAQEFBQAwXDEkMCIGA1UE
AwwbU0FDSSBUZXN0IEludGVybWVkaWF0ZSBDQSAxMRIwEAYDVQQLDAlBcHBsZSBJ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIIKRyFYgyyFPgwDQYJKoZIhvcNAQEFBQAwXDEkMCIGA1UE
AwwbU0FDSSBUZXN0IEludGVybWVkaWF0ZSBDQSAxMRIwEAYDVQQLDAlBcHBsZSBJ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIIdv/cjbnBgEgwDQYJKoZIhvcNAQEFBQAwUjEaMBgGA1UE
AwwRU0FDSSBUZXN0IFJvb3QgQ0ExEjAQBgNVBAsMCUFwcGxlIElTVDETMBEGA1UE
-----END CERTIFICATE-----
</string>
<key>PushCertSignature</key>
<string>
CGt6QWuixaO0PIBc9dr2kJpFBE1BZx2D8L0XH0Mtc/DePGJOjrM2W/IBFY0AVhhEx
</string>
</dict>
</plist>

Finally, I created PushCertRequestCSR and PushCertSignature, but I don't really know how to create the PushCertCertificateChain block.

Solution

Please see detailed steps and source code here to generate plist.

OTHER TIPS

I ported the softhinker Java code to Python, and added a few nice things. It's available on GitHub: http://www.github.com/grinich/mdmvendorsign.

  • Create a CSR using any toolkit, i.e. Keychain Access on a Mac system, then export the private key as 'vendor.p12'.

  • Log in to the Apple Member Center, and go to 'iOS Provisioning Portal'.

  • Select 'Certificates' on the left navigation bar, and click the 'Other' tab in the center.

  • Follow the instructions on that page, and upload the CSR you created.

  • The certificate for you as an MDM vendor will then be available to download on the 'Other' tab. Download it.

  • Download the WWDR intermediate certificate.

  • Download the Apple root certificate.

  • Execute the openssl commands below to convert the MDM vendor certificate, the WWDR certificate, and the Apple root certificate to PEM format one by one:

    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem

    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem

    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem

  • Then use the attached Java program on the softhinker webpage to generate the encoded plist. You need to replace the placeholder files in the Java package with your own, because the ones provided in the Java package are just samples (zero size), which are:

customer.der, vendor.p12, mdm.pem, intermediate.pem, root.pem

  • Now first verify that the generated plist.xml format matches the sample plist.xml provided in the MDM Protocol Reference document.

  • If plist.xml is in the appropriate format, then upload the encoded_plist to the portal. Note that plist.xml is just for our reference and is not for upload; upload the encoded_plist only. After that, download the certificate from the portal.
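
The PushCertCertificateChain step the question asks about, as an added example that is not part of the original answers and is not the softhinker or mdmvendorsign code. It joins the PEM files produced by the openssl commands into one chain string, refuses any PEM block that is not a certificate (for instance a private key exported along with vendor.p12), and wraps the result in the plist. Assumptions: the chain order is mdm.pem, intermediate.pem, root.pem as the answer lists them, the encoded_plist is the base64 of the plist XML, and the function names and sample inputs are constructed for illustration.

```python
import base64
import plistlib
import re

# Matches one PEM block of any type; captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def certificate_chain(*pem_texts):
    """Join PEM files into one chain string, refusing anything but certificates."""
    out = []
    for text in pem_texts:
        blocks = PEM_BLOCK.findall(text)
        if not blocks:
            raise ValueError("no PEM block found; is the file still DER?")
        for label, body in blocks:
            if label != "CERTIFICATE":
                # e.g. a private key exported together with the certificate
                raise ValueError(f"refusing PEM block of type {label!r}")
            der = base64.b64decode("".join(body.split()), validate=True)
            if der[:1] != b"\x30":
                raise ValueError("certificate body is not a DER SEQUENCE")
            b64 = base64.b64encode(der).decode()
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            out.append("\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                                  "-----END CERTIFICATE-----"]))
    return "\n".join(out) + "\n"


def encoded_plist(csr_b64, chain_pem, signature_b64):
    """Build the plist with the three keys from the question, then base64 it."""
    plist = plistlib.dumps({
        "PushCertRequestCSR": csr_b64,
        "PushCertCertificateChain": chain_pem,
        "PushCertSignature": signature_b64,
    }, sort_keys=False)
    return base64.b64encode(plist)


def fake_pem(label, der):
    # Constructed sample input: DER-shaped bytes, not a real certificate or key.
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


if __name__ == "__main__":
    pems = [fake_pem("CERTIFICATE", b"\x30\x03" + bytes([n]) * 3) for n in (1, 2, 3)]
    chain = certificate_chain(*pems)  # assumed order: mdm, intermediate, root
    blob = encoded_plist("CSR_PLACEHOLDER", chain, "SIGNATURE_PLACEHOLDER")
    print(base64.b64decode(blob).decode())
```

Decoding the output and comparing it with the sample plist is the same check the answer describes before upload.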

Licensed under: CC-BY-SA with attribution