Question
Following on from the issue in iOS MDM Enrollment Profile Request of /profile to sign the certificate using Java:
Now I almost have some of the functionality working, based on the OTA configuration flow chart at https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/Art/ota_developer_flow_chart.jpg
I am currently on Phase 2 Step 3, where I am trying to pass a CA to the device.
Below are the request calls made from the device:
- /enroll
- /profile
- /scep?operation=GetCACert&message=EnrollmentCAInstance
- /scep?operation=GetCACaps&message=EnrollmentCAInstance
- /scep?operation=PKIOperation&message=MMIC....
The certificate I am trying to send is a trusted VeriSign certificate. I have verisign.cer and verisign.pem files which I am trying to send.
I get the following messages on the device, from step 1 to 5:
Installing Profile > Generating Key > Enrolling Certificate > The SCEP server returned an invalid response.
I am stuck at step 5; the device shows the error prompt "Profile Installation failed. The SCEP server returned an invalid response".
I first tried sending the .pem file through Java, and later tried sending the plist shown below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadCertificateFileName</key>
<string>Class 3 Public Primary Certification Authority</string>
<key>PayloadContent</key>
<data>MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJpSTbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNHciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZpA==</data>
<key>PayloadDescription</key>
<string>Provides device authentication </string>
<key>PayloadDisplayName</key>
<string>Class 3 Public Primary Certification Authority</string>
<key>PayloadIdentifier</key>
<string>com.myapp.deviceapi.cert.credential</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.security.pkcs1</string>
<key>PayloadUUID</key>
<string>7CBBABB4-98C5-41BF-9B87-7ACECB17471A</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Profile description.</string>
<key>PayloadDisplayName</key>
<string>Profile Name 9</string>
<key>PayloadOrganization</key>
<string>myapp</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5724A872-2D9E-49D1-B4EF-0E59C05C0B9B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
The MIME type sent as the response for the certificate is "application/x-pki-message".
It still gives the error "Profile Installation failed. The SCEP server returned an invalid response" when sending the plist.
What is this error all about? I am unable to trace the actual issue.
For now I am passing only one certificate. What if I have multiple certificates to attach? How can I pass multiple certificates? An example is Cisco's Meraki, which passes multiple certificates to the device on enrollment.
Kindly help!!
I am also pasting the SCEP configuration. Based on what is mentioned in the OTA document, I created the SCEP specification below (this is what we pass in Phase 2 Step 1):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>Ignored</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadIdentifier</key>
<string>Ignored</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>URL</key>
<string>http://myserver-url/deviceapi/ios/scep</string>
<key>Name</key>
<string>EnrollmentCAInstance</string>
<key>Subject</key>
<array>
<array>
<array>
<string>O</string>
<string>myapp ltd</string>
</array>
</array>
<array>
<array>
<string>CN</string>
<string>myapp mdm cert</string>
</array>
</array>
</array>
<key>Challenge</key>
<string>challengesessionvalue1234</string>
<key>Keysize</key>
<integer>1024</integer>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures SCEP</string>
<key>PayloadUUID</key>
<string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadDisplayName</key>
<string>SCEP (myapp Inc)</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadOrganization</key>
<string>myapp</string>
<key>PayloadIdentifier</key>
<string>com.example.profileservice.scep</string>
</dict>
</array>
</dict>
</plist>
Please let me know if there is anything wrong with my specifications.
Thanks.. :)
Edit: MDM - Credentials
Below is the MDM payload with the credentials of the PKCS12 certificate being installed.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadCertificateFileName</key>
<string>localhost</string>
<key>PayloadContent</key>
<data>
MIIK6gIBAzCCCqoGCSqGSIb3DQEHAaCCCpsEggqXMIIKkzCCBdQG
CSqGSIb3DQEHAaCCBcUEggXBMIIFvTCCBbkGCyqGSIb3DQEMCgEC
oIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjtDXjBznRs1QICB9AE
ggTYkRxcS4EDfGpcLg4atoCNVS9mCgkzQV0yna3X6BnxJXMct8JG
3yP7Sv+Avagz5oL699PMgWRgohBRASDKpRZdzBIJqX5IxvyIQDXL
1s6YP/v9Pb4ZPBf5FItOiVvuuwhaZEuXEpWEmk987bF5kDpZfEAs
rAu9TJqpsGvUzHLYdl8MgUlgxYdZl8YT6pyvgCBJcOtaC+uh9AtZ
w+oI/xXeIxaA8HIzpyLm5n7SblEc+cotCipIlCXCEJmCmGFdO8Rf
UArT3gL2i3x/5AAxTJs1Z+M71L4pglv1dEO+eSZqg6rZTwXtE5Jt
qPmgCS+PbuYlbP8hAVpwRpiEVynccZDOV0O1gTKgp8AOrSaKTv4Y
ffCIr6oVeEyWTCuei+UWkuO/BaoaNx4QG+gDVpJneJ08wsYPdHcE
nzykutrR2nVIcqf/StW9YYQtfKzYCmIMMqKDzO0nnjpKTkZYZfmu
m5eH65PBC2ZvGhet8q1ErG/GjUbKmDQdDaDhrmLNH6XCueo4/DTx
ImVvhm/zRhcKtoEoNag1R9PExpr2DqRm2eMtb7UEWRI7KNHyVW5q
JCyjb2gXGDWLIZGUl8aKvpCrOHc/N0ZGHVHz9FDzYUBQz8Wat2ky
avtOrLrHKimMjqGgk3vmwEK7H+YwhuXKXOXVsjGoK8qShie2JTLC
hCPA0HsachyS/hOoYe7VoZXK2LFT4wn4wDxcI1qowA8SJITxsxCj
xaSf1o9qPkT16CL3+oVpPyU/aTxIKMPwrNW5RQZqwUySwchytHkQ
fZ8ql8SPS+79QGlgk/guE8OdBN656chK2XSV6bNmn+K1JkFCN0BO
kU1LspcCLQ3u87sLL69MLYPoIcdSXBB6FC4GcdFl18pDB5VbXjjq
wVgdgCRel5+5y10YzqHpdr2KlaCCO9HajfX0Sqt2AbLwAqOGk0XC
Mz8Hz83O0aZD/F/EKPHWGiYNGloKsVTVOaqR46YK078fn6/2/BTd
pXxboCAig9P7TOTQ6H70SdjuTaz36bani3LNA9GAgJ+mzm2WnloN
hFZy1mZ3RVqRInBhfjwSpyg6KbFBE1XnjUiR2Qp12zOfL5ec/L2Y
9J/kDVVEY5rDHOvLzFfzvGzAPehn1V/SYZZIBvJd8nBHWoxw2aSj
U9BMSet1S6zGV9jFDDAFBWuf5q3cCK2TqLxj9j+5f+mceFDagA8s
NU47XZHnYI1QeNMXe33gC34gIinlQsCfCgQPnNDeT1ulxnySSQZL
D9Puen/xEbxVBairzJwamyb7y52wP2e77zGdSJcQoBTxSKkOBRiF
jr7enjDnbDt6ved/PLAmbKHiFgDG1iWWJb5Tt5xcbfEDYJryJYs+
t0N8ZU4yKC99F5jXdIXbZCa39UK1V3b/PBr2idGi7nKKAhkDUbRp
gJlGXehE0VYUNsP9jDD3WxxyNS2eRAgofYR45+Jmzd3dxNdOohen
fR2TAkjZ4WDRLWDJ+aZXfpPFsEE5ORSEo11L6EFl1j/7j9H9vF/J
QO0+EdLywtlC6NmfJZsgVD/zNUyIiGam5C3zDGWkbf5IpKm3j3ML
YcrJgjVvKQsfxV8JbzYmWBUO6+LoSnImlLj2ZXOtFSC0DccrSR/i
SkKwpbGl2mauz/cOKr4jZ8Ddlp5SiX5gSKGAYAd05tJbBjGBpzAT
BgkqhkiG9w0BCRUxBgQEAQAAADAjBgkqhkiG9w0BCRQxFh4UAHEA
aABtAGQAbQBzAHQAbwByAGUwawYJKwYBBAGCNxEBMV4eXABNAGkA
YwByAG8AcwBvAGYAdAAgAEUAbgBoAGEAbgBjAGUAZAAgAEMAcgB5
AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIA
IAB2ADEALgAwMIIEtwYJKoZIhvcNAQcGoIIEqDCCBKQCAQAwggSd
BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBBjAOBAjSasdoShqGBAIC
B9CAggRwr6MRhXWIAuyqxWfmtsFfW4og5sR1BA4AdYAQmIStO00U
pvpm/aFJh6uFCjStXiZAY7YgYeJOFJ9p5O5kE3TDByJ3ZNiH1akH
m2nTpv8vDUoeHycbheC+EdKX95OC+MlABM/jSnw0XgDkcnZ3DbVQ
I18aWFFWr05Y9baxB0Vwtspn1lDAG9p3iN3j/D7Yeh1d0/4eoSWr
9X++tPvTbbM8lVUNj9TD2DD+NF4DCsMlZLrDQYaCSYLd526wLh0n
zwG2r1L6xhByvicTLkqqAkthNJ3iaEHMPZ7zDtJ8ptiYtg6bkXVZ
6XO4SE8ZZPb+5/ndOutAzzDMu1MYGndJnp/QCjqBOW21UI9U8vyg
haroHaRl4NBpNdxpr1PIsjVIE+pCfldFCZ25akE46q/azkTJKF4n
wnjDWfjzOq7i7aLasHHWKpTvh8e1lYC/aw9mCoBIbYUgcihzY36w
/qWs4mfErRwfuWRgEB5pcqxgnCgCtr2Fe/xPeCb1MuvUVYGBt3ja
KRRZbwmDhHgMH/hDso3ThkcaklQOxH89y2v4CtBj0V/iJjWLgzjk
8gg2FKLd/mcZTcwdzvIuJaDEVGDQGoH1glxl5dXCvpsZU+ZHT3hw
H0Ny685G+QDPZxa9Jdj36p75McCJENu7qu4++Y2CrSc9TeN8W9Q+
o82ct7wfFYurCMP575Tk/jYyEfNXdVoYUUJQlp7/gR7A94Ej4R8n
/LDyPg4KgIPWLR2S6aCRUN2/ESKUpiXkF0jnwgjn7BVFuRzN0F51
SjWPu6nuHJJnD19TVdDmLUW4bMIeBRJVjwO0eu13jUA+Ho7lVcJ8
VWmXP5xZ5rIREjU9ar01jbOtZYRI7xHK9sZaHWEAVsL4Z5+rM2yK
fE/zxRNpRqmnjmWeEWbXMxkACrYzTXZXkH9kvCqu74z1j51TEl6b
dsCM8ps6giXLY3C8xmIEOM6wAigkJh8TzsAB8LRyIKa4suwTYLDN
r9NhAAJcslzHSKGs5+dZYS10OakjgQJIpAQ4ndW1ayH7WBTNzJ7H
Wb64jL0t4uETpS3DZENqwOi8xlsxilGnzbaKPy1AuJvj4meZ6Sjd
GzM1c0x4+GrfrUEU227QXm8CzrJrscw3VF30CNFZThHXDtzEL1l8
+IQ4rY5ITtRoMm6+LNCAY8oOFUaAL07NhRllRS/MTUucnLjNzjLA
Iy8GMltqERplck38BnkuYGlko8uE4OkqfbpL8RaIkW+5SAICf30I
WTQRF5LRWfHwJNKNWPClFxqt9gZisMGJyXKtLQZAyEjATNU7ziVK
9w3KzT/dbxkDMRT9dciazXUZBTYh1jYPMpqpXUhYTuxPnMkRlDB5
b6o3AoeaVpb9fg0APRVALWXJmTtww/wc+fVpnY4TBoLUlWuUFHeO
ix0GZfSE07SfK3dy7PNtGdiIBp/TkEEXxTROqpZ5cQXzpdX4+lNM
t9Srv3MbRPbXMwGi+8UeXMN+VHKOZrrjmgXTyItp9Pc0ohDsH/3a
5xymKuGAOb+8NL4wNzAfMAcGBSsOAwIaBBTjRVHGzvf6MX6e7vpc
sy0ACsE/ugQUmgpxIC70yqmN6+FSpWkr4hkXNMA=
</data>
<key>PayloadDescription</key>
<string>Provides device authentication (certificate or identity).</string>
<key>PayloadDisplayName</key>
<string>localhost</string>
<key>PayloadIdentifier</key>
<string>com.myserver.test.credential1</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>CEB5AD2E-97A2-4B59-96AA-56B2B1732528</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>AccessRights</key>
<integer>8191</integer>
<key>CheckInURL</key>
<string>https://10.10.25.153:8443/company/checkin</string>
<key>CheckOutWhenRemoved</key>
<true/>
<key>IdentityCertificateUUID</key>
<string>CEB5AD2E-97A2-4B59-96AA-56B2B1732528</string>
<key>PayloadDescription</key>
<string>Configures MobileDeviceManagement.</string>
<key>PayloadIdentifier</key>
<string>com.myserver.test.mdm2</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.mdm</string>
<key>PayloadUUID</key>
<string>615074E6-4799-49FF-9107-CEF07FEEBC1A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ServerURL</key>
<string>https://10.10.25.153:8443/company/checkin</string>
<key>SignMessage</key>
<true/>
<key>Topic</key>
<string>com.apple.mgmt.myserver.test</string>
<key>UseDevelopmentAPNS</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Profile description.</string>
<key>PayloadDisplayName</key>
<string>MDM Payload with Credentials</string>
<key>PayloadIdentifier</key>
<string>com.myserver.test</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>B6F82762-17FE-441A-8B4F-41F82E3A8E8C</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Answer 1:
SCEP is quite a complex protocol. You can't just send a .pem or a plist back. As I remember, you have to send a certificate encrypted/signed in a PKCS7 envelope.
Frankly, you don't want to spend time figuring out this protocol and implementing it.
I would recommend going with the jSCEP library, which implements it, or EJBCA, which implements it too.
BTW, you can't just send a random certificate in the response to this SCEP request; you actually need to extract the CSR which is part of this request, sign it, and send this newly created certificate back.
Your other option is to use PKCS12. In this case, you don't need to have a SCEP server. You just send the certificate + private key in PKCS12 form. However, it's a less secure option (because your server knows the private key of the device).
Answer 2:
Here is what I did to successfully install an MDM payload with a valid certificate in PKCS12 format.
I followed the steps below.
- Created an SSL certificate in .jks and converted it into .cer and .p12 format respectively.
- The .JKS was used by the server as the hosted certificate.
- Installed the .cer first on the machine as a trusted root, then created an IPCU mobileconfig with a credential payload containing the .cer file.
- Then installed the .p12 certificate on the machine. Created an MDM payload with MDM (Mobile Device Management) and Credentials in IPCU.
- Used the .p12 certificate, with its private key, in the credentials and linked this certificate to the Identity of the MDM payload.
- The MDM payload profile was installed successfully and the check-in (checkin) URL was called internally, with the Authentication message type first and then the TokenUpdate message type later.
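The three server-side pieces this thread touches, as an added example that is not code from the question or either answer: issuing a certificate from the device's CSR (the part of a SCEP PKIOperation response that answer 1 describes; the PKCS#7 CertRep wrapping around it is left to a SCEP library such as jSCEP), packaging key + certificate as PKCS#12 (answer 2's route), and, going beyond the single-certificate plists in the question, building a configuration profile that carries several certificate payloads. It uses the `cryptography` package and the standard-library `plistlib`; the CA, subjects, payload identifiers and the `chains_to`/`from_pkcs12`/`profile_certificates` helpers are constructed for the demo and are not part of any Apple or jSCEP API.

```python
"""Added example, not code from the question or either answer.
Uses the `cryptography` package and stdlib plistlib; CA, subjects and
identifiers are constructed for the demo."""
import datetime
import plistlib
import uuid

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER

def _name(org, cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))

def make_ca():
    """Constructed self-signed CA standing in for the enrollment CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name("myapp ltd", "demo enrollment CA")
    cert = (_builder(name, name, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_device_csr():
    """Stand-in for the device's 'Generating Key' step; subject mirrors the SCEP payload."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name("myapp ltd", "myapp mdm cert")).sign(key, hashes.SHA256()))
    return key, csr.public_bytes(DER)

def issue_from_csr(csr_der, ca_key, ca_cert, days=365):
    """The step answer 1 describes: take the CSR out of the PKIOperation request,
    check its proof of possession, then sign a leaf certificate for it. Key usage
    digitalSignature + keyEncipherment is what 'Key Usage' 5 in the SCEP payload asks for."""
    csr = x509.load_der_x509_csr(csr_der)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; refusing to issue")
    return (_builder(csr.subject, ca_cert.subject, csr.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_encipherment=True, content_commitment=False,
                data_encipherment=False, key_agreement=False, key_cert_sign=False,
                crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
            .sign(ca_key, hashes.SHA256()))

def chains_to(cert, ca_cert):
    """True if cert's signature verifies under ca_cert's key and the issuer name matches."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    return cert.issuer == ca_cert.subject

def to_pkcs12(key, cert, ca_cert, password):
    """Answer 2's route: key + cert + CA in one PKCS#12 blob for a pkcs12 payload
    (note the server now holds the device's private key)."""
    return pkcs12.serialize_key_and_certificates(
        b"localhost", key, cert, [ca_cert], serialization.BestAvailableEncryption(password))

def from_pkcs12(blob, password):
    """Reads a PKCS#12 blob back; returns (leaf certificate, [extra certificates])."""
    _key, cert, extra = pkcs12.load_key_and_certificates(blob, password)
    return cert, extra

def certificate_payload(cert, display_name):
    """One com.apple.security.pkcs1 payload; every payload needs its own UUID and identifier."""
    return {"PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
            "PayloadIdentifier": f"com.myapp.deviceapi.cert.{uuid.uuid4()}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": display_name,
            "PayloadCertificateFileName": f"{display_name}.cer",
            "PayloadContent": cert.public_bytes(DER)}

def build_profile(certs):
    """Configuration profile with any number of certificate payloads; plistlib emits bytes as <data>."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.myapp.deviceapi.certs",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Trusted certificates",
        "PayloadContent": [certificate_payload(c, n) for n, c in certs]})

def profile_certificates(profile_bytes):
    """Parses a profile back into [(display name, DER bytes)]."""
    return [(p["PayloadDisplayName"], p["PayloadContent"])
            for p in plistlib.loads(profile_bytes)["PayloadContent"]]

def demo():
    ca_key, ca_cert = make_ca()
    dev_key, csr_der = make_device_csr()
    dev_cert = issue_from_csr(csr_der, ca_key, ca_cert)
    p12 = to_pkcs12(dev_key, dev_cert, ca_cert, b"changeit")
    profile = build_profile([("enrollment-ca", ca_cert), ("device", dev_cert)])
    return ca_cert, dev_cert, p12, profile

if __name__ == "__main__":
    ca, dev, p12, profile = demo()
    print(dev.subject.rfc4514_string(), "chains to CA:", chains_to(dev, ca))
    print(profile.decode()[:300])
```

`issue_from_csr` refuses a CSR whose self-signature does not verify, which is the proof-of-possession check a responder should make before issuing; `chains_to` is the check the device effectively performs against the CA it fetched with GetCACert, so running it on the issued certificate before sending the response catches a mismatched signing key early. In a real SCEP flow the CSR arrives inside the PKCS#7 of the PKIOperation request and the issued certificate goes back inside a PKCS#7 CertRep with the `application/x-pki-message` content type; that envelope handling is what a library like jSCEP provides.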
Source: https://stackoverflow.com/questions/25073276/ios-mdm-enrollment-scep-specification-and-pkioperation-and-operation-pkioperatio