
Identity certificate - iOS MDM

I have a few questions regarding the Identity certificate in the Profile Payload.

Forgive the ignorance if some questions are basic.

1.) I found that we can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key will be known only to the device. So in case I am going to implement a SCEP server, do I need to maintain the list of public keys of identity certificates mapped to the device, so that I can use it later for encrypting?

2.) What is the best possible way to implement a SCEP server? Is there any reliable, robust method available to adopt instead of writing everything on our own?

3.) What if the identity certificate has expired?

As a basic version while playing around, I tried to add my own p12 certificate to the Payload without using SCEP.

I tried to add the base64 encoded p12 certificate in the identity PayloadContent key, as mentioned in some link reference. I got an error

The identity certificate for “Test MDM Profile” could not be found

while installing the profile.

  require 'base64'

  identity_payload = {}
  identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
  identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
  identity_payload['PayloadVersion'] = 1
  # Base64 text of the .p12 file; this is the version that gave "could not be found"
  identity_payload['PayloadContent'] = Base64.encode64(File.read "identity.p12")
  identity_payload['Password'] = 'p12Secret'

When I checked the 'Configuration Profile Key Reference', it was mentioned that I should send the binary representation of the payload as Data. So I tried,

  # ConvertToBinary stands for whatever produced the raw bytes of the .p12 file
  identity_payload['PayloadContent'] = ConvertToBinary(File.read "identity.p12")

I got,

The password for the certificate “IdentityCertificate” is incorrect

I am supplying the valid password used for exporting the p12 certificate.

What am I doing wrong?

Answering your question:

1) Do I need to maintain the list of public keys of identity certificates mapped to the device, so that I can use it later for encrypting?

Yes. You need some kind of mapping. You can do it a couple of ways:

  • Just store in the DB a mapping between certificate common name and device UDID.
  • Make the CN contain the UDID (I like this method, because it simplifies initial checks)

And as you pointed out, you will need the public key to encrypt payloads for this device.

2) What is the best possible way to implement a SCEP server? Is there any reliable, robust method available to adopt instead of writing everything on our own?

There are open source implementations of SCEP. As an example, jSCEP has it (I used it) and EJBCA has it (I used it too). I saw other implementations (in Ruby and so on). So you can find and choose something which works with your stack.

3) You need to renew the identity certificate before it expires (the same way as for any other certificate).

4) If your profile doesn't work, I would recommend you to create the same profile in iPhone Configuration Utility and compare it with yours. Most of the time you missed just one tag or something like that (it will take a lot to figure it out without comparing it with a working one).
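As an added example (not code from the question or the answer), the Ruby script below ties the two threads above together: it emits the com.apple.security.pkcs12 identity payload with PayloadContent serialised as a plist `<data>` element holding the raw DER bytes, which is what the Configuration Profile Key Reference means by "Data" (a Base64 text string ends up as `<string>` and the device has no certificate to find), and it puts the device UDID in the certificate CN so the server can map a presented identity straight back to the device record, as the answer's second option suggests. The UDID, password, PayloadIdentifier strings and the self-signed issuance are constructed assumptions; a real MDM would have the device obtain the identity from its CA (for example over SCEP) and would serialise the profile with a plist library such as CFPropertyList, where the same rule applies: hand PayloadContent over as a `CFPropertyList::Blob`, not a String.

```ruby
# Added example, not code from the question or the answer: issue a device
# identity whose CN is the UDID, wrap it as PKCS12, emit the
# com.apple.security.pkcs12 payload with PayloadContent as plist <data>,
# and map a presented certificate back to its device record.
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed sample values; in practice the UDID comes from the enrolment.
SAMPLE_UDID     = '0123456789abcdef0123456789abcdef01234567'
SAMPLE_PASSWORD = 'p12Secret'

# Wrapper for bytes that must be serialised as a plist <data> element.
Blob = Struct.new(:bytes)

# Self-signed stand-in for the MDM CA: the CN carries the UDID.
def make_identity(udid, password)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1 + SecureRandom.random_number(2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/O=Example MDM/CN=#{udid}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  # PBES2/AES-256 for the key and cert bags instead of the legacy RC2/3DES PBEs.
  OpenSSL::PKCS12.create(password, 'IdentityCertificate', key, cert, nil,
                         'AES-256-CBC', 'AES-256-CBC')
end

# Minimal XML plist serialiser: a Blob becomes <data>, a String becomes
# <string>, which is the difference between a PayloadContent the device
# can open and one it reports as "could not be found".
def to_plist(value, indent = '')
  case value
  when Hash
    body = value.map do |k, v|
      "#{indent}  <key>#{k.encode(xml: :text)}</key>\n" + to_plist(v, indent + '  ')
    end.join
    "#{indent}<dict>\n#{body}#{indent}</dict>\n"
  when Array
    "#{indent}<array>\n#{value.map { |v| to_plist(v, indent + '  ') }.join}#{indent}</array>\n"
  when Blob        then "#{indent}<data>#{Base64.strict_encode64(value.bytes)}</data>\n"
  when String      then "#{indent}<string>#{value.encode(xml: :text)}</string>\n"
  when Integer     then "#{indent}<integer>#{value}</integer>\n"
  when true, false then "#{indent}<#{value}/>\n"
  else raise ArgumentError, "unsupported plist type #{value.class}"
  end
end

def identity_payload(p12_der, password)
  {
    'PayloadType'        => 'com.apple.security.pkcs12',
    'PayloadIdentifier'  => 'com.example.mdm.identity', # assumed identifier
    'PayloadUUID'        => SecureRandom.uuid.upcase,
    'PayloadVersion'     => 1,
    'PayloadDisplayName' => 'IdentityCertificate',
    'PayloadContent'     => Blob.new(p12_der), # raw DER bytes, never a Base64 String
    'Password'           => password
  }
end

def build_profile(payloads)
  profile = {
    'PayloadType'        => 'Configuration',
    'PayloadIdentifier'  => 'com.example.mdm.profile', # assumed identifier
    'PayloadUUID'        => SecureRandom.uuid.upcase,
    'PayloadVersion'     => 1,
    'PayloadDisplayName' => 'Test MDM Profile',
    'PayloadContent'     => payloads
  }
  header = <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
  XML
  header + to_plist(profile) + "</plist>\n"
end

# The check the device makes at install time: the <data> bytes must be a
# PKCS12 that opens with Password; a wrong password raises PKCS12Error.
def load_identity_from_profile(profile_xml, password)
  b64 = profile_xml[%r{<data>([^<]+)</data>}m, 1]
  raise ArgumentError, 'profile carries no <data> payload' unless b64
  OpenSSL::PKCS12.new(Base64.decode64(b64), password)
end

# Server side: the UDID is the CN of the client certificate the device
# presents, so a single lookup ties the request to its device record.
def udid_from_cert(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

def device_for(cert, registry)
  udid = udid_from_cert(cert)
  registry.fetch(udid) { raise KeyError, "no device enrolled with UDID #{udid}" }
end

if __FILE__ == $PROGRAM_NAME
  p12   = make_identity(SAMPLE_UDID, SAMPLE_PASSWORD)
  xml   = build_profile([identity_payload(p12.to_der, SAMPLE_PASSWORD)])
  ident = load_identity_from_profile(xml, SAMPLE_PASSWORD)
  puts xml
  puts "CN #{udid_from_cert(ident.certificate)} -> #{device_for(ident.certificate, SAMPLE_UDID => 'test iPhone')}"
end
```

Run it as a script and it prints the generated `.mobileconfig` XML followed by the CN-to-device lookup; the `PayloadContent` line is the one to compare against a profile exported from iPhone Configuration Utility, as the answer recommends.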
