
Insert pkcs12 to mobileconfig file

How do I insert a .p12 file in a .mobileconfig file?

Apple configuration utility currently performs some unknown transformation/encoding on the .p12 file while inserting it in .mobileconfig (It is just an XML file).

I want to create this .mobileconfig file without using the Apple iPhone configuration utility by directly creating an XML file.

Thanks

One way to accomplish this is base64 encoding the PKCS#12 file. This, for instance, works with PHP:

openssl_pkcs12_export( $strCertPEM, $strCertPkcs12, $resKey, $strCertPW );    
$arrCertBase64 = str_split( base64_encode($strCertPkcs12), 52);
$xmlUserCertPlist = plistVar('PayloadContent',$arrCertBase64,'data');

function plistVar($key,$var,$type)
{
  //...snip...
  if ( $type == 'data' ) return plistData($key,$var);
  //...snip...
}

function plistData($key,$arr)
{
  //...snip...
  $xml = "<key>". $key ."</key>\n";
  $xml .= "<data>\n";
  foreach ($arr as $val) { $xml .= $val."\n"; }
  $xml .= "</data>\n";
  return $xml;
}

If you want to insert the .p12 file inside the iPhone configuration file, you just have to select the credential tab on the iPhone configuration utility of the selected configuration file. When you configure it, it will ask for the .p12 file to attach to the .mobileConfig file.

I have a configuration file created using the iPhone configuration utility. The following will get changed when you attach the .p12 file to your configuration file.

The following dictionary will get attached to the xml file after the creation of the .mobileconfig file:

    <dict>
        <key>Password</key>
        <string>password_value</string>
        <key>PayloadCertificateFileName</key>
        <string>certificate_name.p12</string>
        <key>PayloadContent</key>
        <data>
        //converted data from the certificate
        </data>
        <key>PayloadDescription</key>
        <string>Provides device authentication (certificate or identity).</string>
        <key>PayloadDisplayName</key>
        <string>Certificate_name.p12</string>
        <key>PayloadIdentifier</key>
        <string>company.Identifier</string>
        <key>PayloadOrganization</key>
        <string>Company name</string>
        <key>PayloadType</key>
        <string>com.apple.security.pkcs12</string>
        <key>PayloadUUID</key>
        <string>UUId of the device</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>

In addition to steps mentioned by Anil, read binary data from pkcs12 certificate and then encode it using base64 encoding. You can put that data in the xml mentioned by Anil.

<data>base64 encoded data
</data>
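The answers above come down to one rule: `PayloadContent` holds the raw .p12 bytes, base64-encoded inside `<data>`. The following is an added example, not code from any of the answers; it builds the same `com.apple.security.pkcs12` dictionary with Python's `plistlib`, which performs that encoding itself for `bytes` values. The function names, the outer profile wrapper and the sample bytes are assumptions made for illustration.

```python
import plistlib
import uuid


def pkcs12_payload(p12_bytes, filename, identifier, password=None):
    """Build the com.apple.security.pkcs12 payload dictionary shown above."""
    payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": filename,
        "PayloadCertificateFileName": filename,
        # plistlib writes bytes as <data> containing base64 text, which is
        # the "unknown transformation" the question asks about.
        "PayloadContent": p12_bytes,
    }
    if password is not None:
        # Written as a plain <string>: anyone who can read the profile
        # file can read the .p12 passphrase.
        payload["Password"] = password
    return payload


def build_mobileconfig(payloads, identifier, display_name):
    """Wrap payload dictionaries in a top-level profile, return XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def extract_p12(mobileconfig_bytes):
    """Round-trip check: recover the raw PKCS#12 bytes from a profile."""
    profile = plistlib.loads(mobileconfig_bytes)
    return [p["PayloadContent"] for p in profile["PayloadContent"]
            if p.get("PayloadType") == "com.apple.security.pkcs12"]


if __name__ == "__main__":
    # Constructed placeholder bytes; a real run would use
    # open("certificate_name.p12", "rb").read() instead.
    sample = bytes(range(256)) * 2
    inner = pkcs12_payload(sample, "certificate_name.p12", "company.Identifier.cred")
    print(build_mobileconfig([inner], "company.Identifier", "Example").decode())
```

Running `extract_p12` on a generated profile and comparing the result with the original file confirms the embedded identity was not altered by the encoding.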

I happen to be working through this right now in my current position, deploying scripts to generate n.mobileconfig files for Mac OS workstations.

It helps to reference the official Apple documentation on 802.1X Authentication, as they do provide an XML template and notes about it. Also, referenced in many other places is mactls.sh. I used that template to generate my mobileconfigs.

To get the base64 content of the pkcs12 file, cat the existing pkcs12 file into openssl:

B64PK12=$(cat "${PK12}" | openssl enc -base64);

Use that variable to interpolate into your XML, provided you are using templates for your mobileconfig files.

I was including both RADIUS CA and the decrypted PKCS12 file contents initially, with only the CA being imported, despite it not being base64 encoded. After base64 encoding both the CA and the pkcs12 contents, both were then added to the specified Keychain.

Hope this helps.

You can use an apple script for creating a mobileconfig with the p12 inside. I've been able to do it and it works great. I'm afraid I can't share the code, but I can say it works.

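Notice: The technical posts on this site are licensed under CC BY-SA 4.0. If you republish them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.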

 