MDM Server certificate to be used for SSL handshake with iPhone device

I am trying to perform SSL Handshake between the iPhone device and my MDM Server. I have used iPhone configuration Utility (iPCU) and configured SCEP and MDM. SCEP works fine, the device receives the issued certificate from the CA.

In the MDM Payload, I have used the subject of the APNS certificate in the topic and entered the server IP with port 1234. As an identity, I have used the identity of the SCEP Certificate.

The iPhone generates the key and enrolls successfully, but then when it tries to install the profile by contacting the MDM server, I receive this error in the IPCU console: "The server certificate for https://[IP here]:1234 is invalid".

My MDM Server application, which is programmed using C#.NET, complains that "AuthenticationException: the SSPI has failed because the context has expired and can no longer be used". So my question is, what certificate should I have on my MDM server - is it the MDM certificate received from the iOS Provisioning portal, the Apple push certificate of the customer, or the certificate of the SCEP Server?

If someone could answer this question, I would be really grateful, as I have spent hours and I can't figure it out.

When an iOS device is registering with your MDM service, it needs to know it is talking to the correct server. Your MDM server's SSL certificate helps it do this. This certificate is just like other web service certificates and will have as its CN (common name) the name used in the URL that the iOS device uses to enroll in your MDM service. For example, if the MDM enrollment URL is https://mymdmservice.mydomain.com the CN would be mymdmservice.mydomain.com.

The MDM service's certificate signing chain needs to be recognized by the mobile device. In particular, you could use any certificate issued by one of the usual registrars (e.g., Verisign or Comodo).

You can use a self-signed certificate, but you would have to add it to the device's trusted root certificate store (see http://fixmyitsystem.com/2012/01/install-corporate-pki-root-ca-on-ios.html ).
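The answer above hinges on one rule: the name the device sees in the enrollment URL must be covered by the server certificate's CN or, when present, its subjectAltName entries. That is exactly what goes wrong when the URL carries a bare IP address, as in the question, and the certificate only names a DNS host. The following Python check is an added example, not code from the original thread or from any MDM product. It takes an enrollment URL and a certificate in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, and reports whether the certificate's names cover that host; the sample certificates and the 192.0.2.10 address are constructed for illustration.

```python
"""Check whether an MDM server certificate covers the enrollment URL's host.

Implements the name-matching part of RFC 6125 / RFC 2818 that a client such
as an iOS device applies: if the certificate has any subjectAltName entries
the CN is ignored, DNS names match case-insensitively with at most one
leading '*' label, and an IP-literal URL needs a matching iPAddress SAN.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a certificate issued for the DNS name used in the answer.
SAMPLE_DNS_CERT = {
    "subject": ((("commonName", "mymdmservice.mydomain.com"),),),
    "subjectAltName": (("DNS", "mymdmservice.mydomain.com"),
                       ("DNS", "*.mydomain.com")),
}

# Constructed sample: a certificate that legitimately names an IP address.
SAMPLE_IP_CERT = {
    "subject": ((("commonName", "mdm-by-ip"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}


def cert_names(cert):
    """Return (dns_names, ip_names) the certificate is valid for.

    The CN is only consulted when the certificate carries no SAN at all.
    """
    san = cert.get("subjectAltName", ())
    dns = [value for kind, value in san if kind == "DNS"]
    ips = [value for kind, value in san if kind == "IP Address"]
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def dns_match(pattern, host):
    """Match a certificate DNS name (possibly '*.example.com') against a host.

    The wildcard must be the entire leftmost label and may not stand for more
    than one label; '*.com' style patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_enrollment_url(url, cert):
    """Return (ok, reason) describing whether cert covers the URL's host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "enrollment URL must use https"
    host = parts.hostname  # port and brackets around IPv6 literals are stripped
    if not host:
        return False, "enrollment URL has no host"
    dns, ips = cert_names(cert)

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        if any(ipaddress.ip_address(i) == ip for i in ips):
            return True, f"iPAddress SAN covers {host}"
        return False, (f"URL uses the IP literal {host} but the certificate "
                       f"names {dns or ips or 'nothing'}; enroll against a DNS "
                       f"name the certificate covers, or reissue it with an "
                       f"iPAddress SAN")

    if any(dns_match(p, host) for p in dns):
        return True, f"certificate name list {dns} covers {host}"
    return False, f"no CN/SAN entry in {dns} matches {host}"


if __name__ == "__main__":
    for url, cert in [("https://mymdmservice.mydomain.com:1234/enroll", SAMPLE_DNS_CERT),
                      ("https://192.0.2.10:1234/enroll", SAMPLE_DNS_CERT),
                      ("https://192.0.2.10:1234/enroll", SAMPLE_IP_CERT)]:
        print(url, "->", check_enrollment_url(url, cert))
```

The second case in the usage block reproduces the situation in the question: the device is pointed at `https://<IP>:1234`, the certificate names a DNS host, and the client correctly refuses the handshake. Fixing the URL to the certificate's DNS name (or issuing a certificate with an iPAddress SAN, which public CAs rarely do) resolves the name check; the chain still has to end in a root the device trusts, as the answer's last two paragraphs describe.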
