Identity certificate - IOS MDM

Question

I have few questions regarding Identity certificate in Profile Payload.

Forgive the ignorance, if some questions are basic.

1.) I found that, we can either use SCEP standard or PKCS12 certificate directly for device identification. SCEP is recommended, since private key will be known only to the device. So in case If I am going to implement SCEP server, do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?

2.) What is the best possible way to implement SCEP server.? Is there any reliable robust methods available to adopt it instead of writing everything on our own?

3.) What if the identity certificate is expired?

As a basic version while playing around, I tried to add my own p12 certificate to the Payload without using SCEP.

I tried to add the base64 encoded p12 certificate in the identity payloadcontent key,as mentioned in some link reference. I got an error

The identity certificate for “Test MDM Profile” could not be found

while installing profile.

  identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
  identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
  identity_payload['PayloadVersion'] = 1
  identity_payload['PayloadContent'] = Base64.encode64(File.read "identity.p12")
  identity_payload['Password'] = 'p12Secret' 

When I checked 'Configuration Profile key reference' , it was mentioned that I should send Binary representation of Payload in Data. So I tried,

  identity_payload['PayloadContent'] = ConvertToBinary(File.read "identity.p12")

I got,

The password for the certificate “IdentityCertificate” is incorrect

I am supplying valid password for exporting the p12 certificate.

What am I doing wrong?

Answer 1

Answering your question:

1) Do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?

Yes. You need some kind of mapping. You can do couple of ways:

• Just store it in DB a mapping between certificate common name and device UDID.
• Make CN contain UDID (I like this method, because it simplifies initial checks)

And as you pointed out you will need public key to encrypt payloads for this device.

2) What is the best possible way to implement SCEP server.? Is there any reliable robust methods available to adopt it instead of writing everything on our own?

There are open source implementation of SCEP. As example jSCEP have it (I used it) and EJBCA have it (I used it too). I saw other implementation (in Ruby and so on). So, you can find an choose something which works with your stack.

3) You need to renew identity certificate before it expeires (the same way as for any other certificates).

4) If your profile doesn't work, I would recommend you to create the same profile in iPhone Configuration Utility and compare with yours. Most of the time, you missed just one tag or something like that (it will take a lot to figure it out without comparing it with working one).