I am trying to follow the instructions for creating DEP Server Tokens in Apple's Device Enrollment Program manual (https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/4-Profile_Management/ProfileManagement.html), but I don't really know how to "Generate a public/private key pair in PEM format for the MDM server".
I have a certificate from a trusted certificate authority, but how do I create the certificates from that?
The idea of a certificate for DEP is that Apple don't want to provide you the DEP token over SSL (unlike VPP token).
To retrieve that, they ask that you provide a PEM formatted public key via their portal (this is basically any openssl self-signed cert, like so:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
when uploading, use cert.pem file)
Then, when they return the result, use the private key to decrypt the CMS (PKCS7 Envelope):
openssl smime -decrypt -inform pem -in fileFromApple.p7 -inkey key.pem
Note that we use file from Apple and the key that we generated in the first command.
Note: it has been over a year since I've done this in practice, but in principle these commands should work.
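The exchange described in this answer can be rehearsed offline before the real upload. The script below is an added example, not part of the original answer and not Apple's tooling: the portal's side is simulated by encrypting a constructed token to cert.pem, and the `-nodes`/`-subj` options, the subject name and the function names are assumptions made so that it runs without prompts.

```bash
set -eu

# Steps 1 and 2 in directory $1: create the key pair, then build the kind of
# envelope the portal sends back.
make_envelope() {
    # Key pair plus self-signed certificate. Drop -nodes to passphrase-protect
    # key.pem, as the command in the answer does.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mdm.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"   # only cert.pem is uploaded; the key stays here

    # Stand-in for the portal: encrypt a constructed token to cert.pem.
    # The sender needs nothing but the public certificate.
    printf '%s\n' '{"note":"constructed sample, not a real DEP token"}' \
        > "$1/token.json"
    openssl smime -encrypt -binary -aes256 -outform pem \
        -in "$1/token.json" -out "$1/fileFromApple.p7" "$1/cert.pem"
}

# Step 3: succeeds only if private key $2 recovers the original token from
# the envelope in directory $1. The decrypted bytes are compared, because a
# failed decryption does not always surface as an openssl error.
recovers_token() {
    openssl smime -decrypt -inform pem -in "$1/fileFromApple.p7" \
        -inkey "$2" 2>/dev/null | cmp -s - "$1/token.json"
}

dir=$(mktemp -d)
make_envelope "$dir"
recovers_token "$dir/" "$dir/key.pem" && echo "key.pem: token recovered"

# A key that was generated separately cannot open the envelope, which is why
# key.pem has to be kept until the token has been decrypted.
openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
recovers_token "$dir" "$dir/other.pem" || echo "other.pem: token not recovered"
rm -rf "$dir"
```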
I was trying to figure out what I did wrong when uploading a new custom certificate to my rails application, and for whatever reason I thought it would be a good idea to rerun this command into my digitalocean #deploy user, even though I had already done this command and did all the steps for generating an ssl key with namecheap.com, and got PositiveSSL Certificate. Now, the private key does not match up with my positivessl certificate, and I cannot find the old privatekey anywhere. Does anyone have any suggestions on what I should do about this?
openssl req -new -newkey rsa:2048 -nodes -keyout myapp.net.key -out myapp.net.csr
If you lost your private key, you need to reissue the SSL Certificate.
The process is free in most Comodo (Sectigo) resellers like namecheap.
Just follow instructions on https://www.namecheap.com/support/knowledgebase/article.aspx/811/70/how-do-i-reissue-my-ssl-certificate
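Before requesting the reissue, it helps to confirm which files still belong together by comparing the public key inside each one. This is an added example, not part of the original answer; the function names, the subject name and the self-signed stand-in for the CA-issued certificate are assumptions so that it runs offline.

```bash
set -eu

# SHA-256 of the public key inside a PEM private key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest <key|csr|cert> <file>
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the private key pairs with the CSR/certificate, 1 if it does
# not, 2 if either file cannot be parsed (never report that as a match).
key_matches() {     # usage: key_matches <key file> <csr|cert> <file>
    local a b
    a=$(pubkey_digest key "$1") || return 2
    b=$(pubkey_digest "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# Constructed scenario in directory $1: the certificate is issued for the
# first key, then the same command is run again and overwrites key and CSR.
make_scenario() {
    local req="openssl req -new -newkey rsa:2048 -nodes -subj /CN=myapp.example.test"
    $req -keyout "$1/myapp.net.key" -out "$1/myapp.net.csr" 2>/dev/null
    # Stand-in for the CA-issued certificate (self-signed, so it runs offline).
    openssl x509 -req -in "$1/myapp.net.csr" -signkey "$1/myapp.net.key" \
        -days 30 -out "$1/myapp.net.crt" 2>/dev/null
    $req -keyout "$1/myapp.net.key" -out "$1/myapp.net.csr" 2>/dev/null
}

dir=$(mktemp -d)
make_scenario "$dir"
key_matches "$dir/myapp.net.key" cert "$dir/myapp.net.crt" \
    || echo "key does not match the issued certificate"
key_matches "$dir/myapp.net.key" csr "$dir/myapp.net.csr" \
    && echo "key matches the new CSR: submit this CSR for the reissue"
rm -rf "$dir"
```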
I am trying to create an FPS (FairPlay Streaming) certificate, but I am getting this error when I upload the CSR file which I created with Keychain Access on a Mac system.
These are some screenshots of creating CSR file using keychain access.
I am not able to understand what the solution to this error is.
Use the instructions you have received in <FPS_Credential_Creation_Guide.pdf> as part of the Deployment package to generate certificate signed request (CSR). Then upload this file as CSR file.
OpenSSL
Apple provides the OpenSSL application on macOS. Use openssl from the command line to generate the public/private key pair, certificate signed request (CSR).
Generate key pair
openssl genrsa -aes256 -out privatekey.pem 1024
Generate CSR
openssl req -new -sha1 -key privatekey.pem -out certreq.csr \
-subj "/CN=SubjectName/OU=OrganizationalUnit/O=Organization/C=US"
In your screenshots you are choosing 2048 RSA, but the error message states 1024 RSA is expected. Did you try generating a key using 1024?
As the error message indicates, the Certificate Signing Request requires the RSA-2048 algorithm. As an alternative, you can use openSSL to generate the CSR via the following steps:
Execute the following openSSL command to create a private key:
openssl genrsa -out privateKey.key 2048
Execute the following openSSL command to generate a certificate signing request (CSR) from the private key:
openssl req -new -key privateKey.key -out certificateSigningRequest.csr
I have an IIS running that has a page, which has a link:
Plist
That links to:
[RequireHttps]
public ActionResult DownloadPlist()
{
    return File(Url.Content("~/pathToPlist/file.plist"), "application/xml");
}
The link in the a href is ultimately:
itms-services://?action=download-manifest&url=https://myapp/test/downloadplist
I can take the last part https://myapp/test/downloadplist and access it in my browser, which presents me with the XML file. However when I try to install it using an iPad using the full itms link, it says:
Cannot connect to myapp
I have a self-signed certificate, created by IIS Manager and sent to my iPad through E-Mail. It can then be installed but it still says Not Trusted. I have a feeling that this is the problem but I am not 100% sure.
This is a common problem if you create the certificate with IIS. The problem is that the machine name does not match the host name. This is also described in Section 3 of this article.
The best solution is to create your own CA. Then add the CA's certificate to the iOS device and sign your own certificate with your CA. See Section 5 of this article, copied below.
Create your own Certificate Authority (CA) root certificate and then create certificates based on it. Instead of paying a commercial CA to create SSL certificates on your behalf, you are acting as your own CA. The advantage is that your custom CA certificate only has to be installed once on each device. The devices will then automatically trust any certificates you issue based on your root CA certificate.
Creating the CA certificate
First create a private key file:
openssl genrsa -out myCA.key 2048
Then create the certificate:
openssl req -x509 -new -key myCA.key -out myCA.cer -days 730 -subj /CN="My Custom CA"
The certificate file (myCA.cer) created above can be publicly shared and installed on iOS or other OS’s to act like a built in trusted root CA.
The private key file (myCA.key) is only used when creating new SSL certificates. You can create as many certificates as you like based on this CA certificate.
Create a CSR (Client Signing Request)
First you would create a private key:
openssl genrsa -out mycert1.key 2048
and then create the CSR:
openssl req -new -out mycert1.req -key mycert1.key -subj /CN=www2.mysite.com
Then use the CSR to create the certificate:
openssl x509 -req -in mycert1.req -out mycert1.cer -CAkey myCA.key -CA myCA.cer -days 365 -CAcreateserial -CAserial serial
The certificate created (mycert.cer) can be installed on a web server and
accessed from any iOS device that already has the CA certificate
installed.
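The host name mismatch named at the top of this answer can be checked with openssl before a device is involved. The script below is an added example, not part of the answer or the quoted article: it follows the quoted commands, additionally writes the host name into a subjectAltName extension (current TLS clients, iOS included, match the host name against that extension rather than the CN), and the function name and the host names `WIN-IIS01` and `myapp.example.test` are constructed.

```bash
set -eu

# Issue a certificate for host $1 from a fresh CA in directory $3, then check
# it the way a client connecting to host $2 would. Prints trusted/rejected.
issue_and_verify() {
    local issued_for=$1 connects_to=$2 d=$3

    # CA key and root certificate (myCA.cer is the file installed on devices).
    openssl genrsa -out "$d/myCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/myCA.key" -out "$d/myCA.cer" -days 730 \
        -subj "/CN=My Custom CA"

    # Server key and CSR.
    openssl genrsa -out "$d/mycert1.key" 2048 2>/dev/null
    openssl req -new -key "$d/mycert1.key" -out "$d/mycert1.req" \
        -subj "/CN=$issued_for"

    # Addition to the quoted commands: carry the host name in subjectAltName.
    printf 'subjectAltName=DNS:%s\n' "$issued_for" > "$d/san.ext"
    openssl x509 -req -in "$d/mycert1.req" -out "$d/mycert1.cer" -days 365 \
        -CA "$d/myCA.cer" -CAkey "$d/myCA.key" -CAcreateserial \
        -CAserial "$d/serial" -extfile "$d/san.ext" 2>/dev/null

    # Chain check against the custom root plus host name check.
    if openssl verify -CAfile "$d/myCA.cer" -verify_hostname "$connects_to" \
        "$d/mycert1.cer" >/dev/null 2>&1
    then echo trusted
    else echo rejected
    fi
}

dir=$(mktemp -d)
# Certificate issued for the name clients actually connect to.
echo "host name:    $(issue_and_verify www2.mysite.com www2.mysite.com "$dir")"
# Certificate issued for the machine name while clients use the site name:
# the chain is valid, the name is not.
echo "machine name: $(issue_and_verify WIN-IIS01 myapp.example.test "$dir")"
rm -rf "$dir"
```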
I am using ruby 2.0.0, rails 3.2.6 and running my project in EC2 server.
Now I want to generate ssl certificate to my project.
Where can I find the certificate and how should I include it in my project? Can anyone guide me?
Now I want to generate ssl certificate to my project.
I am presuming that you are talking about creating a self-signed certificate. Follow these steps to generate a self-signed certificate:
Generate a Private key and CSR: openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem
Above command will create your private key key.pem and a CSR req.pem
Generate a self-signed Cert: openssl x509 -req -days 365 -in req.pem -signkey key.pem -out cert.pem
Above command will use key.pem and req.pem and will create certificate cert.pem.
You have to follow the prompts given by above commands and provide answers accordingly.
If you do not want a self-signed certificate, then you need to buy an SSL certificate from a vendor. There are numerous companies which provide SSL certificates. You need to create a private key and a CSR (certificate signing request). You can follow the 1st command above to achieve this. Once done, you have to provide the CSR to the SSL vendor who will get you the certificate.
There are a lot of details around this process. Please check http://www.sslshopper.com/ for more information around SSL.
how should I include into my project
Please check the links below:
http://www.buildingwebapps.com/articles/79189-using-ssl-in-rails-applications
How to include SSL Certificate in Rails 3 project
I am working on an application where I will retrieve a public key for a user from our server. Once I have it, I need to do a RSA encryption using the public key. The public key obtained from the server is Base64 encoded.
How do I load the public key into the iOS KeyChain so that I can perform RSA cryptographic functions with it? Certificate loading seems to be trivial, but raw public keys don't.
This is not supported because it is the "wrong" way.
The "right" way is to use a certificate.
To quote "Quinn The Eskimo!".
This is surprisingly easy. You don't need to add the certificate to the keychain to handle this case. Rather, just load the certificate data (that is, the contents of a .cer file) in your application (you can either get this from your bundle or off the network) and then create a certificate ref using SecCertificateCreateWithData. From there you can extract a public key ref using a SecTrust object (SecTrustCreateWithCertificates, SecTrustEvaluate -- you can choose to ignore the resulting SecTrustResultType -- and SecTrustCopyPublicKey). And from there you can encrypt and verify using the SecKey APIs (SecKeyEncrypt, SecKeyRawVerify).
A tutorial on how to create a self-signed certificate is here.
The basic steps are:
#Make the -----RSA PRIVATE KEY----- file in PEM format
openssl genrsa -out privKey.pem 2048
#Make the -----CERTIFICATE REQUEST-----
openssl req -new -key privKey.pem -out certReq.pem
#Make the actual -----CERTIFICATE-----
openssl x509 -req -days 30 -in certReq.pem -signkey privKey.pem -out certificate.pem
#Make the DER certificate.cer file from the certificate.pem
openssl x509 -outform der -in certificate.pem -out certificate.cer
If you double click that .cer on a Mac machine, it will offer to import it into keychain.
Resources:
How to generate self signed certificates
Common SSL commands
The usual way of transporting a public key -is- inside a certificate, signed by some CA to prove that it is authentic.
Or maybe you are talking about an ssh public key?
In that case you would need a special ssh-capable app to use it; these keys are usually not stored in the iOS keychain.
I found the necessary code on the Apple Site describing how to strip the ASN.1 header from the Public Key and load it into the KeyChain.