On changing the SCEP identity certificate's signing algorithm - iOS

We are using SCEP for distributing device identity certificates.
And we are now planning to use SHA-2 family signing to replace the SHA-1 signing which we are currently using for the certificate.
Now the question is that there are already many devices with the SHA-1 certificate installed.
I would like to know how the existing certificate will be affected.
Will users need to re-enroll their devices again?
Or can we issue an update command (or something like that) and automatically replace the existing identity certificate?
Any help is appreciated.
Thanks in advance.

You'll have to re-enroll all the devices that are using the old certificate.
Recently, I renewed the signing certificate for the MDM enrollment profile, for which I had to re-enroll the devices so that they use the profile with the new signing certificate.
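As an added example (not part of the original question or answer), the following Python script reads the outer signatureAlgorithm of a DER-encoded certificate so an operator can list which enrolled devices still carry SHA-1-signed identity certificates and therefore must be re-enrolled; the two sample certificates are constructed placeholders, not real device certificates, and no signature is verified.

```python
"""Added example, not from the original thread: name the signature algorithm
of a DER X.509 certificate so devices still holding SHA-1-signed SCEP identity
certificates can be listed. Only the outer signatureAlgorithm field is parsed."""

SIG_OIDS = {  # dotted OID -> algorithm name (RFC 3279, RFC 4055, RFC 5758)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets to dotted form; first octet packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Name of the outer signatureAlgorithm of a DER Certificate (unverified)."""
    _, cert, _ = _read_tlv(cert_der, 0)  # Certificate SEQUENCE (tag 0x30)
    _, _, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)     # its first element is the OID (tag 0x06)
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, "unknown:" + dotted)

def needs_reenroll(cert_der):
    """True when the device certificate is still signed with SHA-1."""
    return "sha1" in signature_algorithm(cert_der).lower()

# Constructed stand-in certificates (not real): placeholder tbsCertificate and
# signature bits around a genuine AlgorithmIdentifier for each algorithm.
def _sample(oid_octets):
    alg = b"\x06" + bytes([len(oid_octets)]) + oid_octets + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x01" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x03\x00\xab\xcd"
    return b"\x30" + bytes([len(body)]) + body

SHA1_CERT = _sample(bytes.fromhex("2A864886F70D010105"))    # sha1WithRSAEncryption
SHA256_CERT = _sample(bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption
```

Feed it the DER certificates exported from the MDM inventory (PEM files need base64-decoding first) and re-enroll every device for which needs_reenroll returns True.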

Related

About distribution certificate (with private key) in keychain

I understand that in iOS app development, for team collaboration, the leaving developer should export the distribution certificate from his Keychain app because only his MacBook has the private key used as the code signing identity. (Please correct me if I am wrong here.)
My questions are:
1. Am I right that the distribution provisioning profile for the App Store & the provisioning profile for ad-hoc distribution use the same code signing identity?
2. Am I right that if we lost contact with the leaving developer who has distributed the app to the App Store, I can just delete the distribution certificate & corresponding distribution provisioning profile in the Apple Developer account, and create a new distribution certificate & profile on my MacBook so that I have the new signing identity in my keychain? I don't need the leaving developer to export his, because the distribution certificate & profile are only used to distribute the app to the App Store or do ad-hoc distribution? Is there any harmful consequence I missed if I do so?
For question 1
Yes, the distribution certificate is used for uploading the app to the App Store, and the development certificate for running on a device or sending a build.
For question 2
Yes, you can simply revoke his certificate and create a new one. That way your previous developer's certificates are not required. Moreover, he won't be able to use them anymore, and you can create a new one and keep your certificates on the Apple Developer account clean.
Hope it clears your doubt.

Renew Apple developer certificate

I am just about a week away from the expiration of the Apple developer certificate. Accidentally I lost the CSR file which I used when I created the last certificate, which I am currently using.
Could you please let me know what issues I may face if I go with another CSR for the new certificate?
Note:
Without the CSR, you will be able to work with the existing certificate, but once it expires, you must create a new one, and you can use/create a new CSR if the previous one is lost.
Updating your certificate will not impact your distributed build in the public environment (Apple App Store). But of course it won't allow you to distribute your new build with an invalid/expired certificate.
Here is an instruction from the Apple Developer Documentation for Code Signing Identity, which says:
If you lose control of your Apple-issued signing identity, such as your Developer ID or Mac App Distribution identity, report this to Apple immediately. Apple will invalidate the old identity and help you to replace it. While this seems like a bit of work, it is critical, because anyone possessing your identity can distribute potentially malicious or destructive code that looks like it came from you.
This may also help you.
No Code Signing Identities Found
Xcode detects when you’re missing a signing identity. Typically, this happens when you move from one Mac to another. Follow the steps in Creating the Team Provisioning Profile to create your signing identity and add it to the team provisioning profile. You’ll have the option of importing your signing identity from another Mac or resetting it. If you use a custom development provisioning profile that you manage yourself, it becomes invalid after revoking the development certificate. Read Editing Provisioning Profiles in Your Developer Account to regenerate it.
To avoid this problem, export your certificates as a developer profile file on the other Mac, and then import them on your new Mac, as described in Exporting and Importing Certificates and Profiles.
As per Apple documentation, the .CSR is used in combination with your App ID, provisioning profile and entitlements. So, if someone has both (App ID and provisioning profile) it will be harmful to you.
.CSR explanation

Auto revocation of distribution certificate

My role is Member in the Apple Developer Program.
I had been given a distribution certificate and an ad hoc provisioning profile.
I released the app, but later on the certificate was revoked.
I am wondering what would have caused this?
As far as I know, development certificates can be created and removed by a person who has the Member role as well, which is me.
Sometimes, if Xcode auto-creates a certificate, it might revoke the existing certificate and add the new one.
But in my case it's not the development certificate that got revoked but the distribution certificate.
A person with Member access can submit a CSR for distribution but cannot add a new one or revoke an existing one, so auto-revocation of the distribution certificate is not possible.
But I can see a new distribution certificate in Member Center on the same day.
Which makes me think whether somebody revoked it manually and added the new one, or Xcode did it.
Could somebody with experience please clarify this?
Someone has logged into Xcode and run it after that, so it revoked the certificate automatically. Remove the login from Xcode and set the certificate manually in Xcode.

How can I obtain a code signing certificate for iOS mobile config profiles

I am creating an iOS mobile config profile and I am pushing the mobile config profile via MDM. In my case I am not using a SCEP server for profile management. I simply create the mobile config profile using "iPhone Configuration Utility" and use the same for mobile settings.
I have created a self-signed code signing certificate. Using my self-signed code signing certificate I signed mobile config profiles as mentioned here. But for this I have to include my root certificate along with the profile.
I want to obtain a code signing certificate from a trusted vendor. What kind of code signing certificate do I want to purchase? If I purchase an Apple code signing certificate, will this help to sign mobile config profiles? Refer
Several notes:
In my case i am not using SCEP server for profile management.
A SCEP server isn't used for profile management. It's used for identity management. You use either a SCEP server or PKCS12 whenever you need to authenticate a device (for example for Wi-Fi, VPN auth or for MDM bootstrapping, explained here - http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html)
I want to obtain code signing certificate from a trusted vendor. What kind of code signing certificate i want to purchase. If i purchase Apple code signing certificate, will this help to sign mobile config profiles.
As I remember, you need any SSL certificate. Quite often you both protect communication with your MDM server using it and sign all profiles using it. So, there are no additional requirements for it (on top of the usual requirements for an SSL certificate).
Surely, you need to check whether the certificate authority which issues this certificate is preinstalled on iOS devices.
Take a look here: http://support.apple.com/kb/ht5012

The identity certificate for mdm profile could not be found

I was trying to develop an MDM solution for iOS and I would like to test MDM with both methods of distributing the device identity, via PKCS12 and SCEP. Currently I am doing it using PKCS12, so here is what I am doing:
1. Send a Profile Service profile to the device asking for its device ID, IMEI, version etc.
2. The device responds with the requested attributes, signed using the Apple-provided certificate.
3. I now issue a PKCS12 certificate to the device using the credentials payload.
4. The device responds again with its attributes, this time signed using the above certificate.
5. I deliver an MDM payload setting the IdentityCertificateUUID to the payload UUID of the certificate issued in step 3.
I get "profile could not be installed". Upon examining the logs, I found the error "The identity certificate for mdm profile com.mdm.xyz could not be found."
If at step 5 I issue the MDM profile with a new certificate included in the payload, everything works. I am not sure if this is the right way to issue another certificate. I was thinking of utilizing the same certificate issued at step 3.
I think I am doing something wrong here and this may not be the correct way. Any help would be much appreciated. Thanks.
You can pass in step 5 the same certificate that you use in step 3. In that case the MDM profile is installed successfully.
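As an added example (not code from the original question or answer), the following Python builds the step-5 MDM profile with the same PKCS12 identity payload embedded and IdentityCertificateUUID pointing at that payload's PayloadUUID, then lints a profile for the dangling reference that produces the "could not be found" error above; the server URL, topic, payload identifiers and PKCS12 bytes are constructed placeholders.

```python
"""Added example, not from the original thread: build the step-5 MDM profile
with the PKCS12 identity embedded and IdentityCertificateUUID pointing at it,
then lint for the dangling reference behind the 'could not be found' error."""
import plistlib
import uuid

PKCS12_TYPE = "com.apple.security.pkcs12"

def build_mdm_profile(p12_bytes, p12_password, server_url, topic, ident="com.example.mdm"):
    """Return the profile dict; server_url, topic and ident are placeholders."""
    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {                         # same PKCS12 as delivered in step 3
        "PayloadType": PKCS12_TYPE,
        "PayloadIdentifier": ident + ".identity",
        "PayloadUUID": cert_uuid,
        "PayloadVersion": 1,
        "PayloadContent": p12_bytes,         # plistlib emits bytes as <data>
        "Password": p12_password,
    }
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": ident + ".mdm",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ServerURL": server_url + "/mdm",
        "CheckInURL": server_url + "/checkin",
        "Topic": topic,
        "AccessRights": 8191,                # all rights; tighten for production
        "IdentityCertificateUUID": cert_uuid,  # must name a payload in THIS profile
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [cert_payload, mdm_payload],
    }

def dangling_identity_refs(profile):
    """Identifiers of MDM payloads whose IdentityCertificateUUID matches no PKCS12 payload."""
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] == PKCS12_TYPE}
    return [p["PayloadIdentifier"] for p in profile["PayloadContent"]
            if p["PayloadType"] == "com.apple.mdm"
            and p.get("IdentityCertificateUUID") not in cert_uuids]

def to_mobileconfig(profile):
    """XML plist bytes as sent to the device (signing is a separate step)."""
    return plistlib.dumps(profile)
```

Run dangling_identity_refs on any profile before pushing it; a non-empty list means the device will reject the profile with exactly the error quoted in the question.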
