What's the role of the password in Certificates.p12 file for iOS push notification - ios

For implementing push services for iOS apps, we need to export push certificates from Keychain Access as a Certificates.p12 file and upload that to the APN server. While exporting, it asks for a password. What is the difference between a Certificate.p12 file exported with a password and one exported with a blank password? Cloud services like parse.com which support push messages do not accept a .p12 file exported with a password. When we are coding our own APN server, should we use a .p12 file exported with a password or without one? For me, with a p12 file exported without a password, I get an "UnrecoverableKeyException: Get Key failed" error.
Thanks in advance for your help.

The answer is simple; I will explain with an example.
Consider your p12 file as an ATM card (debit/credit card) and think: if you don't have a password for it, what happens if someone gets your card?
Same here: if you don't password-protect that p12, anyone who has that p12 file can send (malicious) push notifications to your apps using it.

The p12 file is an encrypted container for your X.509 Push Notification Certificate and its corresponding private key. Because nobody should be able to use your certificate/private key for malicious purposes, it is strongly recommended that you protect your p12 file with a password. Otherwise, anybody who gets your p12 file will be able to communicate with Apple's Push Servers using your developer identity (which is defined by the certificate).

Related

iOS AWS SNS Create platform application fail with error "There was an error reading the selected certificate."

After downloading my certificate from the Apple developer portal, I successfully create a p12 file, but whenever I try to create a platform application on AWS and enter the certificate password, I just keep getting the error below.
There was an error reading the selected certificate. Verify the password and try again.
I have tried with short and no passwords, but nothing seems to accept the password.
Any ideas?
I was able to make this work by doing the following:
Delete all old keys related to previous attempts in your Keychain > login (macOS).
Request a new certificate via Request a Certificate From a Certificate Authority. Make sure no keys are selected when you execute this function.
I chose a single word in lowercase for Common Name.
Add the certificate to the Apple Developer Portal.
Download the CSR.
Double-click on the CSR to import the keys into your Keychain.
Your private key should have a dropdown with the certificate listed. My previous attempts did not have this. Export the p12.
The p12 worked in AWS SNS when entering the password; the public and private keys were extracted from the p12.

Invalid certificate (CSR)

I generate a .certSigningRequest file via Keychain Access (Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority..., I fill in my mail and save it to disk).
When I log into my Apple developer account and try to generate a certificate with it, I get the message: "Invalid CSR - Invalid Certificate"
I did this a number of times previously with my previous Mac, but it is not working on my new system.
What am I doing wrong? I have followed the exact steps at https://help.apple.com/developer-account/#/devbfa00fef7
I think this is an Apple error. You just need to refresh the website again and again, or use another browser.
I just forgot to input 'Common Name' in the Certificate Assistant form.
So, make sure you filled in:
User Email Address
Common Name
Saved to disk (checked)

UIWebView access to an installed certificate (.p12 file)

I have an app that contains a UIWebView, and I need to authenticate the user with the correct certificate.
Is it possible to get access to an imported/installed certificate in the keychain? I didn't find anything similar to my problem.

Identity certificate - IOS MDM

I have a few questions regarding the identity certificate in the profile payload.
Forgive my ignorance if some questions are basic.
1.) I found that we can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key will be known only to the device. So, in case I am going to implement a SCEP server, do I need to maintain a list of the public keys of the identity certificates mapped to the devices, so that I can use it later for encrypting?
2.) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?
3.) What if the identity certificate has expired?
As a basic version while playing around, I tried to add my own p12 certificate to the payload without using SCEP.
I tried to add the base64-encoded p12 certificate in the identity PayloadContent key, as mentioned in some linked reference. I got an error
The identity certificate for “Test MDM Profile” could not be found
while installing profile.
require 'base64'

identity_payload = {}
identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
identity_payload['PayloadVersion'] = 1
# base64 text, i.e. a plist <string> rather than <data>: this is the attempt that failed
identity_payload['PayloadContent'] = Base64.encode64(File.binread("identity.p12"))
identity_payload['Password'] = 'p12Secret'
When I checked the 'Configuration Profile Key Reference', it was mentioned that I should send the binary representation of the payload as Data.
So I tried,
# ConvertToBinary: the poster's own helper, not shown in the question
identity_payload['PayloadContent'] = ConvertToBinary(File.binread("identity.p12"))
I got,
The password for the certificate “IdentityCertificate” is incorrect
I am supplying the valid password used for exporting the p12 certificate.
What am I doing wrong?
Answering your questions:
1) Do I need to maintain a list of the public keys of the identity certificates mapped to the devices, so that I can use it later for encrypting?
Yes. You need some kind of mapping. You can do it in a couple of ways:
Just store in a DB a mapping between the certificate common name and the device UDID.
Make the CN contain the UDID (I like this method, because it simplifies initial checks).
And as you pointed out, you will need the public key to encrypt payloads for this device.
2) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?
There are open source implementations of SCEP. For example, jSCEP has one (I used it) and EJBCA has one (I used it too). I saw other implementations (in Ruby and so on). So you can find and choose something which works with your stack.
3) You need to renew the identity certificate before it expires (the same way as for any other certificate).
4) If your profile doesn't work, I would recommend you create the same profile in iPhone Configuration Utility and compare it with yours. Most of the time, you missed just one tag or something like that (it will take a lot of effort to figure it out without comparing it with a working one).

APNS notifications not reaching devices enrolled in Apple MDM

Apple MDM is used.
It is MDM using APNs.
The Topic of the mobileconfig is the same as the Subject of APSP-XXX.pem.
The device token and PushMagic strings reached the MDM server after the mobileconfig was set up.
I sent a message to the device token using APNs.
It carries the PushMagic string.
Although {"mdm":"xxxxxxxxxxxxx-xxxx-xxxx-xxxx"} is sent via APNs from the MDM server, it does not reach the iPhone.
Why is that?
Follow the MDM_Protocol PDF very carefully.
If you are following this link: http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning
then verify a few things.
Remove the passphrase from customerPrivateKey.pem using this command:
openssl rsa -in customerPrivateKey.pem -out PlainKey.pem
Then merge your APNS certificate (for example CustomerCompanyName.pem), downloaded from the portal https://identity.apple.com/pushcert/, using this command:
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem
Now this PlainCert.pem file can be used in your server as the APNS/MDM certificate.
If there is still an issue, please show your device log here.
The issue may be due to two reasons:
The key and the pem both should be present.
The password used should be the password used while creating the pem.
I made a Python script that does the vendor signing part, so you don't have to use the softhinker Java code.
https://github.com/grinich/mdmvendorsign
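Both the identity-payload problem earlier on this page (PayloadContent has to be plist data, and the Password key has to open the embedded p12) and the APNs answer just above (strip the passphrase from the key, concatenate it with the certificate, and keep the mobileconfig Topic equal to the certificate Subject) can be checked on the server before anything is pushed to a device. The Ruby script below is an added example, not code from any of the posters, from Apple or from the linked projects. It builds a throwaway self-signed identity (an assumption standing in for the real identity.p12 and APSP certificate), and the payload identifier, display name and the UID com.apple.mgmt.External.constructed are made-up values.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed test material (assumption): a self-signed RSA identity standing in
# for the real identity.p12 / APSP certificate. Real MDM identities come from SCEP
# or the Apple push portal; this only gives the checks below something to run on.
def self_signed_identity(name_pairs, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = SecureRandom.random_number(2**62)
  cert.subject    = OpenSSL::X509::Name.new(name_pairs)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# ---- Identity payload for the MDM profile ----------------------------------

def xml_escape(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

def xml_unescape(s)
  s.gsub('&lt;', '<').gsub('&gt;', '>').gsub('&amp;', '&')
end

# PayloadContent is a plist <data> element: the raw PKCS#12 DER, base64-encoded
# inside <data>. A <string> holding base64 text (the question's first attempt) is
# a different plist type and the installer cannot find the identity in it.
# PayloadIdentifier is a required profile key the question's hash did not set;
# the identifier and display name used here are made up.
def pkcs12_payload_xml(p12_der, password, uuid: SecureRandom.uuid.upcase)
  <<~XML
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.identity</string>
      <key>PayloadUUID</key><string>#{uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>IdentityCertificate</string>
      <key>Password</key><string>#{xml_escape(password)}</string>
      <key>PayloadContent</key>
      <data>#{Base64.strict_encode64(p12_der)}</data>
    </dict>
  XML
end

# Pre-flight for "The password for the certificate ... is incorrect": read the
# payload back, open the PKCS#12 with the embedded Password and return the
# certificate CN. Returns nil when the MAC check fails, i.e. the Password in the
# payload is not the one the p12 was exported with.
def identity_payload_cn(xml)
  der = Base64.decode64(xml[%r{<data>(.*?)</data>}m, 1])
  pw  = xml_unescape(xml[%r{<key>Password</key><string>(.*?)</string>}, 1])
  cn  = OpenSSL::PKCS12.new(der, pw).certificate.subject.to_a.find { |n| n[0] == 'CN' }
  cn && cn[1]
rescue OpenSSL::PKCS12::PKCS12Error
  nil
end

# ---- APNs/MDM push certificate bundle --------------------------------------

# Same effect as `openssl rsa -in customerPrivateKey.pem -out PlainKey.pem`:
# decrypt the passphrase-protected key and re-emit it unencrypted. Raises
# OpenSSL::PKey::PKeyError when the passphrase is wrong.
def strip_passphrase(encrypted_key_pem, passphrase)
  OpenSSL::PKey::RSA.new(encrypted_key_pem, passphrase).to_pem
end

# Same effect as `cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem`, plus
# the two checks worth doing before the server loads the file: the key must
# belong to the certificate, and the certificate's Subject UID is the push topic
# that the mobileconfig Topic key has to match exactly.
def build_push_bundle(cert_pem, plain_key_pem)
  bundle = cert_pem + plain_key_pem
  cert = OpenSSL::X509::Certificate.new(bundle[/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m])
  key  = OpenSSL::PKey::RSA.new(bundle[/-----BEGIN (?:RSA )?PRIVATE KEY-----.*?-----END (?:RSA )?PRIVATE KEY-----/m])
  uid  = cert.subject.to_a.find { |n| n[0] == 'UID' }
  { pem: bundle, topic: uid && uid[1], key_matches: cert.check_private_key(key) }
end

if $PROGRAM_NAME == __FILE__
  key, cert = self_signed_identity([['CN', 'IdentityCertificate']])
  p12 = OpenSSL::PKCS12.create('p12Secret', 'IdentityCertificate', key, cert).to_der
  puts identity_payload_cn(pkcs12_payload_xml(p12, 'p12Secret')).inspect # "IdentityCertificate"
  puts identity_payload_cn(pkcs12_payload_xml(p12, 'wrong')).inspect     # nil

  pkey, pcert = self_signed_identity([['UID', 'com.apple.mgmt.External.constructed'], ['CN', 'APSP:constructed']])
  enc  = pkey.export(OpenSSL::Cipher.new('aes-256-cbc'), 'keyPass')
  info = build_push_bundle(pcert.to_pem, strip_passphrase(enc, 'keyPass'))
  puts "topic=#{info[:topic]} key_matches=#{info[:key_matches]}"
end
```

A PKCS12Error from identity_payload_cn is the same failure the device reports at install time, so running it before shipping the profile separates a wrong Password key from a wrong PayloadContent type. For the push side, a false key_matches means the concatenated PlainCert.pem pairs a certificate with somebody else's key, and a topic that differs from the mobileconfig Topic explains pushes that are accepted by APNs but never acted on by the device.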
