We have a BlackBerry app that accesses a secure web service that uses an SSL certificate that is not installed on some BlackBerry OS5 devices. This is causing problems for users of our apps, who see this message:
"You are attempting to open a secure connection, but the server's certificate is not trusted."
We can install the cert manually by this method
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO4477&actp=search&viewlocale=en_US&searchid=1328216150785
but this is obviously not a good solution for our customers.
Is there a way to package & install the required cert with the app? This cert works fine with iOS, Android, IE, Firefox & Chrome.
You can include the X509 cert in the code bundle as a resource and put it in the key store. But the user will have to manually go into their certificate store and trust it. If the user has not previously used the certificate store, this will have the unfortunate side effect of forcing them to pick a password at that point.
The following code will read a certificate from a resource file in PEM format but with the -----BEGIN/END CERTIFICATE----- lines removed. I have used all the elements of this code, but not in this exact configuration. If there are any problems with it I would be happy to try to sort them out.
The certificate won't be trusted, so the user will have to manually go into the certificate store application under device Options and "Trust" the certificate. Make sure they understand that they cannot revoke the certificate. That operation cannot be undone on the device without wiping and re-installing the OS. The only other option is to re-issue a new certificate.
If anyone knows how to get around these finicky bits, let me know and I will include the solution in this code, or link to wherever it exists now.
import java.io.IOException;
import java.io.InputStream;

import net.rim.device.api.crypto.CryptoException;
import net.rim.device.api.crypto.certificate.CertificateException;
import net.rim.device.api.crypto.certificate.CertificateStatus;
import net.rim.device.api.crypto.certificate.x509.X509Certificate;
import net.rim.device.api.crypto.keystore.DeviceKeyStore;
import net.rim.device.api.crypto.keystore.KeyStore;
import net.rim.device.api.io.Base64InputStream;

public class CertificateInstaller {

    private X509Certificate _x509;

    // Reads /certificate.pem from the application's resources and adds it to the
    // device key store. The resource holds only the Base64 body of the PEM file,
    // without the -----BEGIN/END CERTIFICATE----- lines.
    public void installCertificate() {
        try {
            // Get an input stream for the certificate in a resource file
            InputStream rs = getClass().getResourceAsStream("/certificate.pem");
            // PEM format is Base64 encoded
            Base64InputStream b64is = new Base64InputStream(rs);
            // Create the X509 certificate
            _x509 = new X509Certificate(b64is);
            // Clean up.
            b64is.close();
            rs.close();

            // If the certificate is self-signed this performs a verification
            // check. For a certificate that is not self-signed, one could
            // provide the signer's certificate in another resource file and
            // validate with that public key. Other versions of verify() check
            // against a certificate in a keystore, but then we wouldn't need
            // to do all this.
            _x509.verify(_x509.getPublicKey());
            System.out.println(_x509.getSubjectFriendlyName());
            System.out.println(Integer.toHexString(_x509.hashCode()));

            // Add the certificate to the DeviceKeyStore.
            KeyStore ks = DeviceKeyStore.getInstance();
            // Associated data is set to null, but can be used if there is
            // associated data known. You can use _x509.getStatus() instead of
            // hard-coding the GOOD constant, but if the device cannot find a
            // revocation or validation list it will set the status to UNKNOWN,
            // which will confuse users. ks.getTicket() prompts the user for
            // permission for the program to access the key store. This may also
            // cause the system to ask the user to set a password; unfortunately
            // I can't remember, but I don't think it will if there is no
            // private key in the certificate.
            ks.set(null, _x509.getSubjectFriendlyName(), _x509, CertificateStatus.GOOD,
                    ks.getTicket());
        } catch (CertificateException ce) {
            System.out.println(ce.toString());
        } catch (CryptoException crypt) {
            System.out.println(crypt);
        } catch (IOException ioe) {
            System.out.println(ioe.toString());
        }
    }
}
After downloading my certificate from the Apple developer portal, I successfully create a p12 file, but whenever I try to create a platform application on AWS and enter the certificate password, I just keep getting the error below.
"There was an error reading the selected certificate. Verify the password and try again."
I have tried with short and no passwords but nothing seems to accept the password.
Any ideas?
I was able to make this work, by doing the following:
Delete all old keys related to previous attempts in your Keychain > login (macos)
Request a new certificate from Request Certificate from Authority. Make sure no keys are selected when you execute this function.
I chose a single word in lowercase for Common name.
Add certificate to Apple Developer Portal
Download the CSR
Double click on the CSR to import the keys into your Keychain.
Your private key should have a dropdown with the certificate listed. My previous attempts did not have this. Export the p12.
The p12 worked in AWS SNS when entering the password, the public and private keys were extracted from the p12.
I generate a .certSigningRequest file via Keychain Access (Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority..., I fill in my email and save it to disk).
When I log into my Apple developer account and try to generate a certificate with it, I get the message: "Invalid CSR - Invalid Certificate"
I did this number of times previously with my previous Mac but it is not working on my new system.
What am I doing wrong? I have followed exact steps https://help.apple.com/developer-account/#/devbfa00fef7
I think this is an Apple error. You just need to refresh the website again and again, or use another browser.
I just forgot to input 'Common Name' in the Certificate Assistant form.
So, make sure you filled in:
User Email Address
Common Name
'Saved to disk' checked
I have a few questions regarding the identity certificate in the profile payload.
Forgive my ignorance if some questions are basic.
1.) I found that we can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key will be known only to the device. So in case I am going to implement a SCEP server, do I need to maintain a list of public keys of identity certificates mapped to devices, so that I can use them later for encrypting?
2.) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?
3.) What if the identity certificate is expired?
As a basic version, while playing around, I tried to add my own p12 certificate to the payload without using SCEP.
I tried to add the base64-encoded p12 certificate in the identity PayloadContent key, as mentioned in some linked reference. I got an error
The identity certificate for “Test MDM Profile” could not be found
while installing profile.
require 'base64'

identity_payload = {}
identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
identity_payload['PayloadVersion'] = 1
identity_payload['PayloadContent'] = Base64.encode64(File.read("identity.p12"))
identity_payload['Password'] = 'p12Secret'
When I checked the 'Configuration Profile Key Reference', it was mentioned that I should send the binary representation of the payload as Data.
So I tried,
identity_payload['PayloadContent'] = ConvertToBinary(File.read "identity.p12")
I got,
The password for the certificate “IdentityCertificate” is incorrect
I am supplying the valid password used for exporting the p12 certificate.
What am I doing wrong?
Answering your question:
1) Do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?
Yes. You need some kind of mapping. You can do it a couple of ways:
Just store in a DB a mapping between certificate common name and device UDID.
Make CN contain UDID (I like this method, because it simplifies initial checks)
And as you pointed out you will need public key to encrypt payloads for this device.
2) What is the best possible way to implement SCEP server.? Is there any reliable robust methods available to adopt it instead of writing everything on our own?
There are open source implementations of SCEP. As an example, jSCEP has one (I used it) and EJBCA has one (I used it too). I saw other implementations (in Ruby and so on). So you can find and choose something which works with your stack.
3) You need to renew the identity certificate before it expires (the same way as for any other certificate).
4) If your profile doesn't work, I would recommend that you create the same profile in iPhone Configuration Utility and compare it with yours. Most of the time you missed just one tag or something like that (it will take a lot of time to figure it out without comparing it with a working one).
I'm configuring stuff on the provisioning portal for a new app which will use APNS.
When I went to configure the App ID for pushes, the web site popped up a dialog saying I had to use Keychain Access and request a certificate from a CA.
However, this is a step I've already been through with a previous app, so is there any need to do so again? If there's no need, is it still a good idea, and if so, why?
If there's no need to generate a CSR again: I no longer have the CSR file from before, so is there any way to recover it?
Certificates belong to hostnames.
If the hostname is the same, yes you can.
If it is a subdomain, and the certificate is a wildcard, yes you can.
If the hostname is different, you can generate a new CSR and apply for your new certificate.
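Two of the threads above turn on the same artifact, a CSR produced by Keychain Access: the "Invalid CSR" error that went away once a Common Name was entered, and the question of whether a CSR has to be generated again (and whether a lost one can be recovered). The following is an added example, not code from either thread, that builds a CSR with Ruby's OpenSSL bindings in the same shape Keychain Access produces (emailAddress and CN in the subject, signed with the requester's private key), runs the checks worth doing offline before uploading (signature verifies, CN present, email present), and shows that two CSRs made from the same key carry the same public key, so the thing to keep is the private key in the keychain, not the CSR file. The function names, the email address and the common name are made up for the example.

```ruby
require 'openssl'

# Build a CSR the way Keychain Access does: subject carries emailAddress and CN,
# signed with the requester's private key. common_name: nil reproduces the
# "forgot the Common Name" case from the thread above.
def build_csr(key, email:, common_name:)
  req = OpenSSL::X509::Request.new
  req.version = 0                                   # PKCS#10 version 1 is encoded as 0
  rdns = [['emailAddress', email]]
  rdns << ['CN', common_name] if common_name && !common_name.empty?
  req.subject = OpenSSL::X509::Name.new(rdns)
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Offline sanity checks on a PEM CSR before uploading it to a portal.
# Returns a list of problems; an empty list means the CSR is well-formed.
def csr_problems(pem)
  req = OpenSSL::X509::Request.new(pem)
  problems = []
  # The CSR is self-signed with the key whose public half it carries.
  problems << 'signature does not verify with embedded public key' unless req.verify(req.public_key)
  fields = req.subject.to_a.to_h { |name, value, _type| [name, value] }
  problems << 'subject has no Common Name (CN)' if fields['CN'].to_s.empty?
  problems << 'subject has no emailAddress' if fields['emailAddress'].to_s.empty?
  problems
end

# A CSR is derived from the private key; regenerating one from the same key
# produces a request for the same public key, so a lost CSR file is not a loss
# as long as the key is still in the keychain.
def same_key?(pem_a, pem_b)
  a = OpenSSL::X509::Request.new(pem_a).public_key.to_der
  b = OpenSSL::X509::Request.new(pem_b).public_key.to_der
  a == b
end

if __FILE__ == $PROGRAM_NAME
  key  = OpenSSL::PKey::RSA.new(2048)               # constructed key, stands in for the keychain entry
  good = build_csr(key, email: 'dev@example.com', common_name: 'pushcert').to_pem
  bad  = build_csr(key, email: 'dev@example.com', common_name: nil).to_pem
  puts "good: #{csr_problems(good).inspect}"
  puts "bad:  #{csr_problems(bad).inspect}"
  puts "same key: #{same_key?(good, bad)}"
end
```

`csr_problems` only checks structure; whether a particular portal accepts a CSR also depends on what it does with the subject, which the checks above cannot see.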
I am working on an Apple MDM server, and it is actually working fine. I have a signature problem that makes the client complain about the certificate, so now I am interested in how others sign their configuration profiles.
I use Java, but any kind of help is welcome, since this is not a particular question on how to implement the code in Java, but more on how to correctly sign the configuration profile.
This is how we do it currently:
import java.security.KeyPair;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Hashtable;

import javax.servlet.http.HttpServletResponse;

import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Signs the profile bytes as attached CMS SignedData using the older
// Bouncy Castle CMS API and writes it out as a configuration profile.
void sendSignedProfile(byte[] data, X509Certificate cert, KeyPair keyPair,
                       HttpServletResponse response) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    // Empty table: no extra signed attributes; null: no unsigned attributes.
    gen.addSigner(keyPair.getPrivate(), cert, CMSSignedGenerator.DIGEST_SHA1,
            new AttributeTable(new Hashtable<DERObjectIdentifier, Attribute>()), null);
    // true = encapsulate the profile inside the signature (attached signature).
    CMSSignedData signedData = gen.generate(new CMSProcessableByteArray(data), true, "BC");
    response.setContentType("application/x-apple-aspen-config");
    response.getOutputStream().write(signedData.getEncoded());
}
We are using a self-signed certificate created with the algorithm SHA1withRSA, and the key is RSA with size 2048.
Does anyone see a problem with this way of doing it, or are you just doing it differently in a way that makes it work?
And please feel free to post code in other languages than java - it might still help.
I did two things to fix this.
First, I changed the certificate to X.509 v3 - it was v1. Then I added KeyUsage and BasicConstraints to make iOS accept it as trusted.
The second thing I did was to add the certificate itself as a CertStore.
These two steps make the certificate similar to the certificate iPhone Configuration Utility uses.
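The last three threads describe one pipeline from different ends: a PKCS12 that has to open with its password and contain the matching private key (the AWS SNS question), an identity payload whose PayloadContent is a `<data>` element holding the raw PKCS12 and whose CN can carry the device UDID (the MDM profile question and its answer), and a profile that has to be signed with a v3 certificate carrying KeyUsage and BasicConstraints, with the certificate embedded in the signature (this question and its answer). The following is an added end-to-end example in Ruby using only its OpenSSL bindings; it is not any poster's code and stands in for the Java/Bouncy Castle code above. The UDID, password, UUID, function names and the hand-built plist fragment are constructed for the example; a real server would emit a full plist through a plist library.

```ruby
require 'openssl'

# Self-signed X.509 v3 certificate with the given extensions ([oid, value, critical]
# triples). Used below for both the device identity cert and the signing cert.
def make_cert(key, common_name, extensions)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # zero-based, so 2 is X.509 v3 (a v1 cert is 0)
  cert.serial = OpenSSL::BN.new(rand(1..2**62))
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  extensions.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Device identity: CN carries the UDID, key and certificate travel together in a
# password-protected PKCS12 (a p12 without its private key is useless to the device).
def identity_pkcs12(udid, password)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = make_cert(key, udid, [['keyUsage', 'digitalSignature,keyEncipherment', true]])
  OpenSSL::PKCS12.create(password, "identity-#{udid}", key, cert).to_der
end

# com.apple.security.pkcs12 payload as an XML plist fragment (hand-built here; use a
# plist library in real code). PayloadContent is a <data> element: base64 text in
# the XML that decodes to the raw PKCS12 DER, and Password is the PKCS12 password.
def pkcs12_payload_xml(p12_der, password, uuid)
  <<~XML
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>com.example.identity.#{uuid}</string>
      <key>PayloadUUID</key><string>#{uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>#{[p12_der].pack('m0')}</data>
      <key>Password</key><string>#{password}</string>
    </dict>
  XML
end

# What the device has to do on install: decode <data>, open the PKCS12 with Password
# (a wrong password raises OpenSSL::PKCS12::PKCS12Error), check that the key matches
# the certificate, and read the UDID back out of the CN.
def udid_from_payload(xml, password)
  b64 = xml[%r{<key>PayloadContent</key>\s*<data>([^<]*)</data>}, 1]
  p12 = OpenSSL::PKCS12.new(b64.unpack1('m'), password)
  raise 'private key does not match certificate' unless p12.certificate.check_private_key(p12.key)
  p12.certificate.subject.to_a.find { |name, _, _| name == 'CN' }[1]
end

# Profile signer: v3 with BasicConstraints and KeyUsage, the two extensions the fix
# above added. A v1 certificate has no extensions field at all.
def signing_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = make_cert(key, 'MDM Profile Signer',
                   [['basicConstraints', 'CA:TRUE', true],
                    ['keyUsage', 'digitalSignature,keyCertSign', true]])
  [key, cert]
end

# Attached CMS/PKCS#7 SignedData over the profile. The signer certificate is embedded
# in the SignedData (OpenSSL adds it unless NOCERTS is set); `chain` is where any
# intermediates go so the client can build the path without fetching anything.
def sign_profile(profile_xml, key, cert, chain = [])
  OpenSSL::PKCS7.sign(cert, key, profile_xml, chain, OpenSSL::PKCS7::BINARY).to_der
end

# Verify against a trust store holding the signer; returns the profile bytes or nil.
def verify_profile(signed_der, trusted_cert)
  p7 = OpenSSL::PKCS7.new(signed_der)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  p7.verify([], store, nil, OpenSSL::PKCS7::BINARY) ? p7.data : nil
end

if __FILE__ == $PROGRAM_NAME
  udid = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'        # constructed sample UDID
  payload = pkcs12_payload_xml(identity_pkcs12(udid, 'p12Secret'), 'p12Secret', 'RANDOM-UUID-STRING')
  puts "UDID from payload: #{udid_from_payload(payload, 'p12Secret')}"
  key, cert = signing_cert
  signed = sign_profile(payload, key, cert)                  # serve as application/x-apple-aspen-config
  puts "signed profile verifies: #{!verify_profile(signed, cert).nil?}"
end
```

The signed DER from `sign_profile` is what goes on the wire with the `application/x-apple-aspen-config` content type; `verify_profile` is only there to show the check a client performs, which is why it fails against any certificate other than the one that signed.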