
I already found a thread with a similar topic but I wasn't able to solve my problem this way, so I hope I get help here.

I'm trying to sign an iPhone config profile with my server's SSL certificate on Mac OS X:

openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile ca.crt -outform der -nodetach

Unfortunately I get the following error

unable to load certificate

I don't know what I'm doing wrong - I use the following certs:

server.crt:

-----BEGIN CERTIFICATE-----
MIIHV.....
-----END CERTIFICATE-----

server.key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC, .....

sHK1......
-----END RSA PRIVATE KEY-----

ca.crt: from http://www.startssl.com/certs/

All certificates are in the same folder 'iphone' I changed to with

cd /Volumes/Daten/.../iphone

So now I'm on

localhost:iphone Stefan$

Many thanks for your help in advance!

Regards Stefan

  • *"[sign iPhone config]... with my servers SSL certificate on Mac OS X"* - this may not work. I think it depends on the Key Usage, Extended Key Usage and perhaps a Policy OID. I don't think a server certificate used for server authentication will have the proper bits set. But then again, I've never seen the Key Usage/Extended Key Usage/Policy OID Apple uses for the purpose. – jww Feb 21 '15 at 14:08
  • I got this information from http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html and understood it the way I wrote it. Or was I wrong with this interpretation? – alve89 Feb 21 '15 at 14:18
  • I don't know if it will work (or not). I don't know if you are correct (or not). I do know a little bit about PKI, and a server certificate is an end entity certificate used for authentication. So it should not be able to sign other certificates or provisioning profiles. If it's allowed, then it's yet another Apple security bug. – jww Feb 21 '15 at 14:21

2 Answers


The answer is:

openssl smime -sign -signer cert.pem -inkey key.pem -certfile ca-bundle.pem -nodetach -outform der -in profile-uns.mobileconfig -out profile-sig.mobileconfig

where ca-bundle.pem is the certificate chain of the CA.

alve89

Let's imagine that you are using Let's Encrypt; you might get certificate.pem, privatekey.pem, chain.pem, fullchain.pem.

-signer should be certificate.pem which is the certificate of the server.

-inkey should be private.key of the server.

-certfile should be fullchain.pem

chain.pem is the certificate chain including the CA root but without certificate.pem, while fullchain.pem includes everything.

Nick Dong