Apple MDM vendor CSR signing

Published 2024-12-21 06:14:13  Length 1075  Views 2  Comments 0

I hit 'Invalid Certificate Signing Request' when uploading the plist to https://identity.apple.com/pushcert/ , and below are the steps I used to generate the plist:

  1. As a vendor, create a vendor CSR using Keychain Access on the MacBook, upload it to the Member Center to generate the MDM signing certificate, and export the private key from Keychain Access in p12 format, say vendor.p12
  2. Create the customer CSR using OpenSSL:
    - openssl genrsa -des3 -out customerPrivateKey.pem 2048
    - openssl req -new -key customerPrivateKey.pem -out customer.csr
  3. As a vendor, download the MDM signing certificate and the WWDR intermediate certificate from the provisioning portal, download the Apple root certificate from http://www.apple.com/appleca/AppleIncRootCertificate.cer, then use the command below to convert these three certs to PEM format one by one, which the program reads as the PushCertCertificateChain:
    - openssl x509 -inform der -in AppleWWDRCA.cer -out chain.pem
  4. As a vendor, following the sample Java code in the Mobile Device Management Protocol Reference, I sign customer.csr with the private key extracted from vendor.p12
  5. Use Safari to upload the generated plist to https://identity.apple.com/pushcert/ with the customer Apple ID

Is there anything wrong with the above steps? Please advise. Thanks a lot!


Comments (4)

只为守护你 2024-12-28 06:14:13

Please see detailed steps and source code here to generate plist.

感情洁癖 2024-12-28 06:14:13

I made a python script that does the vendor signing part, so you don't have to use the java code.

https://github.com/grinich/mdmvendorsign

孤独难免 2024-12-28 06:14:13

While following the page http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning, as a vendor:

  • create a CSR using any toolkit, e.g. Keychain Access on a MacBook, then
    export the private key as 'vendor.p12'
  • log in to the Apple Member Center, and go to 'iOS Provisioning Portal'
  • select 'Certificates' on the left navigation bar, and click the 'Other' tab in the center.
  • follow the instructions on that page, and upload the CSR you created.
  • then the certificate for you as an MDM vendor will be available to download on the 'Other' tab. Download it.
  • download the WWDR intermediate certificate.
  • download the Apple root certificate.
  • execute the openssl commands below to convert the MDM vendor certificate, WWDR certificate, and Apple root certificate to PEM format one by one:

    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem

    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem

    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem

Then use the Java program attached to http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning to generate the encoded plist.
Now first verify the format of the generated plist.xml, which should match the sample plist.xml provided in the MDM Protocol Reference document.

If plist.xml is in the appropriate format, upload the encoded_plist to https://identity.apple.com/pushcert/ .
So we need to take care that plist.xml is just for our reference; it is not for upload. Upload encoded_plist only.

  • remember to replace the placeholders in the package with your own, because the ones provided in the Java package are just samples (zero size):

    customer.der, vendor.p12, mdm.pem, intermediate.pem, root.pem


If we are doing the customer activity to generate an MDM certificate for the MDM server:

As a customer,

  • create a CSR using any toolkit, e.g. openssl:

    openssl genrsa -des3 -out customerPrivateKey.pem 2048

    openssl req -new -key customerPrivateKey.pem -out customer.csr

  • convert customer.csr to DER format:

    openssl req -inform pem -outform der -in customer.csr -out customer.der

Then we need to verify a few things.

1) remove the passphrase from customerPrivateKey.pem using this command

openssl rsa -in customerPrivateKey.pem -out PlainKey.pem

2) then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command

cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem

Now this PlainCert.pem file can be used in your server as the APNS/MDM certificate, as described in the MDM_Protocol pdf for the sample MDM server.

久隐师 2024-12-28 06:14:13

Please see my notes on Apple vendor MDM CSR signing below. Some commands may depend on Linux and the standard Linux tools, but porting to other platforms should be trivial.

Prepare required certificates

Apple Root

wget https://www.apple.com/appleca/AppleIncRootCertificate.cer
# the download is DER-encoded with a .cer extension; convert that file, not a .der that was never written
openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem
openssl x509 -fingerprint -sha256 -noout -in AppleIncRootCertificate.pem
# SHA256 Fingerprint=B0:B1:73:0E:CB:C7:FF:45:05:14:2C:49:F1:29:5E:6E:DA:6B:CA:ED:7E:2C:68:C5:BE:91:B5:A1:10:01:F0:24
openssl x509 -fingerprint -noout -in AppleIncRootCertificate.pem
# SHA1 Fingerprint=61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60

Apple WWDR

wget https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
openssl x509 -inform DER -outform PEM -in AppleWWDRCA.cer -out AppleWWDRCA.pem
openssl verify -verbose -CAfile AppleIncRootCertificate.pem AppleWWDRCA.pem

Vendor MDM CSR

openssl genrsa -out apple-mdm-csr.key 2048
openssl req -new -key apple-mdm-csr.key -subj '/CN=MDM' -out apple-mdm-csr.csr
# upload apple-mdm-csr.csr and download the issued certificate as apple-mdm-csr.cer ('https://developer.apple.com/' -> 'Account' -> 'Certificates, IDs & Profiles')
openssl x509 -inform DER -outform PEM -in apple-mdm-csr.cer -out apple-mdm-csr.pem
openssl verify -verbose -CAfile AppleIncRootCertificate.pem -untrusted AppleWWDRCA.pem apple-mdm-csr.pem

Customer CSR (generated on premise for customer)

#openssl genrsa -out customer.key 2048
#openssl req -new -key customer.key -subj '/CN=MDM' -out customer.csr

Sign Customer CSR

openssl req -inform PEM -outform DER -in customer.csr -out customer.csr.der
openssl sha1 -sign apple-mdm-csr.key -out customer.csr.der.sig customer.csr.der

... prepare for Apple

base64 -w0 customer.csr.der >customer.csr.der.b64
base64 -w0 customer.csr.der.sig >customer.csr.der.sig.b64

cat <<EOF >customer.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PushCertCertificateChain</key>
        <string>
            $(<apple-mdm-csr.pem)
            $(<AppleWWDRCA.pem)
            $(<AppleIncRootCertificate.pem)
        </string>
        <key>PushCertRequestCSR</key>
        <string>
            $(<customer.csr.der.b64)
        </string>
        <key>PushCertSignature</key>
        <string>
            $(<customer.csr.der.sig.b64)
        </string>
    </dict>
    </plist>
EOF

base64 -w0 customer.plist >customer.plist.b64

Summary (all in one)

bash -e -c '
# Take CSR from STDIN and output base64 encoded plist for Apple
APPLE_MDM_CSR_CRT="apple-mdm-csr.pem"
APPLE_MDM_CSR_KEY="apple-mdm-csr.key"
APPLE_INTERMEDIATE_CRT="AppleWWDRCA.pem"
APPLE_ROOT_CRT="AppleIncRootCertificate.pem"
CUSTOMER_CSR_DER="/proc/self/fd/3"

TMP="$(mktemp -p /run)"
exec 3<> "$TMP"
rm -f "$TMP"

openssl req -inform PEM -outform DER -out "$CUSTOMER_CSR_DER"

base64 -w0 <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PushCertCertificateChain</key>
<string>
$(<$APPLE_MDM_CSR_CRT)
$(<$APPLE_INTERMEDIATE_CRT)
$(<$APPLE_ROOT_CRT)
</string>
<key>PushCertRequestCSR</key>
<string>$(base64 -w0 "$CUSTOMER_CSR_DER")</string>
<key>PushCertSignature</key>
<string>$(openssl sha1 -sign "$APPLE_MDM_CSR_KEY" "$CUSTOMER_CSR_DER" | base64 -w0)</string>
</dict>
</plist>
EOF

exec 3>&-'
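The plist-building steps in the two answers above, as an added example that is not code from the original thread or from the tools it links: it assembles the same three-key upload document with Python's plistlib instead of a hand-written heredoc, and lints a base64-encoded plist offline for the structural mistakes a shell pipeline can silently produce, namely PEM text where the DER CSR belongs, a PushCertSignature left empty because a `$(<file)` substitution pointed at a file that does not exist, and a chain with fewer than three certificates. The certificates, CSR and signature in the sample are constructed placeholders that only have the right DER shape (not real Apple material), the checks are structural only, and the chain order (vendor, WWDR, root) follows the answers above.

```python
# Added example (Python stdlib only); it is not code from this thread or from the tools it links.
import base64
import plistlib
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
REQUIRED_KEYS = ("PushCertCertificateChain", "PushCertRequestCSR", "PushCertSignature")

def _der_tlv(buf, offset=0):
    """Parse one DER TLV at `offset`; return (tag, value, offset just past it)."""
    tag, length, offset = buf[offset], buf[offset + 1], offset + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, offset = int.from_bytes(buf[offset:offset + n], "big"), offset + n
    value = buf[offset:offset + length]
    if len(value) != length:
        raise ValueError("DER length runs past the end of the data")
    return tag, value, offset + length

def _b64(text):  # strict base64 decode after dropping newlines from a heredoc or base64(1)
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)

def check_csr_der(der):
    """Raise ValueError unless `der` is shaped like a PKCS#10 CertificationRequest."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE (was the PEM text encoded instead of the DER CSR?)")
    _, body, end = _der_tlv(der)
    info_tag, info, _ = _der_tlv(body)
    ver_tag, ver, _ = _der_tlv(info)
    if end != len(der) or info_tag != 0x30 or (ver_tag, ver) != (0x02, b"\x00"):
        raise ValueError("not CertificationRequest { CertificationRequestInfo { version 0 ... } ... }")

def build_push_cert_plist(vendor_pem, wwdr_pem, root_pem, csr_der, signature):
    """Return the base64-encoded XML plist to upload; chain order is vendor, WWDR, root."""
    chain = b"".join(p.strip() + b"\n" for p in (vendor_pem, wwdr_pem, root_pem))
    doc = {
        "PushCertCertificateChain": chain.decode("ascii"),
        "PushCertRequestCSR": base64.b64encode(csr_der).decode("ascii"),
        "PushCertSignature": base64.b64encode(signature).decode("ascii"),
    }
    return base64.b64encode(plistlib.dumps(doc, fmt=plistlib.FMT_XML)).decode("ascii")

def lint_push_cert_plist(encoded_plist):
    """Offline structural checks; returns {key: problem}, empty when nothing obvious is wrong."""
    try:
        doc = plistlib.loads(_b64(encoded_plist))
    except Exception as exc:  # not base64, or not an XML plist at all
        return {"plist": f"not a base64-encoded plist: {exc}"}
    findings = {k: "missing key" for k in REQUIRED_KEYS if k not in doc}
    if findings:
        return findings
    certs = PEM_CERT_RE.findall(doc["PushCertCertificateChain"].encode())
    if len(certs) != 3:
        findings["PushCertCertificateChain"] = f"expected 3 PEM certificates, found {len(certs)}"
    for i, body in enumerate(certs):
        try:
            der = _b64(body.decode("ascii"))
            if _der_tlv(der)[::2] != (0x30, len(der)):  # exactly one SEQUENCE covering the blob
                raise ValueError("not a single DER SEQUENCE")
        except (ValueError, IndexError) as exc:
            findings["PushCertCertificateChain"] = f"certificate #{i + 1} is malformed: {exc}"
    try:
        check_csr_der(_b64(doc["PushCertRequestCSR"]))
    except (ValueError, IndexError) as exc:
        findings["PushCertRequestCSR"] = str(exc)
    try:
        sig = _b64(doc["PushCertSignature"])
        if len(sig) not in (256, 384, 512):  # 0 bytes is what $(<misnamed-file) leaves behind
            raise ValueError(f"{len(sig)} bytes is not an RSA-2048/3072/4096 signature")
    except ValueError as exc:
        findings["PushCertSignature"] = str(exc)
    return findings

def _der(tag, value):
    """Short-form DER encoder, used only to fabricate the constructed samples below (not real)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def fake_pem_cert(label):
    """PEM-wrapped DER SEQUENCE standing in for one certificate of the chain (constructed)."""
    b64 = base64.b64encode(_der(0x30, _der(0x13, label))).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n".encode()

# SEQUENCE { SEQUENCE { INTEGER 0, SEQUENCE {} }, SEQUENCE {}, BIT STRING }: the PKCS#10 outline
SAMPLE_CSR_DER = _der(0x30, _der(0x30, _der(0x02, b"\x00") + _der(0x30, b""))
                      + _der(0x30, b"") + _der(0x03, b"\x00" * 65))
SAMPLE_SIGNATURE = bytes(range(256))  # same length as a 2048-bit RSA signature
SAMPLE_CHAIN = (fake_pem_cert(b"vendor"), fake_pem_cert(b"wwdr"), fake_pem_cert(b"root"))

def demo():
    # one well-formed plist and three carrying the mistakes the lint is meant to catch
    pem_csr = b"-----BEGIN CERTIFICATE REQUEST-----\nMIIB\n-----END CERTIFICATE REQUEST-----\n"
    cases = {
        "good": (SAMPLE_CHAIN, SAMPLE_CSR_DER, SAMPLE_SIGNATURE),
        "pem_instead_of_der": (SAMPLE_CHAIN, pem_csr, SAMPLE_SIGNATURE),
        "missing_signature": (SAMPLE_CHAIN, SAMPLE_CSR_DER, b""),
        "short_chain": ((SAMPLE_CHAIN[0], b"", SAMPLE_CHAIN[2]), SAMPLE_CSR_DER, SAMPLE_SIGNATURE),
    }
    return {name: lint_push_cert_plist(build_push_cert_plist(*chain, csr, sig))
            for name, (chain, csr, sig) in cases.items()}
```

Calling `demo()` returns an empty finding set for the well-formed plist and one named finding for each of the three broken ones. The lint does not verify the signature cryptographically; with the files named in the last answer, `openssl dgst -sha1 -verify <(openssl x509 -in apple-mdm-csr.pem -pubkey -noout) -signature customer.csr.der.sig customer.csr.der` does that against the vendor certificate and should print `Verified OK` before anything is uploaded.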