
I hit 'Invalid Certificate Signing Request' when uploading the plist to https://identity.apple.com/pushcert/ . Below are the steps I used to generate the plist:

  1. As a vendor, create the vendor CSR using Keychain Access on the MacBook, upload it to the Member Center to generate the MDM signing certificate, and export the private key from Keychain Access in p12 format, say vendor.p12
  2. Create the customer CSR using OpenSSL:
    - openssl genrsa -des3 -out customerPrivateKey.pem 2048
    - openssl req -new -key customerPrivateKey.pem -out customer.csr
  3. As a vendor, download the MDM signing certificate and the WWDR intermediate certificate from the provisioning portal, download the Apple root certificate from http://www.apple.com/appleca/AppleIncRootCertificate.cer, then use the command below to convert these three certs to PEM format one by one; they are read by the program as the PushCertCertificateChain:
    - openssl x509 -inform der -in AppleWWDRCA.cer -out chain.pem
  4. As a vendor, following the sample Java code in the Mobile Device Management Protocol Reference, sign customer.csr with the private key extracted from vendor.p12
  5. Use Safari to upload the generated plist to https://identity.apple.com/pushcert/ with the customer's Apple ID

Is there anything wrong with the above steps? Please advise. Thanks a lot!

CrimsonWorks
  • possible duplicate of [MDM push certificate creation](http://stackoverflow.com/questions/8007112/mdm-push-certificate-creation) – Andrew Barber Jun 15 '12 at 04:09

4 Answers


Please see the detailed steps and source code here to generate the plist.

Softhinker.com
  • Welcome to Stack Overflow! While this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Bill the Lizard Mar 05 '12 at 11:44

I made a Python script that does the vendor signing part, so you don't have to use the Java code.

https://github.com/grinich/mdmvendorsign

Michael Grinich
  • Hey, I don't have an Apple Enterprise account. Can I generate the MDM vendor certificate from your Python script? If yes, then please give some idea or a link for that. – Dhaval Bhadania Jan 19 '16 at 10:53
    @DhavalBhadania: I don't think you can generate a vendor MDM certificate if you don't have an Enterprise Account – Padmika Jan 26 '16 at 00:18

While following the page http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning, as a vendor:

  • create a CSR using any toolkit, i.e. Keychain Access on a MacBook, then export the private key as 'vendor.p12'
  • log in to the Apple Member Center, and go to 'iOS Provisioning Portal'
  • select 'Certificates' in the left navigation bar, and click the 'Other' tab in the center
  • follow the instructions on that page, and upload the CSR you created
  • the certificate for you as an MDM vendor will then be available to download on the 'Other' tab; download it
  • download the WWDR intermediate certificate
  • download the Apple root certificate
  • execute the openssl commands below to convert the MDM vendor certificate, the WWDR certificate, and the Apple root certificate to PEM format one by one:

    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem

    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem

    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem

Then use the Java program attached to http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning to generate the encoded plist. First verify that the format of the generated plist.xml matches the sample plist.xml provided in the MDM Protocol Reference document.

If plist.xml is in the appropriate format, upload encoded_plist to https://identity.apple.com/pushcert/ . Note that plist.xml is just for our reference and is not for upload; upload only encoded_plist.

  • remember to replace the placeholders in the package with your own files, because the ones provided in the Java package are just samples (zero size):

    customer.der, vendor.p12, mdm.pem, intermediate.pem, root.pem


If we are doing the customer activity to generate the MDM certificate for the MDM server:

As a customer,

  • create a CSR using any toolkit, i.e. openssl:

    openssl genrsa -des3 -out customerPrivateKey.pem 2048

    openssl req -new -key customerPrivateKey.pem -out customer.csr

  • convert customer.csr to DER format:

    openssl req -inform pem -outform der -in customer.csr -out customer.der

Then we need to verify a few things.

1) remove the passphrase from customerPrivateKey.pem using this command

openssl rsa -in customerPrivateKey.pem -out PlainKey.pem

2) then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command

cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem

Now this PlainCert.pem file can be used in your server as the APNS/MDM certificate, as described in the MDM_Protocol PDF for the sample MDM server.

User97693321

Please see my notes on Apple vendor MDM CSR signing below. Some commands may depend on Linux and Linux standard tools, but porting to other platforms should be trivial.

Prepare required certificates

Apple Root

wget https://www.apple.com/appleca/AppleIncRootCertificate.cer
openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem
openssl x509 -fingerprint -sha256 -noout -in AppleIncRootCertificate.pem
# SHA256 Fingerprint=B0:B1:73:0E:CB:C7:FF:45:05:14:2C:49:F1:29:5E:6E:DA:6B:CA:ED:7E:2C:68:C5:BE:91:B5:A1:10:01:F0:24
openssl x509 -fingerprint -noout -in AppleIncRootCertificate.pem
# SHA1 Fingerprint=61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60

Apple WWDR

wget https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
openssl x509 -inform DER -outform PEM -in AppleWWDRCA.cer -out AppleWWDRCA.pem
openssl verify -verbose -CAfile AppleIncRootCertificate.pem AppleWWDRCA.pem

Vendor MDM CSR

openssl genrsa -out apple-mdm-csr.key 2048
openssl req -new -key apple-mdm-csr.key -subj '/CN=MDM' -out apple-mdm-csr.csr
# GET apple-mdm-csr.cer ('https://developer.apple.com/' -> 'Account' -> 'Certificates, IDs & Profiles')
openssl x509 -inform DER -outform PEM -in apple-mdm-csr.cer -out apple-mdm-csr.pem
openssl verify -verbose -CAfile AppleIncRootCertificate.pem -untrusted AppleWWDRCA.pem apple-mdm-csr.pem

Customer CSR (generated on premise for customer)

#openssl genrsa -out customer.key 2048
#openssl req -new -key customer.key -subj '/CN=MDM' -out customer.csr

Sign Customer CSR

openssl req -inform PEM -outform DER -in customer.csr -out customer.csr.der
openssl sha1 -sign apple-mdm-csr.key -out customer.csr.der.sig customer.csr.der

... prepare for Apple

base64 -w0 customer.csr.der >customer.csr.der.b64
base64 -w0 customer.csr.der.sig >customer.csr.der.sig.b64

cat <<EOF >customer.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PushCertCertificateChain</key>
        <string>
            $(<apple-mdm-csr.pem)
            $(<AppleWWDRCA.pem)
            $(<AppleIncRootCertificate.pem)
        </string>
        <key>PushCertRequestCSR</key>
        <string>
            $(<customer.csr.der.b64)
        </string>
        <key>PushCertSignature</key>
        <string>
            $(<customer.csr.der.sig.b64)
        </string>
    </dict>
    </plist>
EOF

base64 -w0 customer.plist >customer.plist.b64

Summary (all in one)

bash -e -c '
# Take CSR from STDIN and output base64 encoded plist for Apple
APPLE_MDM_CSR_CRT="apple-mdm-csr.pem"
APPLE_MDM_CSR_KEY="apple-mdm-csr.key"
APPLE_INTERMEDIATE_CRT="AppleWWDRCA.pem"
APPLE_ROOT_CRT="AppleIncRootCertificate.pem"
CUSTOMER_CSR_DER="/proc/self/fd/3"

TMP="$(mktemp -p /run)"
exec 3<> "$TMP"
rm -f "$TMP"

openssl req -inform PEM -outform DER -out "$CUSTOMER_CSR_DER"

base64 -w0 <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PushCertCertificateChain</key>
<string>
$(<$APPLE_MDM_CSR_CRT)
$(<$APPLE_INTERMEDIATE_CRT)
$(<$APPLE_ROOT_CRT)
</string>
<key>PushCertRequestCSR</key>
<string>$(base64 -w0 "$CUSTOMER_CSR_DER")</string>
<key>PushCertSignature</key>
<string>$(openssl sha1 -sign "$APPLE_MDM_CSR_KEY" "$CUSTOMER_CSR_DER" | base64 -w0)</string>
</dict>
</plist>
EOF

exec 3>&-'
Mario