Using certutil in custom website to enroll certificates - certificate

We are looking for an opportunity to request and enroll certificates on Android and iOS devices with certutil. Unfortunately we can't use an MDM. Requesting a certificate, exporting it and sending it via mail, or getting it onto the device via USB, is also not allowed.
Now we are running a working CA and we export the certificate from the computer that requested the certificate and import it to the mobile device. But we can't continue with that workflow.
The new workflow should be as follows:
User with Android/iOS Device goes to http://xxxxxxxxx
Website asks for some input, for example user name, department, device name and operating system (checkbox?).
This input should now be used to request and enroll a certificate to a specific device running a specific operating system.
Certificate installed on the device.
Is this even possible? What do I need for that? How can I run certutil on a webpage? My scripting/programming experience is nearly 0.

Related

Unable to complete Windows Phone Certificate enrollment web service process

I am implementing Windows Phone MDM using the Windows Phone 8 enterprise DM protocol. I succeeded in the Discovery phase and the Certificate enrolment policy web service. But in the Certificate enrolment web service process I am facing a problem.
While creating the provisioning XML I embedded my domain CA and intermediate certificates. I also added the client certificate which I got as a request from the device. I converted everything into base64 format and I am sending the response to the device (RequestSecurityTokenResponse). I am using the Fiddler tool for seeing logs.
I am not getting any response from the device.
My doubts are: 1) what certificates I need to use in the provisioning XML; 2) what is the client certificate.
I am using a valid SSL certificate, not a self-signed one. Do I still need any certificates?
Any advice would be greatly appreciated. Please guide me
Finally, after one month, I succeeded in enrolment.
We have to use the Windows Phone developer power tool for debugging.
For my questions I am answering as below.
1) We have to use a Root certificate (CA), that is, a valid CA certificate. We need to sign the client certificate (on the fly from the device) with the server certificate and key certificate. Be careful about the fingerprint.
2) No extra certificates are needed for enrolment. The above two are mandatory.
I hope the above helps others.

Do I need an SSL certificate for my Debian server to communicate with the APNS?

I'm currently learning to develop for iOS and reached the point where I want to play around with some push notifications.
I was able to use the development certificate to register the iPhone for push notifications, but now I want to establish a connection between my Debian root server and the APNS (for the first try I'll connect to the sandbox server).
Some tutorials showed me how to receive a certificate for my Mac, but do I therefore need a valid certificate for my server, or am I wrong with this assumption?
As far as I know the APNS works with apple certificates only. In short:
Create an app id in provisioning portal
Enable it for push notifications
Generate certificates following the usual procedure.
Combine the generated certificate and private key into one .pem and use it when communicating with Apple.
This tutorial was all I needed:
http://www.raywenderlich.com/3443/

The site's security certificate is not trusted with openssl

I want to support HTTPS in my web application. Since the certificates from Verisign are costly, I decided to use openssl for generating a certificate. Here is the link I referred to: https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb
When I tried to access the application in browser I got the error "The site's security certificate is not trusted". Here is the screenshot,
Please let me know how I can solve this error? Is it possible to use openssl in production?
The issue is that your self-signed certificate is not 'trusted' by the browser. It does not recognise it as signed by one of the certificate authorities it trusts.
You have two options - tell the browser it can trust the certificate or tell the browser that it can trust the entity which issued it (meaning that if you use the same certificate to sign other certificates; that those also get trusted).
See http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html for more information. Once you are in 'Manage certificates' you can import your own ones.
Every browser, every user, will have to go through those steps. So that is a practical logistical limit on how much 'production' you can run with this.
Do check out the various 'free' certificates; they are very low cost.
MAC SOLUTION: The best way that I've found for manually trusting specific site certificates is to use Safari. See, when you manually trust a certificate in Safari, it requires you to enter your OS X account password. Safari does this because it stores the certificate details in Keychain Access, a system application that manages all vital data you store on your computer.
This is significant because Chrome also communicates with Keychain Access. Once the program has a record of the certificate being trusted by Safari, Chrome will also trust the certificate. You may have to restart the Chrome browser after activating the certificate in Safari to get this to work correctly.
Happy browsing!

iOS: Mobile Device Management

I am a little confused about MDM; I wish that someone could help me here. I have studied the docs from the Apple website regarding iOS MDM, but still I feel puzzled, and I have some questions.
Is the MDM server communicating with APNS every time it needs to execute a command?
Is it very complex to set up our own MDM server, and how do we set up our own MDM server?
Thank you in advance.
1) the general idea is that you send one request via APNS and then respond with a command when the device 'phones home' to your MDM server. Once the device responds to your command, you can send another command back in response and so on until the device has executed all the commands at which point your server should respond with an empty HTTP response.
2) That entirely depends on what your definition of complex is! I have created 2 MDM 'servers' in the past year and it's not impossible but quite complex to detail.
MDM server communicates only when it needs to send a command to the device.
Here is how it goes,
MDM server contacts APNS server with MDM payload.
APNS server triggers a wake up on device to check server for MDM command.
Mobile device contacts the MDM server for command to be executed.
Implementing MDM is simple if you have an enterprise account.
Get your MDM certificate.
http://www.blueboxmoon.com/wordpress/?p=877
Using IPCU, create a profile and push it to the mobile.
With this, the device push magic will be passed to the check-in URL you specified in the config profile.
Then trigger the MDM payload using JavaPNS with the push magic and token.
JavaPNS - https://code.google.com/p/javapns/
Create a simple page that will respond to device command.
Refer to the Blackhat guide for full documentation.
https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf
or this http://darthnull.org/media/papers/MDM_CommandReference.pdf for a command reference.
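The command loop described in the answers above (push wake-up, device checks in, server answers one command at a time, empty response when nothing is left), as an added Go example that is not code from the original posts or from any MDM product. It assumes a single device, plain-string commands standing in for the real payload format, and leaves out the APNS push itself; the check-in handler and the device-side loop are constructed for illustration.

```go
package main

import (
	"io"
	"net/http"
	"strings"
	"sync"
)

// Server holds the commands waiting for one device (a real server keys this by device identity).
type Server struct {
	mu    sync.Mutex
	queue []string
}

// Enqueue stores a command; a real server would send the APNS wake-up at this point as well.
func (s *Server) Enqueue(cmd string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.queue = append(s.queue, cmd)
}

// ServeHTTP is the check-in URL: the device posts its last status (ignored here), the reply is the next command or an empty 200.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if len(s.queue) == 0 {
		w.WriteHeader(http.StatusOK) // empty body: device goes back to sleep until the next push
		return
	}
	io.WriteString(w, s.queue[0])
	s.queue = s.queue[1:]
}

// RunSession plays the device: check in with Idle, acknowledge each command, stop at the first empty reply.
func RunSession(checkinURL string) []string {
	var done []string
	for status := "Idle"; ; status = "Acknowledged" {
		resp, err := http.Post(checkinURL, "text/plain", strings.NewReader(status))
		if err != nil {
			return done
		}
		cmd, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		if len(cmd) == 0 {
			return done
		}
		done = append(done, string(cmd))
	}
}
```

Run the server behind the check-in URL from the config profile; the device returns to `RunSession`-style polling only after the next push.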

How do I update the "Secure URL" on a quiz I made so that users can view it again?

The quiz can't be viewed by any other users, unless the "Secure URL" is updated. But I can't figure out how to do that.
This simply means you must have an SSL certificate on the domain that hosts your canvas page. I would recommend rapidSSL.
Here is a general overview of what this entails: http://webnet77.com/SSL-certificates.html
Here is what we do:
get yourself a hosting account with a dedicated IP, or better, a Linux dedicated server
ask your host to generate a Certificate Signing Request, or do it yourself using openssl (I don't know how to do it on Windows)
get a cheap SSL certificate (like RapidSSL), 9.90 per year or something, just domain verification; google it.
send them your CSR
wait like 10 minutes
find your cert in your inbox attached
install it according to your server (Apache uses mod_ssl)
test it