Profiles installed by MDM service are showing as "Not Verified" after upgrading the device to iOS 6 - certificate

Profiles installed by MDM service are showing as "Not Verified" after upgrading the device to iOS 6. These profiles were signed by an InCommon cert issued by AddTrust before being pushed to the devices. They were showing as "Verified" before the upgrade. Any ideas what might have caused this?

I got exactly the same problem so it is probably a bug in the iOS profile system because the very same SSL certificate is trusted by the browser. Note: Our certificate is of the "*.host.org" type.

This might be an untrusted CA in the certificate chain from the cert provider you bought it from. Looks like some CAs are untrusted or missing from iOS6. I had the same problem and included the whole of the cert chain in our cert signing bundle and the issue was resolved.
Suggest you open a support case with your cert provider to see if it's a known issue, or dig around to see if you can find a list of trusted CAs used in iOS6 - I couldn't find one. Syncing the device to iTunes may also refresh the CA list, but this didn't work for me this time.

I have exactly the same problem as you.
My chain is GeoTrust -> RapidSSL -> MyCert. I have included the full chain in my .crt, but it still shows "not verified" when I try to install the configuration profile.
I don't know how to insert the whole path.
I use an openssl command to sign my file:
openssl smime -sign -signer #{crt_path} -inkey #{private_key_path} -nodetach -outform der -in #{file_to_sign_path} -out #{file_signed_path}
My crt_path is a .crt file, including the three certs.
EDIT
I found out the problem with my openssl command. My full chain was in the #{crt_path} but was not used by the command. I added *-certfile #{crt_path}* and things work well!

Including the intermediate cert in the pkcs7_sign call (php openssl_pkcs7_sign() in my case) resolved the problem.

Yes! Adding the entire path (-root) did the trick.
Verify that the signature created by the MDM SW actually contains the path. Since it wasn't needed before...
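An added example, not code from any post in this thread, that reproduces the EDIT above on a throwaway PKI: a constructed root, intermediate and leaf (placeholder names, not the real InCommon chain) sign a constructed profile once with only -signer and once with -certfile, and the script reports how many certificates each signature carries and whether it verifies against the root alone.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway
# root -> intermediate -> leaf chain, sign a constructed profile the way the
# poster's openssl smime command does, once without and once with -certfile,
# and show that only the second result verifies against the root alone.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Constructed test PKI; the names are placeholders, not the real InCommon chain.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mdm.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 30 -out leaf.crt 2>/dev/null
cat leaf.crt int.crt root.crt > fullchain.crt   # the poster's three-cert .crt

# Constructed stand-in for a configuration profile.
printf '<plist version="1.0"><dict/></plist>\n' > profile.mobileconfig

# $1 = output file, remaining args = extra openssl options (e.g. -certfile).
sign_profile() {
  out=$1; shift
  openssl smime -sign -signer leaf.crt -inkey leaf.key -nodetach \
    -outform der -in profile.mobileconfig -out "$out" "$@"
}
sign_profile no_chain.der                              # -signer only: leaf alone
sign_profile with_chain.der -certfile fullchain.crt    # the fix from the EDIT

# How many certificates does the signed blob actually carry?
count_certs() {
  openssl pkcs7 -inform der -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}
# Can a verifier that trusts only the root build a path? (the device's situation)
verifies_with_root_only() {
  if openssl smime -verify -inform der -in "$1" -CAfile root.crt \
       -out /dev/null >/dev/null 2>&1; then echo yes; else echo no; fi
}

for f in no_chain.der with_chain.der; do
  echo "$f: $(count_certs "$f") cert(s) embedded, verifies with root only: $(verifies_with_root_only "$f")"
done
```

The same count_certs check, pointed at a signed .mobileconfig from the MDM server, answers the question in the last post: whether the signature the MDM software produces actually contains the path.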

Related

ClickOnce VSTO solution signed with mage.exe - certificate not trusted error

I'm trying to deploy a VSTO solution, which are 2 addins for Word and for Outlook, using ClickOnce. Due to our deployment infrastructure/practices, I cannot publish it using Visual Studio, it is instead built on a build server and deployed via a deployment server.
For local development, a self-signed certificate is used. The deployment worked with this self-signed certificate (if the self-signed certificate was installed on the machine), but now I want to add a real company certificate so that the application can be deployed to the users.
During deployment, after the configuration files are poked, they are updated and re-signed with the real certificate. However, this produces the following error during installation:
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for <app name> or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName, TrustStatus status)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.ProcessSHA1Manifest(ActivationContext context, DeploymentSignatureInformation signatureInformation, PermissionSet permissionsRequested, Uri manifest, ManifestSignatureInformationCollection signatures, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
The only lead I have is that, after re-signing, the values in publisherIdentity element are not changed (both .vsto and .manifest), only the Signature element has values corresponding to the new certificate.
Following commands are used to sign the .vsto and .manifest files (as far as I can see from the deployment scripts):
mage.exe -Update "[path to .vsto/.manifest]"
mage.exe -Sign "[path to .vsto/.manifest]" -CertHash [certificateHash]
where [certificateHash] is the thumbprint of the real certificate and is used to look up the certificate in the certificate stores. I'm told this is a security measure so that the certificate file doesn't have to be distributed along with the deployment package.
After signing, the files have their Signature values changed, but the publisherIdentity still has the name and issuerKeyHash of the self-signed certificate.
I tried poking these two values prior to re-signing, but I don't know how to calculate the issuerKeyHash.
Any advice on how to proceed would be much appreciated!
Edit:
I was trying out other mage.exe parameters, like '-TrustLevel FullTrust' (which didn't have any effect) or '-UseManifestForTrust True' along with the Name and Publisher parameters, which yielded this error message (which is different from the one mentioned above).
************** Exception Text **************
System.InvalidOperationException: You cannot specify a <useManifestForTrust> element for a ClickOnce application that specifies a custom host.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.GetManifests(TimeSpan timeout)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The certificate that the app is signed with isn't trusted by Windows. As a work around,
Right click on setup.exe,
Select properties then the Digital Signatures tab
Select Vellaichamy/user then click Details
Click View Certificate and Click Install Certificate.
Do not let it automatically choose where to store the cert; install the certificate in the Trusted Root Certification Authorities Store. Once the cert is installed the app should install...
Take a look at the Granting Trust to Office Solutions article which states the following:
If you sign the solution with a known and trusted certificate, the solution will automatically be installed without prompting the end user to make a trust decision. After a certificate is obtained, the certificate must be explicitly trusted by adding it to the Trusted Publishers list.
For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.
Also you may find the Deploying an Office Solution by Using ClickOnce article helpful.
We have found what the problem was. We used a version of mage.exe tool from Windows SDK from a folder named 7A (I don't remember the full paths, sorry). A colleague then found another folder with versions 7A, 8 and 8A. Once we took the .exe from 8A folder, the installation works as expected.
Try copying all the necessary files to the client computer then install. If you can avoid installing from the network drive you might be able to avoid this exception.

CouchDB SSL CRT to PEM files

I have tried several ways to get some PEM files to be used by CouchDB. I have generated a cert with powershell, exported it with key to a pfx and then used openssl to convert to 2 pem files and installed them in Couch. With this approach it seems to work in IE11, but it doesn't work with firefox or other browsers. Firefox produces this error:
The key does not support the requested operation. (Error code: sec_error_invalid_key)
I've also gotten a free ssl cert from ssl.com, (they gave me three CRT files) and tried converting it using openssl, but to no avail.
I've also followed the instructions on the page from CouchDB to generate a self signed cert specifically for this purpose, but it will not load the page. (http://docs.couchdb.com/en/latest/config/http.html#config-ssl about half way down)
Has anybody had success with this? How do I get my certs into a format that will play nice with Couch and with all browsers?
UPDATE:
Now I'm getting this error
A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
Not sure if this is a step forward or backwards...
It seems like CouchDB versions predating 1.7 or 1.6 are not able to have intermediate certificates specified for certificate verification. Since you are writing about having received three .crt files, some of those might be required as intermediate certificate(s). CouchDB not knowing about them can be the cause of your problem.
Apparently, one way to work around this is to concatenate your certificate file along with the intermediate certificate file(s). Simply cat them together like
$ cat yours.crt theirs.crt > couchdb.crt
...and use CouchDB's certfile configuration option to point to couchdb.crt's location.
If you prefer to convert .crt to .pem first, use something like
$ openssl x509 -in yours.crt -inform der -outform pem -out yours.pem
In a new enough version, you can probably use an intermediate certificate by setting CouchDB's cacertfile option. Have a look at this for further information.

iOS Push Notifications not working for Distribution

I have tried the Push Notification for my application for development and it's working fine. When I am generating the .p12 file of production (distribution) it's getting created. After deploying the .pem file on the server it's throwing an error.
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate unknown)
Server : RoR(Ruby on Rails)
Any help would be very much appreciated.
Note : For the development .p12 it's working fine. The issue is when I'm deploying distribution .p12. Please suggest what may I be missing.
Thanks and Regards
Check this in your server code:
gateway.push.apple.com, port 2195 for distribution
gateway.sandbox.push.apple.com, port 2195
Log-in to the iPhone Developer Program Portal.
Choose App IDs from the menu on the right.
Create an App ID without a wildcard.
Click the Configure link next to this App ID and then click on the button to start the wizard to generate a new Development Push SSL Certificate for development (or) a new Production Push SSL Certificate for distribution.
Download this certificate and double click on aps_developer_identity.cer to import it into your Keychain
Launch Keychain Assistant and click on My Certificates on the left
Expand Apple Development Push Services and select Apple Development Push Services
Right-click and choose "Export 1 elements..." and save as apns-cert.p12.
AND your private key in the same expand area
Right-click and choose "Export 1 elements..." and save as apns-key.p12.
Open Terminal, change directory to the location used to save the .p12 files, and convert the PKCS12 certificate bundle into PEM format using these commands:
i). openssl pkcs12 -clcerts -nokeys -out apns-cert.pem -in apns-cert.p12
ii). openssl pkcs12 -nocerts -out apns-key.pem -in apns-key.p12
Here you have to give a key (passphrase) that the PHP code will use for access.
Remove passphrase
iii). openssl rsa -in apns-key.pem -out apns-key-noenc.pem
Here you have to give the same key to remove the passphrase.
finally
iv). cat apns-cert.pem apns-key-noenc.pem > apns-dev.pem.
Now you can use this PEM file as your certificate in ApnsPHP!
#Learner
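An added example, not code from the answer above or from ApnsPHP, that runs steps i) to iv) on a constructed self-signed certificate standing in for the Keychain export and then checks the combined PEM the way a provider server needs it: key matches cert, passphrase really removed, and which gateway the cert belongs to. The CN substrings it matches for sandbox versus production are an assumption about Apple's certificate naming.

```shell
#!/bin/sh
# Added example, not code from the thread: run steps i)-iv) above on a
# constructed self-signed certificate in place of the Keychain export, then
# check the combined PEM. Assumed: Apple's push cert CNs contain
# "Development" or "Production" together with "Push Services".
set -e
WORK=$(mktemp -d)
cd "$WORK"
PASS=changeit   # constructed export password, stands in for the Keychain one

# Constructed stand-in for the Apple-issued push cert and its private key.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Apple Development IOS Push Services: com.example.app" \
  -keyout key.pem -out cert.pem 2>/dev/null
openssl pkcs12 -export -in cert.pem -inkey key.pem -passout pass:$PASS -out apns.p12

# i) and ii): certificate and (still encrypted) key out of the PKCS#12 bundle.
openssl pkcs12 -clcerts -nokeys -passin pass:$PASS -in apns.p12 -out apns-cert.pem
openssl pkcs12 -nocerts -passin pass:$PASS -passout pass:$PASS -in apns.p12 -out apns-key.pem
# iii): strip the passphrase so the server can load the key unattended.
openssl rsa -passin pass:$PASS -in apns-key.pem -out apns-key-noenc.pem 2>/dev/null
# iv): one file, certificate first, then the key.
cat apns-cert.pem apns-key-noenc.pem > apns-dev.pem

# Does the private key in the combined file belong to the certificate?
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  if [ -n "$c" ] && [ "$c" = "$k" ]; then echo yes; else echo no; fi
}
# Is the key really unencrypted (step iii done)?
key_is_unencrypted() {
  if grep -q 'ENCRYPTED' "$1"; then echo no; else echo yes; fi
}
# Which gateway does this certificate belong to? A cert presented to the
# wrong gateway is what produces "sslv3 alert certificate unknown".
apns_environment() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  case $subj in
    *Development*"Push Services"*) echo sandbox ;;     # gateway.sandbox.push.apple.com
    *Production*"Push Services"*)  echo production ;;  # gateway.push.apple.com
    *) echo unknown ;;
  esac
}

echo "key matches cert: $(cert_key_match apns-dev.pem)"
echo "key unencrypted:  $(key_is_unencrypted apns-dev.pem)"
echo "environment:      $(apns_environment apns-dev.pem)"
```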
If all other options are not working then you should check how you are exporting your p12 file. You should export the p12 file which is associated with the Apple production certificate. I hope it will work, as it worked for me!
If you want to skip verification, you can use this.
require 'net/http'
require 'openssl'
class Net::HTTP
  alias_method :origConnect, :connect
  def connect
    # disables certificate verification for every Net::HTTP connection
    @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
    origConnect
  end
end
source: How to get rid of OpenSSL::SSL::SSLError
But since we want to be secure you should use the following:
ENV['SSL_CERT_DIR'] = '/usr/share/ca-certificates/'
More solutions at OmniAuth & Facebook: certificate verify failed
I solved it. It was a .p12 file error. I was not creating the .p12 which I had to use.
Thanks !!
I was using gem 'rpush', which took pem file from the credentials folder & stored it in database. My solution was to delete all the old Rpush::Apns::App records from database and regenerated records after updating pem file in my credentials folder.
app = Rpush::Apns::App.new
app.name = "ios_app"
app.certificate = File.read("/path/to/sandbox.pem")
app.environment = "sandbox" # APNs environment.
app.password = "certificate password"
app.connections = 1
app.save!
n = Rpush::Apns::Notification.new
n.app = Rpush::Apns::App.find_by_name("ios_app")
n.device_token = "..." # 64-character hex string
n.alert = "hi mom!"
n.data = { foo: :bar }
n.save!

apple push notifications - no valid 'aps-environment' have tried all solutions I've seen on web?

I'm tearing my hair out trying to get push notifications to work! I'm following this tutorial to basically no avail. I've deleted xcode several times, redone the whole apple dev certificate, cleaned out my login keychain a few times. This has helped a few issues, but at the end I'm still stuck.
What I think I need to do (from reading other people's experience with this):
1) My openssl cert and key need to talk to the apple server
2) The app id with this openssl cert has a provisioning profile associated with it.
3) The build (in xcode) needs to have the proper provisioning profile associated with it
4) The build identifier (in xcode) needs to have the same text as the application id with the provisioning profile
4) ???
As far as I can tell, all of this is ok:
My ssl certificate + key talk nicely to the apple server (ignore the error, I still get a prompt eventually):
MacBook-Pro:apple_dev_certification nflacco$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -key xxx.pem -cert xxx.pem
Enter pass phrase for xxx.pem:
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
.....
2,3,4) When I create a new project, it never gets the right app id (build settings->info-bundle identifier). If my provisioning profile matches 'com.xxx' then the app will always be 'com.xxx.FOO', so the default IOS Team Provisioning Profile is selected. I run the app like that, and get:
2011-10-22 22:42:45.086 VVV[3552:707] Failed to get token, error: Error Domain=NSCocoaErrorDomain Code=3000 "no valid 'aps-environment' entitlement string found for application" UserInfo=0x16d140 {NSLocalizedDescription=no valid 'aps-environment' entitlement string found for application}
4 contd) I want to use my provisioning profile that uses my app id with push enabled, so I change the app identifier to 'com.xxx', and select the proper profile in the code signing option in the build menu. Install it on my iPhone, same thing :(
The only things I can think of:
My provisioning profile is not correct? I've made a new one several times, deleted all the existing ones in xcode organizer, but this hasn't helped.
Code is still getting signed with the Team Profile instead of my new one? Is there a way to ensure this?
Any ideas on what I should do here? This can't be this complicated. Should I just wipe my HD and reinstall from scratch and hope it works?
You know what it was? My app id.
foo.bar is treated as foo.bar.* (which is not permitted)
you have to have foo.bar.xxx
I think for push you need an Entitlements.plist file that has an aps-environment key, with a value of "production". I just got finished getting this working (again) for my app. Some other answers here helped me get the Organizer window to pop up after I did the Archive, but then I was getting your error.
I also had to quit & restart XCode with some frequency, touch settings that didn't actually change, delete the old, pre-push certificate and add the new one, etc etc. A lot of the settings in XCode didn't actually change, but it seems like touching them caused it to start working.

Apple Push Notifications, how do I properly export my cert?

I can't seem to figure out how to properly export my cert for use in my iOS app with push notifications. I'm using the following cert, downloaded from the Certificates section of the iOS Provisioning Portal.
I'm then following one of the many tutorials I've found all over the web that are all different by the way, to get my cert into a .pem format for use in ruby-apns.
First I export it from the Keychain:
After I give it a name and a password I perform the following commands in the terminal*:
openssl pkcs12 -in cert.p12 -out apple_push_notification_dev.pem -nodes -clcerts
*note: this isn't the only way I've tried this, just the latest, I have also tried via the instructions at the following urls:
http://blog.boxedice.com/2010/06/05/how-to-renew-your-apple-push-notification-push-ssl-certificate/
http://blog.boxedice.com/2009/07/10/how-to-build-an-apple-push-notification-provider-server-tutorial/
http://code.google.com/p/apns-sharp/wiki/HowToCreatePKCS12Certificate
http://wiki.cs.unh.edu/wiki/index.php/Using_the_Apple_Push_Notification_Service
Not a single one of these solutions work. I'm sitting here looking at the following error from the console when I try to use ruby-apns:
read finished A: sslv3 alert certificate unknown (OpenSSL::SSL::SSLError)
And essentially every other server solution I've found has told me my certificate is incorrect or that there's a problem with it as well.
Am I doing this wrong?
===============================
Overnight Courtesy Bump Stealth Edit
So I beat my head against the wall last night, and actually came across Apple's own instructions for doing this. It's almost the exact same, and I tried it to the same tune. Nevertheless, here is the latest attempt from this link:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
(1) First you need to set the configuration for your app ID to enable push notification service. You can check in the image.
(2) Then you can install the certificate into your keychain on your machine.
(3) Here you are exporting two files. Instead of that you just need to export the private key as shown in the screenshot.
(4) Now you can export the private key and store with any name you want in .p12 format as shown in the screenshot below.
(5) Then follow all the other steps, which you know very well, as you mentioned above.
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
Please let me know if you still have any question or if you are not able to solve then let me know.