We are following the below article for over the air enrollment and profile delivery feature
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1
We could able to complete steps in Phase 1 and Phase 2. Once the device acquires the certificate from SCEP server(as part of phase 2), it sends the response back to the MDM server. This response is signed by the new certificate.The response consists of signature, plist content and certificate in binary format. Ideally, we need to extract the public key from this certificate and use that to sign the configuration profile (.mobileconfig). However we have difficulty extracting the certificate from the response. Looks like the certificate is corrupted somehow. We tried different encodings. But it didn't help :(
Has anyone successfully extracted the certificate in Phase #3.
Really appreciate any help in this regard.
Thanks
The response from the device is a DER-encoded SMIME string. You can use openssl smime to extract the public key.
if you are using C#, this can be accessed as part of the Pkcs library.
using System.Security.Cryptography.Pkcs
...
//get the data as a byte[]
var signer = new SignedCms();
signer.Decode(input)
//signer.Certificates[0] contains the cert
To extract the certificates you can use openssl cli :
openssl pkcs7 -print_certs -in requestFromDevice.p7s -inform DER
You can then easily parse the output using stdout.split('-----END CERTIFICATE-----') & stdout.split("\n") (in javascript).
Related
Examples using powershell use [Security.Cryptography.X509Certificates.X509Certificate2] to sign data. The data present here is in the form of what I believe is a Json Web Key (JWK).
How do you convert a JWK to a compliant cert that can be used by X509Certifate2?
https://www.googleapis.com/oauth2/v1/certs gives you the X509 certificates in PEM format, but I believe this endpoint is deprecated.
I ONLY have .crt file with me which I purchased from Comodo. No private key or any thing. How can I use this to sign my code and get rid of "publisher unknown" issue in my installer. I have used Inno-Setup for creating the installer too. Code is in C Sharp. I tried to use sign tool and openssl but I don't have any other file than this user.crt file. I just can get .cer format using .crt and thats all. Appreciate any help
Usually, you need sign the application from PC where you are registered Comodo certificate. The private key saved by your browser in the local storage.
You cannot sign files with a public key only.
You need the private key.
If it were possible to sign files with a public key only, anyone could sign malicious content with your public key.
We are trying to implement the following workflow:
generate private key in browser, using window.crypto
create a PKCS10 certificate signing request in the browser
send the PKCS10 to a server
the server signs the request and returns an x509 certificate in PEM format
the browser stores the certificate for itself
The same thing already works using the keygen tag in the browser and using SPKAC instead of pkcs10. Now, however the browser does not store the certificate returned, just wants to save them. When we try to import the certificate to the browser by hand, we got "the private key for the certificate is missing or invalid".
We suspect that the private key generated by window.crypto.generateKey() does not get stored in the browser's keystore. How to get the private key stored in the keystore?
The implementation of the first two steps is based on http://blog.engelke.com/2014/08/23/public-key-cryptography-in-the-browser/
Update: As some browsers use the OS keystore, I am also looking into the possibility to save the key into the OS keystore through some other way.
What I have figured out so far:
Java cannot be used according to this question: Tell Java to use Windows keystore
In Windows one can use ActiveX controls.
Summary: Found no standard cross-browser and cross-OS way to generate and meaningfully use X509 certificates. There are combinations (new chrome versions (dropping keygen support) on non-windows OS) where there is no way to do this.
How to create Certificate Request for CVC certificate as like X.509 (PKCS#10) in Java to send as a certificates signing request to EJBCA Certificate Authority?
Thanks in advance
You can use the cert-cvc library, also open source. This is part of EJBCA and comes with sample code. You can find more information and download at the ejbca.org site.
I have followed the instruction for creating x509 cert, however, after uploading the cert, i get
Your x.509 certificate is invalid. Please upload a new certificate
Anyone seeing the same?
Can you please provide more details about your certificate:
1) Was it a valid X.509 certificate, base64 encoded ( PEM ) format with 1024 bytes key size ?
Also the link you posted is incorrect for the documentation. It is here :
Create X509 Certificate
2) Is the error occuring at the time of uploading CERT or at the time of registering ( clicking on the submit button ) ?
You can always just export the public key only from the PEM and upload that.
You would need to submit a support ticket for us to investigate your cert as we would need to take a look at it.
I have followed the .Net self sign instructions with no issues. However others have had issues with PEM. Follow them to the letter, or like I said export the pub cert as text. that should work.
regards,
Jarred