iOS mobileconfig walkarounds [英] iOS mobileconfig walkarounds
问题描述
我搜索了很少的网站的任何英特尔配置iPhone的空气与mobileconfig文件,并停留在某些阶段...:/
这里是我发现:
< a href =http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/> http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/
,但这部分超出我的理解
i've searched quite few sites for any intel on configuring iPhone over the air with mobileconfig files, and stuck at some stage... :/ here is what I've found: http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/ but this part is beyond my comprehension
使用openssl smime和您从Verisign获得的P12
mobileconfig文件包括完整的CA链并将其放在
a公共HTTP服务器
Using openssl smime and the P12 you got from Verisign, sign the mobileconfig file including the complete CA chain and put it onto a public HTTP server
如果我正确理解我要做的是:
1)从Verisign获得证书(基于从openssl生成的key.pem和request.pem获得)
2)在iPhone配置实用程序中创建.mobileconfig文件(我必须在其中填充所有设置或足够只有这个文件?)
3)和...什么是CA链吗?
If I understood correctly what I have to do is:
1)obtain a certificate from Verisign (got it based on key.pem and request.pem generated from openssl)
2)create .mobileconfig file in iPhone Configuration Utility (do I have to have all settings in it filled or it's enough to just have this file?)
3) and... what is this CA chain?
也有我在这里找到的东西:http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
这里我也困住了这个链条的东西...有没有人知道,最好是一步一步的解决方案像我这样的noob? ;)(最想要的是明显的解决方案,创建整个证书的东西,因为后来是相当straigh-forward教程)
also I have found stuff in here: http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
Here I'm also stuck with this chain stuff... does anybody have/know, preferably step-by-step solution for noobs like me? ;) (most wanted is obviously solution for creating whole certificate stuff, because later is pretty straigh-forward tutorial)
推荐答案
CA链断开:假设您有一个安全证书声称您是example.com。但没有人会相信你。所以你得到的人签署的人的信任(在上面的例子中的Verisign)。现在,我相信你是example.com,因为Verisign通过签署你的证书为你付费。
A basic rundown of CA chains: Say you have a security certificate claiming that you are example.com. But no one is going to believe you. So you get that signed by someone that people do trust (Verisign in your example above). Now, I believe that you are example.com because Verisign is vouching for you by signing your certificate.
通常,Verisign不会使用他们的主根证书签名。
Usually Verisign will not sign it with their main "root" certificate. Instead, they will sign it with a second-level CA, and that second-level CA is signed by the root certificate which I trust.
这是一个证书链:你是一个证书链(example.com)由二级CA签署,由根CA签名。
That's a certificate chain: You (example.com), are signed by a second-level CA, which is signed by a root CA.
因此,当给我您的证书时,您还需要提供整个链,所以我可以验证一路到顶部,看看我是否真的信任你。
So, when giving me your certificate, you also need to provide the whole chain so I can validate it all the way to the top and see if I actually trust you.
所以,以下命令需要你的.mobileconfig文件和标志它与您的证书。
So, the following command takes your .mobileconfig file and signs it with your certificate. And I will trust your signature, so long as you provide the whole chain.
档案:
* company.mobileconfig< - your。您创建的mobileconfig文件
* signed.mobileconfig < - 在命令完成后创建的签名文件
* server.crt < - 您获得的证书从可信任的CA
* server.key< - 与上述证书一起使用的私钥文件(保持安全)
* cert-chain.crt<
Files:
* company.mobileconfig <-- your .mobileconfig file you made
* signed.mobileconfig <-- the signed file that gets created after the command is done
* server.crt <-- your certificate which you got from a trusted CA
* server.key <-- your private key file which goes with the certificate above (keep safe)
* cert-chain.crt <-- whatever certificates are in the chain up to the top level CA that people trust
命令:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig
-signer server.crt -inkey server.key -certfile cert-chain.crt
-outform der -nodetach
这篇关于iOS mobileconfig walkarounds的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
