iOS mobileconfig 演练 [英] iOS mobileconfig walkarounds
问题描述
我已经在相当多的网站上搜索了有关使用 mobileconfig 文件通过无线方式配置 iPhone 的任何信息,并停留在某个阶段......:/这是我发现的:http://cryptopath.wordpress.com/2010/01/29/iphone-证书-缺陷/但这部分超出了我的理解
i've searched quite few sites for any intel on configuring iPhone over the air with mobileconfig files, and stuck at some stage... :/ here is what I've found: http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/ but this part is beyond my comprehension
使用 openssl smime 和您从 Verisign 获得的 P12,签署mobileconfig 文件包括完整的 CA 链并将其放到公共 HTTP 服务器
Using openssl smime and the P12 you got from Verisign, sign the mobileconfig file including the complete CA chain and put it onto a public HTTP server
如果我理解正确的话,我要做的是:
1) 从 Verisign 获得证书(根据从 openssl 生成的 key.pem 和 request.pem 获得)
2) 在 iPhone 配置实用程序中创建 .mobileconfig 文件(我是否必须填写其中的所有设置,还是只有这个文件就足够了?)
3) 还有……这个 CA 链是什么?
If I understood correctly what I have to do is:
1)obtain a certificate from Verisign (got it based on key.pem and request.pem generated from openssl)
2)create .mobileconfig file in iPhone Configuration Utility (do I have to have all settings in it filled or it's enough to just have this file?)
3) and... what is this CA chain?
我也在这里找到了一些东西:http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
在这里,我也被这个连锁店的东西困住了……有没有人知道/知道,最好是像我这样的菜鸟的逐步解决方案?;)(最想要的显然是创建整个证书内容的解决方案,因为后面的教程非常简单)
also I have found stuff in here: http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
Here I'm also stuck with this chain stuff... does anybody have/know, preferably step-by-step solution for noobs like me? ;) (most wanted is obviously solution for creating whole certificate stuff, because later is pretty straigh-forward tutorial)
推荐答案
CA 链的基本概要:假设您有一个声称您是 example.com 的安全证书.但没有人会相信你.因此,您会得到人们信任的人的签名(在上面的示例中为 Verisign).现在,我相信您是 example.com,因为威瑞信通过签署您的证书为您担保.
A basic rundown of CA chains: Say you have a security certificate claiming that you are example.com. But no one is going to believe you. So you get that signed by someone that people do trust (Verisign in your example above). Now, I believe that you are example.com because Verisign is vouching for you by signing your certificate.
通常威瑞信不会使用他们的主要根"证书对其进行签名.相反,他们将使用二级 CA 对其进行签名,而该二级 CA 由我信任的根证书进行签名.
Usually Verisign will not sign it with their main "root" certificate. Instead, they will sign it with a second-level CA, and that second-level CA is signed by the root certificate which I trust.
这是一个证书链:您 (example.com) 由二级 CA 签名,该 CA 由根 CA 签名.
That's a certificate chain: You (example.com), are signed by a second-level CA, which is signed by a root CA.
因此,在给我您的证书时,您还需要提供整个链,以便我可以一直验证到顶部,看看我是否真的信任您.
So, when giving me your certificate, you also need to provide the whole chain so I can validate it all the way to the top and see if I actually trust you.
因此,以下命令获取您的 .mobileconfig 文件并使用您的证书对其进行签名.只要你提供整个链条,我就相信你的签名.
So, the following command takes your .mobileconfig file and signs it with your certificate. And I will trust your signature, so long as you provide the whole chain.
文件:
* company.mobileconfig <-- 您制作的 .mobileconfig 文件
* signed.mobileconfig <-- 在命令完成后创建的签名文件
* server.crt <--您从受信任的 CA 获得的证书
* server.key <--您的私钥文件与上面的证书一起使用(保持安全)
* cert-chain.crt <-- 链中的任何证书一直到人们信任的顶级 CA
Files:
* company.mobileconfig <-- your .mobileconfig file you made
* signed.mobileconfig <-- the signed file that gets created after the command is done
* server.crt <-- your certificate which you got from a trusted CA
* server.key <-- your private key file which goes with the certificate above (keep safe)
* cert-chain.crt <-- whatever certificates are in the chain up to the top level CA that people trust
命令:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig
-signer server.crt -inkey server.key -certfile cert-chain.crt
-outform der -nodetach
这篇关于iOS mobileconfig 演练的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
