iOS MDM profile signing, which certificate to use?

Problem description

OK, so take a look at this diagram.

There are two little boxes, that signify how a given profile should be signed.

In Phase 2, step 1, it says "Apple issued certificate", but it doesn't say which apple issued certificate (they issue more than one). I have tried my developer certificate and the MDM (APNS) certificate. It wasn't one of those. Is there a third magic certificate I somehow need (and how do I get it)?

In Phase 3, step 2, it says "Identity certificate", but again it's a little sketchy on the details. The only identity certificate I know of is installed on the device, using the device's private key, how is the server supposed to use that to sign a profile?

The only way I've gotten this to work, is by creating my own self-signed certificate, and pre-installing it on the device. Obviously this is not an elegant or particularly secure way to do things.

Follow-up questions

My server certificate is issued by "DigiCert High Assurance EV Root CA" and is on the list: http://support.apple.com/kb/ht5012, but iOS 6 devices consider it "untrusted" when signing profiles, but just fine for SSL, which is weird. iOS 5 devices are fine though. Any idea why?

I don't really understand the encryption bit either. From the MDM documentation: "Each device must have a unique client identity certificate. You may deliver these certificates as PKCS#12 containers, or via SCEP. Using SCEP is recommended because the protocol ensures that the private key for the identity exists only on the device."

While I agree it is ultimately more secure that only the device itself knows its private key, it's somewhat problematic as a 2048-bit public key can only be used to encrypt about 100 bytes of data, which isn't enough for even the smallest possible payload.

Recommended answer

First, Phase 2 and Phase 3.

In Phase 2, step 1, the iOS device will send to the server a response which is signed by the device certificate/key (each device comes with a preinstalled certificate/key which is different for each device). These on-device certificates/keys are issued by Apple.

On the server side, you should verify it using the Apple Root Certificate.

In Phase 2, steps 1-3, your profile service will send a SCEP request. This SCEP request contains information to let the device know which SCEP server it should talk to. This SCEP server is your server. So, the device will talk to this SCEP server and will request a new identity certificate from it.

In Phase 3, step 2, the device response will be signed with the certificate/key of this identity certificate. And now you should verify it with your Certificate Authority root certificate. (One more note: the SCEP server in Phase 2 is kind of a proxy to your Certificate Authority.)

Now, to answer your question: MDM profile signing, which certificate to use?

An MDM profile can be encrypted and/or signed.

If you want to encrypt it, you encrypt it using the identity certificate associated with this device. So, the device, which has the key for this identity, can decrypt it.

If you want to sign it, you sign it with your server key. The device should have the server certificate installed, so it can verify the signature.

BTW. On this subject. One thing which isn't shown on this diagram, but usually is required: the first step (before this whole enrollment) is usually installation of the server certificate (for future profile signature verification). Potentially, you can skip this step if your server certificate is issued by a well-known CA (for example Verisign or something like that).

Let me know if you have any follow-up questions. It took me a while to understand this whole OTA/MDM enrollment.

Update 1

I don't know why iOS 6 treats your certificate as untrusted for signing. I didn't work with certificates which were signed by well-known CAs.

I have only one guess. It could be that between iOS 5 and iOS 6 they changed something regarding the keychain. Generally speaking, each app has its own keychain. And all well-known certificates, I believe, should be stored in the Mobile Safari keychain. It could be that MDM/Preferences shared this keychain with MobileSafari in iOS 5 and now they don't share it. In such a case, you will have to install this "DigiCert High Assurance EV Root CA" through a profile (to put it in the correct keychain). However, it's a wild guess.

Regarding encryption. First of all, you are right: if each device has its own private key, it's way more secure. In such a case, if anybody steals a profile they won't be able to decrypt it (because only the device has the private key to do so). This is especially critical if you are sending down profiles which are sensitive (for example, an email account with both user name and password).

Any key (of any length) can encrypt data of any length. All encryption algorithms are designed in such a way that you can use the same key to encrypt any amount of data.

Asymmetric algorithms (like RSA) are rarely used to encrypt data directly. In most cases, such an algorithm is used to encrypt a key for a symmetric algorithm (for example AES), and all following encryption/decryption is done using AES. There are two reasons for that: performance (AES is faster than RSA) and resources (AES is less resource hungry than RSA).

So, as a result, if you need to encrypt a profile you use PKCS7, which internally uses RSA, AES (or other algorithms). Usually, you have a library to do this (OpenSSL or BouncyCastle). So, you don't have to figure out all these complexities.

BTW. If you have questions which aren't a good fit for SO, you are welcome to contact me directly (my contact info is in my profile).
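As an added example (not code from the original question or answer), the sign/verify and encrypt/decrypt steps the answer describes, done with the openssl CLI. Every certificate, name and the profile here are constructed for the demo: the self-signed server and device certificates stand in for a CA-issued server certificate and a SCEP-issued device identity.

```shell
#!/bin/sh
# Added example, not code from the original post: round-trips a profile through
# PKCS#7 with the openssl CLI as the answer describes. Signing uses the server
# key, verified against the server cert; encryption envelopes the profile to the
# device identity cert (openssl makes a fresh AES-256 content key and RSA-wraps
# only that key, so the RSA size limit never applies to the payload). Every cert
# and the profile are constructed for the demo; real identities come via SCEP.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert() {  # make_cert <name> <CN>: constructed self-signed key and cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

write_profile() {  # constructed stand-in for a real .mobileconfig plist
    printf '<plist version="1.0"><dict><key>PayloadType</key><string>Configuration</string></dict></plist>\n' \
        > "$WORK/profile.mobileconfig"
}

# Sign with the server key, then verify as the device would, trusting only the
# server certificate. Returns 0 when the verified content equals the input.
sign_and_verify() {
    openssl smime -sign -binary -nodetach -outform DER -in "$WORK/profile.mobileconfig" \
        -signer "$WORK/server.crt" -inkey "$WORK/server.key" -out "$WORK/signed.p7" >/dev/null 2>&1 || return 1
    openssl smime -verify -inform DER -in "$WORK/signed.p7" -CAfile "$WORK/server.crt" \
        -out "$WORK/verified.mobileconfig" >/dev/null 2>&1 || return 1
    cmp -s "$WORK/profile.mobileconfig" "$WORK/verified.mobileconfig"
}

# Envelope the profile to one device identity, then decrypt with that device's
# private key. Returns 0 when the decrypted content equals the input.
encrypt_and_decrypt() {
    openssl smime -encrypt -aes256 -binary -outform DER -in "$WORK/profile.mobileconfig" \
        -out "$WORK/enc.p7" "$WORK/device.crt" >/dev/null 2>&1 || return 1
    openssl smime -decrypt -inform DER -in "$WORK/enc.p7" -recip "$WORK/device.crt" \
        -inkey "$WORK/device.key" -out "$WORK/dec.mobileconfig" >/dev/null 2>&1 || return 1
    cmp -s "$WORK/profile.mobileconfig" "$WORK/dec.mobileconfig"
}

other_device_cannot_decrypt() {  # a second identity must not open the envelope
    ! openssl smime -decrypt -inform DER -in "$WORK/enc.p7" -recip "$WORK/other.crt" \
        -inkey "$WORK/other.key" -out /dev/null >/dev/null 2>&1
}
run_demo() {  # returns 0 only if every step behaves as expected
    make_cert server mdm.example.test && make_cert device device-0001 &&
        make_cert other device-0002 && write_profile &&
        sign_and_verify && encrypt_and_decrypt && other_device_cannot_decrypt
}
```

Checking a device's signed Phase 2 response is the same `openssl smime -verify` step with the Apple Root Certificate as the CA file, as the answer describes.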
