
iOS MDM vendor CSR signing

posted Dec 18, 2011, 11:04 PM by Softhinker Qin   [ updated Dec 22, 2011, 8:24 PM ]

On 3 October 2011, Apple announced that its Mobile Device Management (MDM) reference was available on the iOS Provisioning Portal. However, the sample code in the reference is fragmentary, especially in the 'MDM Vendor CSR Signing Overview' section, which covers generating the plist.

Softhinker has worked out the guideline below to help developers through the plist generation process:
- There are two roles involved in the entire process: vendor and customer.
- As a vendor:
  - Create a CSR using any toolkit, e.g. Keychain Access on a MacBook, then export the private key as 'vendor.p12'.
  - Log in to the Apple Member Center and go to 'iOS Provisioning Portal'.
  - Select 'Certificates' in the left navigation bar, and click the 'Other' tab in the center.
  - Follow the instructions on that page, and upload the CSR you created.
  - Your MDM vendor certificate will then be available on the 'Other' tab. Download it.
  - Run the openssl commands below to convert the MDM vendor certificate, the WWDR certificate, and the Apple root certificate to PEM format, one by one:
    openssl x509 -inform der -in mdm_identity.cer -out mdm.pem
    openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
    openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
- As a customer:
  - Create a CSR using any toolkit, e.g. openssl:
    openssl genrsa -des3 -out customerPrivateKey.pem 2048
    openssl req -new -key customerPrivateKey.pem -out customer.csr
  - Convert customer.csr to DER format:
    openssl req -inform pem -outform der -in customer.csr -out customer.der
- Then use the attached Java program to generate the encoded plist, and upload to
  - Remember to replace the placeholders in the package with your own files:
    customer.der, vendor.p12, mdm.pem, intermediate.pem, root.pem
  - Please note that the generated plist.xml is not the file to upload; plist_encoded is.
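
The plist generation step above, sketched with openssl as an added example; this is not the attached Java program. It assumes the vendor key has already been exported from vendor.p12 to a PEM file (here called vendor_key.pem, a name chosen for this example), and the three plist key names and the digest are assumptions to confirm against Apple's MDM reference.

```shell
#!/bin/sh
# Added example, not the attached Java program. Assumptions: the vendor key was
# exported to PEM first (openssl pkcs12 -in vendor.p12 -nocerts -out vendor_key.pem),
# and the plist key names and digest match Apple's MDM reference.

# make_push_plist CSR_DER VENDOR_KEY_PEM MDM_PEM INTERMEDIATE_PEM ROOT_PEM OUT_DIR [DIGEST]
make_push_plist() {
    csr=$1; key=$2; mdm=$3; inter=$4; root=$5; out=$6; digest=${7:-sha256}

    # The CSR must be DER; a PEM file here means the conversion step was skipped.
    openssl req -inform der -in "$csr" -noout 2>/dev/null ||
        { echo "error: $csr is not a DER-encoded CSR" >&2; return 1; }

    # The signing key must belong to the MDM vendor certificate placed in the chain.
    cert_pub=$(openssl x509 -in "$mdm" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "error: $key does not match $mdm" >&2; return 1; }

    # Sign the raw DER bytes of the customer CSR with the vendor key.
    sig=$(openssl dgst "-$digest" -sign "$key" "$csr" | openssl base64 -A)
    [ -n "$sig" ] || { echo "error: signing failed" >&2; return 1; }

    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n'
        printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        printf '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        printf '<plist version="1.0">\n<dict>\n'
        printf '<key>PushCertRequestCSR</key>\n<string>%s</string>\n' \
            "$(openssl base64 -A -in "$csr")"
        printf '<key>PushCertCertificateChain</key>\n<string>%s</string>\n' \
            "$(cat "$mdm" "$inter" "$root")"
        printf '<key>PushCertSignature</key>\n<string>%s</string>\n' "$sig"
        printf '</dict>\n</plist>\n'
    } > "$out/plist.xml"

    # plist_encoded (base64 of the whole plist) is the file to upload.
    openssl base64 -A -in "$out/plist.xml" -out "$out/plist_encoded"
}

# Direct use: sh make_plist.sh customer.der vendor_key.pem mdm.pem intermediate.pem root.pem .
if [ "$#" -ge 6 ]; then make_push_plist "$@"; fi
```

The two checks at the top catch the mistakes that otherwise only surface as a rejected upload: a CSR left in PEM form, and a vendor key that does not pair with mdm.pem.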

Currently, the iOS MDM Push Cert portal has a problem that causes every uploaded plist to be rejected with 'Invalid Certificate Signing Request'; a fix is supposed to be installed in January 2012.

Please like or +1 if you find it helpful. Thanks!
