Creating 1 certificate for signing, 1 certificate for Encryption using OpenSSL :
NB. Assuming that the environment doesn’t contain Microsoft CA server. If you have Microsoft CA server please check this article: https://www-secure.symantec.com/connect/articles/ios-profile-security-how-sign-and-encrypt-ios-configuration-profiles
- Please Note the files names & extensions while performing the below steps, mixing the files up might cause the implementation to fail.
Introduction
Signing Certificates ensure the integrity of configuration profiles by preventing tampering. They are created from a Root Certificate through a certificate authority.
Two Signing Certificates must be generated, one for iOS devices and one for any machine running Athena Services.
- Signing Certificate with Private and Public Keys- placed on any machine running Athena Services, allowing machines to sign configuration profiles before they are sent to iOS devices.
- Signing Certificate with Public Key- placed on all iOS devices, allowing devices to recognize and accept configuration profiles signed using the Signing Certificate with Private and Public Keys.
Encryption Certificates ensure that information inside of configuration profiles cannot be read by a third-party, and must be used in conjunction with Signing Certificates. Encryption Certificates are created from a Root Certificate through a certificate authority. Two Encryption Certificates must be generated, one for iOS devices and one for any machine running Athena Services.
- Encryption Certificate with Private and Public Keys- placed on all iOS devices, allowing devices to decrypt and install configuration profiles encrypted using the Encryption Certificate with Public Key.
- Encryption Certificate with Public Key- placed on any machine running Athena Services, allowing machines to encrypt configuration profiles before they are sent to iOS devices.
Get OpenSSL for windows from this link: http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-setup.exe
After the installation create a folder called “mms” on C drive to store the created certificates.
Creating certificates:
Create a CA certificate
openssl genrsa -des3 -out c:\mms\ca.key 4096
openssl req -new -x509 -days 3650 -key c:\mms\ca.key -out c:\mms\ca.crt -config file -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"
Converting the CA certificate to DER
openssl x509 -outform der -in c:\mms\ca.crt -out C:\mms\CA.der
Creating a signing certificate
openssl genrsa -des3 -out C:\mms\sign.key 4096
openssl req -new -key C:\mms\sign.key -out C:\mms\sign.csr -config file -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"
openssl x509 -req -days 365 -in C:\mms\sign.csr -CA C:\mms\ca.crt -CAkey C:\mms\ca.key -set_serial 01 -out C:\mms\sign.crt
Creating an encryption certificate
openssl genrsa -des3 -out C:\mms\encrypt.key 4096
openssl req -new -key C:\mms\encrypt.key -out C:\mms\encrypt.csr -config file -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"
openssl x509 -req -days 365 -in C:\mms\encrypt.csr -CA C:\mms\ca.crt -CAkey C:\mms\ca.key -set_serial 01 -out C:\mms\encrypt.crt
Export the signing Certificate for installing on MDM servers
openssl pkcs12 -export -out C:\mms\sign.pfx -inkey C:\mms\sign.key -in C:\mms\sign.crt
Export the encryption Certificate with its key for deployment on iOS
N.B. A passphrase has to be used for the device to accept the certificate.
openssl pkcs12 -export -out C:\mms\encrypt.p12 -inkey C:\mms\encrypt.key -in C:\mms\encrypt.crt
Importing Signing, encryption and CA certificates on all MDM servers
- Open MMC certificates console
- Under "Personal", "Certificates" , right click > All tasks > Import
- Browse to import the following 3 Certificates (encrypt.crt, Sign.pfx & ca.crt) NB. You need to enter the password set previously for “sign.pfx”
Configuring Mobile Management Solution
- Open MMC certificates console
- Under "Personal", "Certificates" Double click the created signing certificate, go to details tab, scroll down to the thumbprint, copy the Thumbprint.
- Under "Personal", "Certificates" Double click the created encryption certificate, go to details tab, scroll down to the thumbprint, copy the Thumbprint.
Adding the certificated to payloads.
- Open Symantec console Home-> Mobile management-> Device Management-> Configuration Editor, click on "Credentials", on the right pane click the STAR, select Certificate, and choose the certificates exported earlier (CA.crt). Type a description. then save.
- Perform the same for (encrypt.pfx & sign.crt) NB. For (encrypt.pfx) use the same passphrase set during the export.
Mobile management user guide 7.2 P.54
1. In the Symantec Management Console, click Home > Mobile Management.
2. In the left pane, expand Settings and click Mobile Management Server settings.
3. In the Mobile Management Server Settings pane, click Profile Security.
4. Enter one or more of any of the following settings:
■ Profile Signing CertThumbprint - The thumbprint of the certificate that is used for signing the Mobile Management server personal store.
Configuring Mobile Management
Configuring profile security settings
■ Profile Encryption Cert Thumbprint - The thumbprint of the certificate that is used for encryption on the Mobile Management server personal store.
■ Device Decryption Cert Config - The credential payload that contains a certificate that is placed on devices for decryption.
■ Device Signing Validation Cert Config - The credential payload that contains a certificate that is placed on devices to validate signing.
■ Device Signing/Encryption Root Cert Config - The credential payload that contains a root certificate that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.
5. Click Save changes.
Now Signing and Encryption is configured, next step is:
- Open the “Mobile Configuration Policies”, from Symantec console, Manage > Policies > Mobile Configuration Policies.
- Tick (Sign configuration profile to device ) and (Encrypt configuration profile to device )