
iOS Profile Security: How to Sign and Encrypt iOS Configuration Profiles Using OpenSSL

Created: 09 Aug 2012 • Updated: 07 Nov 2012
Author: Mina Gerges

Creating one certificate for signing and one certificate for encryption using OpenSSL:

NB. This article assumes the environment does not contain a Microsoft CA server. If you have a Microsoft CA server, please check this article instead: https://www-secure.symantec.com/connect/articles/ios-profile-security-how-sign-and-encrypt-ios-configuration-profiles

 

  • Note the file names and extensions carefully while performing the steps below; mixing the files up will cause the implementation to fail.

Introduction

Signing certificates protect the integrity of configuration profiles: a device can detect any change made to a signed profile after it left the server and will refuse to install it. They are issued from a root certificate by a certificate authority.

One signing certificate is generated and deployed in two forms, one for the machines running Athena Services and one for the iOS devices:

  • Signing certificate with private and public keys (sign.pfx below) - placed on every machine running Athena Services, allowing those machines to sign configuration profiles before they are sent to iOS devices.
  • Signing certificate with public key only (sign.crt below) - placed on all iOS devices, allowing devices to verify and accept configuration profiles signed with the matching private key.
     

Encryption certificates ensure that the contents of a configuration profile cannot be read by a third party in transit. Encryption gives confidentiality only, not integrity, so it must be used together with signing certificates. Encryption certificates are issued from a root certificate by a certificate authority. One encryption certificate is generated and deployed in two forms, one for the iOS devices and one for the machines running Athena Services:

  • Encryption certificate with private and public keys (encrypt.p12 below) - placed on all iOS devices, allowing devices to decrypt and install configuration profiles encrypted to the public key. Because this file carries the private key, it must reach the device over a trusted channel and be protected with a strong passphrase.
  • Encryption certificate with public key only (encrypt.crt below) - placed on every machine running Athena Services, allowing those machines to encrypt configuration profiles before they are sent to iOS devices.

 


 

Get OpenSSL for Windows from this link: http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-setup.exe

Note that 0.9.8h is the build this article was written against; the 0.9.8 branch is long out of support, and the commands below use only options that current OpenSSL releases still accept, so any recent build can be used instead.

After the installation, create a folder called “mms” on the C: drive to store the certificates that will be created.

Creating certificates:

Create a CA certificate

openssl genrsa -des3 -out c:\mms\ca.key 4096

You will be prompted for a passphrase for ca.key; it is needed again whenever the CA key signs a request below.

openssl req -new -x509 -days 3650 -key c:\mms\ca.key -out c:\mms\ca.crt -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"

Converting the CA certificate to DER

openssl x509 -outform der -in c:\mms\ca.crt -out C:\mms\CA.der

Creating a signing certificate

openssl genrsa -des3 -out C:\mms\sign.key 4096

openssl req -new -key C:\mms\sign.key -out C:\mms\sign.csr -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"

openssl x509 -req -days 365 -in C:\mms\sign.csr -CA C:\mms\ca.crt -CAkey C:\mms\ca.key -set_serial 01 -out C:\mms\sign.crt

Creating an encryption certificate

openssl genrsa -des3 -out C:\mms\encrypt.key 4096

openssl req -new -key C:\mms\encrypt.key -out C:\mms\encrypt.csr -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"

openssl x509 -req -days 365 -in C:\mms\encrypt.csr -CA C:\mms\ca.crt -CAkey C:\mms\ca.key -set_serial 02 -out C:\mms\encrypt.crt

The serial number must differ from the one given to sign.crt: a CA may not issue two certificates with the same serial number, and CMS (PKCS#7) identifies the signer of a profile and the recipient of an encrypted profile by issuer plus serial number, so two certificates from this CA both carrying serial 01 could not be told apart.

Export the signing Certificate for installing on MDM servers

openssl pkcs12 -export -out C:\mms\sign.pfx -inkey C:\mms\sign.key -in C:\mms\sign.crt

Export the encryption certificate with its private key for deployment on iOS
N.B. Set a passphrase when prompted; the device will not accept a .p12 without one, and the same passphrase is entered later when the file is added as a credential payload.

openssl pkcs12 -export -out C:\mms\encrypt.p12 -inkey C:\mms\encrypt.key -in C:\mms\encrypt.crt
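The script below is an added example and is not part of the original article or of the Symantec product. It reproduces the three-certificate setup above with a current OpenSSL (1.1.1 or later is assumed; the commands above target 0.9.8h) and then performs the operations that the article leaves to the MDM server and the device: it signs a profile as CMS/PKCS#7 SignedData, verifies it against the CA, encrypts it as CMS EnvelopedData to the encryption certificate, decrypts it, and shows that a single altered byte in a signed profile fails verification. It goes beyond the commands above in giving the two leaf certificates distinct serial numbers and key-usage bits, and it prints the colon-free SHA-1 fingerprints that correspond to the thumbprints pasted into the Mobile Management console later in this article. Subjects, passphrases, file names, the constructed sample .mobileconfig and the 2048-bit key size are demo choices; keys are left unencrypted in a temporary directory, whereas the article's -des3 keys would need -passin on every later command.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the article's PKI
# (CA, signing cert, encryption cert, PKCS#12 exports) with a current OpenSSL
# (1.1.1 or 3.x assumed) and then exercises the CMS/PKCS#7 operations the MDM
# server and the device perform on a profile. Subjects, passphrases, file names
# and the 2048-bit key size are demo choices; keys are left unencrypted here,
# whereas the article's -des3 keys would need -passin on every later command.
set -eu

issue_leaf() {   # dir name serial subject keyUsage -> CA-signed cert + key
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$4"
  printf '%s\n' "$5" > "$1/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial "$3" -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

build_profile_pki() {   # $1 = output directory
  mkdir -p "$1"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=ProfileDemo Root CA"
  # Distinct serials: CMS identifies the signer and the recipient by
  # issuer + serial number, so two certificates from one CA that both carry
  # serial 01 (as in the article's commands) cannot be told apart.
  # keyUsage pins each certificate to its one job.
  issue_leaf "$1" sign    02 "/CN=ProfileDemo Profile Signing"    "keyUsage=critical,digitalSignature"
  issue_leaf "$1" encrypt 03 "/CN=ProfileDemo Profile Encryption" "keyUsage=critical,keyEncipherment"
  # sign.pfx goes to the MDM server store; encrypt.p12 (passphrase required) to devices.
  openssl pkcs12 -export -out "$1/sign.pfx" -inkey "$1/sign.key" -in "$1/sign.crt" \
    -passout pass:server-secret
  openssl pkcs12 -export -out "$1/encrypt.p12" -inkey "$1/encrypt.key" -in "$1/encrypt.crt" \
    -passout pass:device-secret
}

thumbprint() {   # colon-free SHA-1 fingerprint: the value the MMC console shows as "Thumbprint"
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}
sign_profile() {      # profile signer-cert key out -> CMS SignedData, DER, content attached
  openssl smime -sign -binary -nodetach -outform der -in "$1" -signer "$2" -inkey "$3" -out "$4"
}
verify_profile() {    # signed ca-cert out -> non-zero exit if the signature or the chain fails
  openssl smime -verify -binary -inform der -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}
encrypt_profile() {   # plaintext recipient-cert out -> CMS EnvelopedData, DER, AES-256
  openssl smime -encrypt -binary -aes256 -outform der -in "$1" -out "$3" "$2"
}
decrypt_profile() {   # ciphertext recipient-cert key out
  openssl smime -decrypt -inform der -in "$1" -recip "$2" -inkey "$3" -out "$4"
}
same_bytes() {        # compare two files by SHA-256 digest
  [ "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" = "$(openssl dgst -sha256 -r "$2" | cut -d' ' -f1)" ]
}
corrupt_signed() {    # overwrite one byte of the attached plaintext (fallback: last byte of the signature)
  off=$(LC_ALL=C grep -boa 'PayloadDisplayName' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$off" ] || off=$(( $(wc -c < "$1") - 1 ))
  printf 'X' | dd of="$1" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

demo() {   # $1 = work dir; succeeds only if sign/verify, encrypt/decrypt and tamper detection behave
  d=$1; build_profile_pki "$d"
  cat > "$d/demo.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>ProfileDemo (constructed sample)</string>
  <key>PayloadIdentifier</key><string>com.example.profiledemo</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict></plist>
EOF
  sign_profile "$d/demo.mobileconfig" "$d/sign.crt" "$d/sign.key" "$d/demo.signed"
  verify_profile "$d/demo.signed" "$d/ca.crt" "$d/demo.verified"
  same_bytes "$d/demo.mobileconfig" "$d/demo.verified"
  encrypt_profile "$d/demo.mobileconfig" "$d/encrypt.crt" "$d/demo.enc"
  decrypt_profile "$d/demo.enc" "$d/encrypt.crt" "$d/encrypt.key" "$d/demo.dec"
  same_bytes "$d/demo.mobileconfig" "$d/demo.dec"
  cp "$d/demo.signed" "$d/demo.tampered"; corrupt_signed "$d/demo.tampered"
  if verify_profile "$d/demo.tampered" "$d/ca.crt" "$d/tampered.out"; then return 1; fi
  echo "Profile Signing Cert Thumbprint:    $(thumbprint "$d/sign.crt")"
  echo "Profile Encryption Cert Thumbprint: $(thumbprint "$d/encrypt.crt")"
}

demo "${1:-$(mktemp -d)}"
```

Run it with a POSIX sh (on Windows, Git Bash or WSL), optionally passing a working directory. Two caveats for real deployments: a real profile is not encrypted as a whole file; the MDM encrypts the serialized PayloadContent array and stores the EnvelopedData under EncryptedPayloadContent, but the CMS operation is the same one shown here. And OpenSSL 3 writes .p12 files with AES and PBKDF2 by default, which older devices may refuse to import; if that happens, re-export with the `-legacy` option of OpenSSL 3's pkcs12 command.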

 

Importing the signing, encryption and CA certificates on all MDM servers

  • Open the MMC Certificates console
  • Under "Personal", "Certificates", right-click > All Tasks > Import
  • Browse to and import the following three files: encrypt.crt, sign.pfx and ca.crt. NB. You need to enter the password set previously for sign.pfx. Only the public encryption certificate (encrypt.crt) goes on the server; the encryption private key (encrypt.p12) belongs on the devices alone.

Configuring Mobile Management Solution

  • Open MMC certificates console
  • Under "Personal", "Certificates", double-click the created signing certificate, go to the Details tab, scroll down to Thumbprint and copy the thumbprint.
  • Under "Personal", "Certificates", double-click the created encryption certificate, go to the Details tab, scroll down to Thumbprint and copy the thumbprint.

Adding the certificates to payloads.

  • Open the Symantec console: Home > Mobile Management > Device Management > Configuration Editor, click "Credentials", on the right pane click the star icon, select Certificate, and choose the CA certificate exported earlier (ca.crt). Type a description, then save.
  • Repeat for encrypt.p12 and sign.crt. NB. For encrypt.p12 use the same passphrase set during the export.

 

The following is taken from the Mobile Management 7.2 user guide, p. 54 ("Configuring profile security settings"):

1. In the Symantec Management Console, click Home > Mobile Management.

2. In the left pane, expand Settings and click Mobile Management Server settings.

3. In the Mobile Management Server Settings pane, click Profile Security.

4. Enter one or more of the following settings:

   ■ Profile Signing Cert Thumbprint - The thumbprint of the certificate in the Mobile Management server's personal store that is used for signing.

   ■ Profile Encryption Cert Thumbprint - The thumbprint of the certificate in the Mobile Management server's personal store that is used for encryption.

   ■ Device Decryption Cert Config - The credential payload that contains a certificate that is placed on devices for decryption.

   ■ Device Signing Validation Cert Config - The credential payload that contains a certificate that is placed on devices to validate signing.

   ■ Device Signing/Encryption Root Cert Config - The credential payload that contains a root certificate that is placed on devices to complete the certificate chain for the decryption and signing validation certificates.

5. Click Save changes.

Now that signing and encryption are configured, the next step is:

  • Open "Mobile Configuration Policies" from the Symantec console: Manage > Policies > Mobile Configuration Policies.
  • Tick "Sign configuration profile to device" and "Encrypt configuration profile to device".