Introduction to the

This certificate is the one an MDM server needs in order to send push notifications to managed devices through APNs. It is a completely different certificate from an app's APNs push certificate, even though the two serve a similar purpose.

MDM has two roles, Vendor and Customer, that is, the service provider and the user of the service. If you have an Apple Developer Enterprise Program account (yes, the $299 one) you can be either Vendor or Customer. As a Vendor you obtain a certificate whose only job is to sign the Customer's certificate signing request (CSR).

If you are only a Customer and do not have the $299 account, a Vendor has to sign for you. You hand the Vendor your CSR, the Vendor returns the signed request as a plist_encoded file, and you upload that file to identity.apple.com/pushcert/. If the file is not well formed, the portal reports a format error; if it is accepted, the portal issues the push certificate (MDM_Certificate.pem) that is used for push.

Perform the following operations as a Vendor.

1. Enable the MDM service

A default enterprise developer account does not have the MDM vendor capability, so you have to apply for it and become a Vendor. Log in with your enterprise account and password, and you are prompted to fill in a form to apply for the service. Once you have submitted it there is nothing to do but wait. In my case there was no response a week after submitting, so I simply called Apple's customer support, which got it done in a minute. When the application is approved, an email notification is sent, and an MDM CSR option appears in the certificate creation flow of the Developer Center, as shown below:

2. Generate the MDM certificate

As a Vendor, start by generating the signing certificate, mdm.cer. The specific steps are as follows:

  • In Keychain Access, use Certificate Assistant to request a certificate from a certificate authority and save the request as mdm_vendor.certSigningRequest.

  • Export the matching private key from Keychain Access as mdm_vendor.p12. Remember the export password; it is needed when you sign.

  • Log in to the Developer Center, create an MDM CSR certificate from that request, and download it as mdm.cer. This is the certificate that signs the .csr file generated by the Customer.

#### As a Customer

  • Generate a customer.csr file in the terminal:

      # -des3 protects the key with a passphrase; you will be asked for it
      # again whenever the key is used (s_client, pkcs12 -export)
      openssl genrsa -des3 -out customerPrivateKey.pem 2048
      # answer the subject prompts; the resulting CSR is what the Vendor signs
      openssl req -new -key customerPrivateKey.pem -out customer.csr

    Or generate it in Keychain Access, save it with the .csr suffix, and export the private key as a .p12 file, remembering the password.

  • Submit the customer.csr file to the Vendor for signing.

#### Signing customer.csr

Two tools for signing customer.csr files circulate on the web: a Python script and a Java version from Softthinker. The Python script is used here.

With the Python script's original source, possibly because of the Python version on my Mac, the script could not download the two certificates it needs, AppleIncRootCertificate.cer and AppleWWDRCA.cer, which Apple publishes. So I changed the script to read those certificate files from the local directory after downloading them by hand.

As the script requires, convert mdm_vendor.p12 to mdm_vendor.key:

    # prompts for the .p12 import password, then for a passphrase for the new PEM key
    # (add -nodes to write the key unencrypted)
    openssl pkcs12 -in mdm_vendor.p12 -nocerts -out mdm_vendor.key

Then run the script in the terminal:

    python mdm_vendor_sign.py \
        --key mdm_vendor.key \
        --csr customer.csr \
        --mdm mdm.cer \
        --root AppleIncRootCertificate.cer \
        --WWDR AppleWWDRCA.cer

A signature file named plist_encoded appears in the directory. The execution result is shown below:

— — —

Screenshot of my working directory:

The Python file I used for signing has been modified from the original source to make it easier to run.
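What the Vendor-side signing step actually produces, as an added example that is not the page's script, Apple's code, or the Softthinker tool. The plist key names (PushCertRequestCSR, PushCertCertificateChain, PushCertSignature), the SHA-1 RSA signature over the DER-encoded CSR and the base64 wrapping of the whole plist follow the commonly used mdm_vendor_sign.py as I understand it and should be treated as assumptions. A self-signed certificate stands in for the Apple-issued mdm.cer, the WWDR and Apple root certificates are left out of the chain, and every subject, file name and working directory is constructed so that the block runs offline:

```shell
#!/bin/sh
# Added example: Vendor-side signing of a Customer CSR into plist_encoded.
# ASSUMPTIONS: plist key names and SHA-1/RSA signature over the DER CSR follow
# the common mdm_vendor_sign.py; mdm.cer is a constructed self-signed stand-in
# (Apple issues the real one); WWDR/root certificates are omitted from the chain.
set -eu

WORK=$(mktemp -d)

# Customer side: private key and CSR. The page uses "genrsa -des3" (passphrase
# protected key); -nodes is used here only so the example runs without prompts.
make_customer_csr() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example MDM Customer/O=Example Org" \
        -keyout "$dir/customerPrivateKey.pem" -out "$dir/customer.csr" 2>/dev/null
}

# Constructed stand-in for the Vendor's Apple-issued mdm.cer and mdm_vendor.key.
make_vendor_stub() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Stand-in MDM Vendor (not Apple-issued)" \
        -keyout "$dir/mdm_vendor.key" -out "$dir/mdm.cer" 2>/dev/null
}

# Vendor side: sign the DER form of the CSR with the vendor key, wrap CSR,
# certificate chain and signature in a plist, base64 the plist -> plist_encoded.
vendor_sign() {
    dir=$1
    openssl req -in "$dir/customer.csr" -outform DER -out "$dir/customer.der"
    openssl dgst -sha1 -sign "$dir/mdm_vendor.key" \
        -out "$dir/customer.sig" "$dir/customer.der"
    csr_b64=$(openssl base64 -A -in "$dir/customer.der")
    sig_b64=$(openssl base64 -A -in "$dir/customer.sig")
    # Real chain: mdm.cer + AppleWWDRCA + AppleIncRootCertificate, all as PEM.
    chain=$(cat "$dir/mdm.cer")
    cat > "$dir/request.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PushCertRequestCSR</key>
  <string>$csr_b64</string>
  <key>PushCertCertificateChain</key>
  <string>$chain</string>
  <key>PushCertSignature</key>
  <string>$sig_b64</string>
</dict>
</plist>
EOF
    openssl base64 -A -in "$dir/request.plist" -out "$dir/plist_encoded"
}

# Check the signature verifies under the vendor certificate's public key; this is
# what the portal must be able to do with the chain it receives. Exit 0 = OK.
verify_vendor_signature() {
    dir=$1
    openssl x509 -in "$dir/mdm.cer" -pubkey -noout > "$dir/vendor_pub.pem"
    openssl dgst -sha1 -verify "$dir/vendor_pub.pem" \
        -signature "$dir/customer.sig" "$dir/customer.der" >/dev/null
}

# Decode plist_encoded (one long base64 line, so re-wrap it before decoding)
# and count the three expected keys; prints 3 for a well-formed request.
count_plist_keys() {
    fold -w 76 "$1" | openssl base64 -d | grep -c '<key>PushCert'
}

make_customer_csr "$WORK"
make_vendor_stub "$WORK"
vendor_sign "$WORK"
verify_vendor_signature "$WORK" && echo "vendor signature verifies against mdm.cer"
echo "PushCert keys in decoded plist: $(count_plist_keys "$WORK/plist_encoded")"
echo "plist_encoded written to $WORK/plist_encoded"
```

When the portal says "invalid file", decoding plist_encoded this way and checking that all three keys are present, that the CSR decodes with `openssl req -inform DER -noout -text`, and that the signature verifies against the first certificate of the chain narrows the fault down before you re-run the vendor script.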

Upload the generated plist_encoded file to identity.apple.com/pushcert/. If something is wrong with the file, the portal reports an invalid file; if all goes well, it issues the certificate we are after, MDM_Certificate.pem. This is the certificate the MDM server uses from now on to communicate with APNs.

3. Verify the MDM_Certificate.pem certificate and convert its format

Now that MDM_Certificate.pem has been obtained, is it actually correct? We can check in the terminal by opening a TLS connection to APNs with it as the client certificate:

    # you will be prompted for the customerPrivateKey.pem passphrase
    openssl s_client -connect gateway.push.apple.com:2195 -cert MDM_Certificate.pem -key customerPrivateKey.pem -debug -showcerts -status

If an error is printed, or the connection is closed right away, there is a problem with the certificate. If the session stays open waiting for input, the handshake succeeded and APNs accepted the client certificate: type anything, exit, and consider the certificate valid. Note that gateway.push.apple.com:2195 is the legacy binary APNs interface, which Apple switched off in March 2021; the same handshake check works against the HTTP/2 endpoint api.push.apple.com:443, which still accepts certificate-based authentication.

This is where almost every article on the Internet stops.

Double-click MDM_Certificate.pem to import it into Keychain Access and view the certificate details, as shown below:

The User ID field, com.apple.mgmt.External.*, is important: it is the value used as the Topic in the MDM payload of the .mobileconfig enrollment profile.

And then that is it, with some people saying you simply export it as a .p12. But why did my installation not offer a .p12 export at all? Keychain Access only exports a .p12 when it holds the certificate together with its private key, and this key was generated with openssl rather than in the keychain. Our back end is Java, which needs the PKCS#12 format, so one more format conversion is required.

In the terminal:

    # prompts for the customerPrivateKey.pem passphrase, then for an export password for the .p12
    openssl pkcs12 -export -in MDM_Certificate.pem -out MDM_Certificate.p12 -inkey customerPrivateKey.pem
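Inspecting and converting the push certificate, as an added example that is not from the page. Only Apple can issue MDM_Certificate.pem, so the block constructs a self-signed stand-in whose subject carries a made-up User ID (UID) in the com.apple.mgmt.External.* form, together with a matching key. The functions then pull the Topic out of the certificate, check that it is not about to expire, run the PKCS#12 export without prompts, and confirm the .p12 really holds both certificate and key. The UID value, password, subject and working directory are all constructed:

```shell
#!/bin/sh
# Added example: extract the MDM Topic from the push certificate, check expiry,
# and export/verify the PKCS#12 the back end needs.
# ASSUMPTION: a constructed self-signed certificate with a made-up UID stands in
# for the Apple-issued MDM_Certificate.pem; the password is an example value.
set -eu

WORK=$(mktemp -d)
STUB_UID="com.apple.mgmt.External.00000000-aaaa-bbbb-cccc-000000000000"

# Constructed stand-in for MDM_Certificate.pem + customerPrivateKey.pem
# (unencrypted key so the example runs without prompts).
make_stub_push_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/UID=$STUB_UID/CN=Stand-in MDM push certificate/C=US" \
        -keyout "$dir/customerPrivateKey.pem" -out "$dir/MDM_Certificate.pem" 2>/dev/null
}

# The Topic in the .mobileconfig MDM payload must equal the certificate's UID.
push_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's|.*UID *= *\(com\.apple\.mgmt\.External\.[^,/]*\).*|\1|p'
}

# Exit 0 if the certificate is still valid $2 days from now. APNs rejects an
# expired push certificate, so renew at identity.apple.com/pushcert before then.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Same export as the page's command, with the export password passed in
# instead of typed at the prompt.
to_pkcs12() {
    dir=$1; password=$2
    openssl pkcs12 -export -in "$dir/MDM_Certificate.pem" \
        -inkey "$dir/customerPrivateKey.pem" \
        -out "$dir/MDM_Certificate.p12" -passout "pass:$password"
}

# Confirm the .p12 carries both the certificate and the private key: that pairing
# is exactly what Keychain Access could not produce from the certificate alone.
p12_has_cert_and_key() {
    dir=$1; password=$2
    out=$(openssl pkcs12 -in "$dir/MDM_Certificate.p12" -nodes -passin "pass:$password")
    printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE' \
        && printf '%s\n' "$out" | grep -q 'PRIVATE KEY'
}

make_stub_push_cert "$WORK"
echo "Topic for the MDM payload: $(push_topic "$WORK/MDM_Certificate.pem")"
valid_for_days "$WORK/MDM_Certificate.pem" 30 && echo "certificate still valid in 30 days"
to_pkcs12 "$WORK" "example-password"
p12_has_cert_and_key "$WORK" "example-password" && echo "MDM_Certificate.p12 holds certificate and key"
```

With the real files, point the functions at MDM_Certificate.pem and customerPrivateKey.pem; because that key was created with -des3 you either answer the passphrase prompt or add -passin for it. If the back end's Java runtime or an older Keychain Access refuses the .p12, OpenSSL 3.x users can add -legacy to the pkcs12 -export command, which writes the older PBE algorithms those readers expect.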

4. The certificate for communicating with APNs, MDM_Certificate.p12, has been obtained.

After handing the certificate and its password over to our back-end team, one question remains: is this certificate completely different from the certificate an app uses for push? I feel they are two different things.