Insert pkcs12 to mobileconfig file




How do I insert a .p12 file in a .mobileconfig file?





Apple configuration utility currently performs some unknown transformation/encoding on the .p12 file while inserting it in .mobileconfig (It is just an XML file).





I want to create this .mobileconfig file without using the Apple iPhone configuration utility by directly creating an XML file.



Thanks




5 Answers



One way to accomplish this is base64 encoding the PKCS#12 file. This, for instance, works with PHP:


openssl_pkcs12_export( $strCertPEM, $strCertPkcs12, $resKey, $strCertPW );
// Split the base64 text into 52-character lines for the <data> element
$arrCertBase64 = str_split( base64_encode($strCertPkcs12), 52);
$xmlUserCertPlist = plistVar('PayloadContent',$arrCertBase64,'data');

function plistVar($key,$var,$type)
{
    //...snip...
    if ( $type == 'data' ) return plistData($key,$var);
    //...snip...
}

// Emit <key>/<data> with one base64 line per row
function plistData($key,$arr)
{
    //...snip...
    $xml = "<key>". $key ."</key>\n";
    $xml .= "<data>\n";
    foreach ($arr as $val) { $xml .= $val."\n"; }
    $xml .= "</data>\n";
    return $xml;
}



If you want to insert the .p12 file inside the iPhone configuration file, you just have to select the credential tab in the iPhone configuration utility for the selected configuration file. When you configure it, it will ask for the .p12 file to attach to the .mobileconfig file.



I have a configuration file created using the iPhone configuration utility. The following will change when you attach the .p12 file to your configuration file.



The following dictionary will get attached to the xml file after the creation of the .mobileconfig file




<dict>
<key>Password</key>
<string>password_value</string>
<key>PayloadCertificateFileName</key>
<string>certificate_name.p12</string>
<key>PayloadContent</key>
<data>
//converted data from the certificate
</data>
<key>PayloadDescription</key>
<string>Provides device authentication (certificate or identity).</string>
<key>PayloadDisplayName</key>
<string>Certificate_name.p12</string>
<key>PayloadIdentifier</key>
<string>company.Identifier</string>
<key>PayloadOrganization</key>
<string>Company name</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>UUId of the device</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>





Oops, Sorry I didn't ask my question properly. What I actually want to do is create this .mobileconfig file without using the Apple iPhone configuration utility.
– Elison Niven
Mar 1 '12 at 11:42





@ElisonNiven Check the edited code; maybe it will help you.
– Anil Kothari
Mar 1 '12 at 12:32





Yes, I know about the other fields, How do I get the value for <key> PayloadContent? It is not simple base64 of the pkcs12 file.
– Elison Niven
Mar 1 '12 at 13:32



In addition to steps mentioned by Anil, read binary data from pkcs12 certificate and then
encode it using base64 encoding. You can put that data in the xml mentioned by Anil.


<data>base64 encoded data
</data>





What do you exactly mean by read binary data from pkcs12 file?
– Elison Niven
Mar 1 '12 at 13:33





I assumed that you are using some code to generate the xml file. So I mean read pkcs12 file programmatically and then base64 encode it before putting it into xml.
– Nilesh
Mar 1 '12 at 13:35





Yes, but the output is not the same as that generated by ACPU
– Elison Niven
Mar 1 '12 at 14:02





Can you provide some more details about the issue? Are you sure there is no issue with your encoding?
– Nilesh
Mar 2 '12 at 5:18





I am trying to create a VPN profile that contains 2 certificates, 1 for the CA and 1 for the user. I created this profile using ACPU. The CA certificate PayloadContent in the profile created by ACPU is equal to a simple cat ca.crt. I am not able to get how ACPU puts the PayloadContent for the user's certificate. I did base64 encoding using openssl but it does not match. I am pretty sure there are no issues with my encoding.
– Elison Niven
Mar 2 '12 at 6:23





I happen to be working through this right now in my current position, deploying scripts to generate n.mobileconfig files for Mac OS workstations.



It helps to reference the official Apple documentation on 802.1X Authentication, as they do provide an XML template and notes about it.
Also, referenced in many other places is mactls.sh. I used that template to generate my mobileconfigs.



To get the base64 content of the pkcs12 file, cat the existing pkcs12 file into openssl:


B64PK12=$(cat "${PK12}" | openssl enc -base64);



Use that variable to interpolate into your XML, provided you are using templates for your mobileconfig files.



I was including both RADIUS CA and the decrypted PKCS12 file contents initially, with only the CA being imported, despite it not being base64 encoded. After base64 encoding both the CA and the pkcs12 contents, both were then added to the specified Keychain.



Hope this helps.
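Added example, not code from any of the answers: the same profile built with Python's plistlib, which serialises a bytes value as `<data>` with base64 of the raw file, plus a check that base64 wrapped at different column widths (52 as in the PHP answer, 64 as an assumed alternative) decodes to identical bytes, so two profiles are best compared by decoded PayloadContent rather than by text. The identifiers, file name, password and sample bytes are constructed placeholders.

```python
import base64
import plistlib
import uuid

SAMPLE_P12 = bytes(range(256)) * 3  # constructed stand-in, not a real PKCS#12


def pkcs12_payload(p12_bytes, filename, identifier, password=None):
    """Payload dict using the keys shown in the answers on this page."""
    payload = {
        "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": filename,
        "PayloadCertificateFileName": filename,
        # plistlib writes a bytes value as <data> holding base64 of the raw file
        "PayloadContent": p12_bytes,
    }
    if password is not None:
        payload["Password"] = password  # plain <string>, readable in the file
    return payload


def build_profile(payloads, identifier, display_name):
    """Wrap payloads in the top-level Configuration dict; return XML bytes."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    }, fmt=plistlib.FMT_XML)


def embedded_p12(profile_xml, index=0):
    """Decoded PKCS#12 bytes of payload `index` in a profile."""
    return plistlib.loads(profile_xml)["PayloadContent"][index]["PayloadContent"]


def data_element(raw, width):
    """Hand-templated <data> element, base64 wrapped at `width` columns."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "<data>\n" + "\n".join(lines) + "\n</data>"


def decode_data_element(element):
    """Decode a lone <data> element with a plist parser."""
    return plistlib.loads(('<plist version="1.0">%s</plist>' % element).encode())
```

To embed a real identity, pass the bytes of the .p12 file read in binary mode; because the Password value sits in the profile as readable text, the resulting file needs the same protection as the key itself.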



You can use an apple script for creating a mobileconfig with the p12 inside. I've been able to do it and it works great. I'm afraid I can't share the code, but I can say it works.





