Intranet Ad Hoc download solution for iOS 7.1

Source: Internet
Author: User

Recently, Apple released iOS 7.1. Every Apple release is said to affect developers, and this time it caused us a bit of trouble.

Put bluntly, Ad Hoc builds cannot be downloaded on iOS 7.1 because iOS 7.1 does not accept a manifest that is served without SSL. This means the plist URL must change from http to https:

itms-services://?action=download-manifest&url=http://domain.com/app.plist
==> change to
itms-services://?action=download-manifest&url=https://domain.com/app.plist

It looks like a small change, but if, like me, you run Apache on the LAN with some PHP code that automatically publishes uploaded packages for testers to download, it is a bit more trouble. Some people on the Internet use Dropbox. That solution does work, but we are on an intranet where Dropbox cannot be reached, so the only option is to make our own web server support https.

Some of you may say that you have tried a self-signed certificate for https and it still does not work. This can be solved too; see the end of the article.

HTTPS support in Apache2

I use CentOS 6 and the Apache2 server. If your environment is different, you can still use this as a reference; at the least you will understand the approach.

1. First, Apache needs mod_ssl. If it is not installed, installing it is easy:

yum install mod_ssl

On other systems, use the corresponding installation method.

2. Generate a self-signed CA certificate and a server certificate

2.1 Use openssl to create the CA key, choosing the RSA asymmetric algorithm and des3 symmetric encryption to protect it:

openssl genrsa -des3 -out my-ca.key 2048

This generates a 2048-bit key stored in the file my-ca.key. You will be asked to set a password for the file; the password is needed later whenever the file is used.

2.2 Then sign the certificate using the x509 standard:

openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

This step generates the CA certificate file my-ca.crt, valid for 10 years. The process asks you for some basic information, such as country, city, company name and website name; because the certificate is self-signed, you can fill in anything.

2.3 You can view the certificate with the following command (optional):

openssl x509 -in my-ca.crt -text -noout

2.4 Now that you have a CA certificate, you can use it to issue an SSL certificate for the website. As with the CA certificate, first generate a key pair for the server:

openssl genrsa -des3 -out mars-server.key 2048

2.5 Generate a CSR (certificate signing request) file from the key mars-server.key:

openssl req -new -key mars-server.key -out mars-server.csr

When you run this command, enter the basic information. Note that the Common Name must be the same as your domain name; otherwise the client browser cannot verify the domain name. Here I entered the LAN IP address, for example 10.21.122.22. If the IP address of your LAN host changes, you need to issue a new certificate, so we recommend giving the host a fixed IP address directly on the router or switch.

2.6 Use the CA certificate to sign the server certificate:

openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650

We now have all the certificates we need. What remains is to deploy them to Apache.
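Steps 2.1 to 2.6 run without prompts and then checked, as an added example that is not part of the original article. It assumes a POSIX shell and the openssl CLI; it differs from the commands above by leaving the keys unencrypted, signing with -sha256 instead of -sha1, and adding the IP address as a subjectAltName, which current TLS clients match instead of the Common Name. The function names and the CA subject are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the article: steps 2.1-2.6 without prompts, plus checks.
# Keys are left unencrypted so it runs unattended; the CA subject is a placeholder.

make_certs() {  # make_certs <ip> <dir>
    ip="$1"; d="$2"
    # 2.1-2.2: CA key and self-signed CA certificate.
    openssl genrsa -out "$d/my-ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 -sha256 -key "$d/my-ca.key" \
        -subj "/O=Example Intranet/CN=Example Intranet CA" \
        -out "$d/my-ca.crt" || return 1
    # 2.4-2.5: server key and CSR; the Common Name is the LAN IP, as in the article.
    openssl genrsa -out "$d/mars-server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/mars-server.key" -subj "/CN=$ip" \
        -out "$d/mars-server.csr" || return 1
    # 2.6: sign with the CA; the extension file adds the IP as a subjectAltName.
    printf 'subjectAltName = IP:%s\n' "$ip" > "$d/san.ext" || return 1
    openssl x509 -req -in "$d/mars-server.csr" -out "$d/mars-server.crt" -sha256 \
        -CA "$d/my-ca.crt" -CAkey "$d/my-ca.key" -CAcreateserial -days 3650 \
        -extfile "$d/san.ext" 2>/dev/null
}

check_certs() {  # check_certs <ip> <dir>; returns 0 only if every check passes
    ip="$1"; d="$2"
    # The server certificate must chain to our CA.
    openssl verify -CAfile "$d/my-ca.crt" "$d/mars-server.crt" >/dev/null 2>&1 || return 1
    # Certificate and private key must carry the same public key.
    cert_pub="$(openssl x509 -in "$d/mars-server.crt" -noout -pubkey | openssl sha256)"
    key_pub="$(openssl pkey -in "$d/mars-server.key" -pubout | openssl sha256)"
    [ "$cert_pub" = "$key_pub" ] || return 1
    # The address clients connect to must be listed in the subjectAltName.
    openssl x509 -in "$d/mars-server.crt" -noout -text |
        grep -Eq "IP Address:${ip}([^0-9.]|\$)"
}

# Stand-alone use: sh make-certs.sh 10.21.122.22 ./ssl
if [ "$#" -eq 2 ]; then
    mkdir -p "$2" && make_certs "$1" "$2" && check_certs "$1" "$2" && echo "certificates OK"
fi
```

Running check_certs again after the host's IP address changes shows at once that the certificate has to be reissued.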
3. Deploy to Apache

3.1 Create a directory for the certificate files, for example /etc/apache2/ssl, and put three files in it: my-ca.crt, mars-server.crt and mars-server.key.

3.2 You probably set a password on mars-server.key when generating it. If you deploy the file as is, you have to enter that password every time Apache starts. Apache normally starts automatically at boot, and starting it by hand is too much trouble, so you can convert the file to a copy without a password:

cd /etc/apache2/ssl
openssl rsa -in mars-server.key -out mars-server.key.insecure

3.3 Modify Apache's SSL configuration. On CentOS, for example, it is in /etc/httpd/conf.d/ssl.conf. Change the following four options to point to the generated files:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/mars-server.crt
SSLCertificateKeyFile /etc/apache2/ssl/mars-server.key.insecure
SSLCACertificateFile /etc/apache2/ssl/my-ca.crt

3.4 Restart the Apache server:

apachectl stop
apachectl start
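A check for the key file that step 3.2 leaves without a password, as an added example that is not part of the original article: once the password is gone, file permissions are the only protection the key has. It assumes Linux with GNU stat; audit_ssl_conf and key_is_encrypted are names made up here.

```shell
#!/bin/sh
# Added example, not from the article: audit the key file(s) named in an Apache
# SSL config. Assumes GNU stat (Linux); the function names are made up.

key_is_encrypted() {  # returns 0 if the PEM key is password-protected
    # Traditional PEM marks encryption with "Proc-Type: 4,ENCRYPTED";
    # PKCS#8 uses a "BEGIN ENCRYPTED PRIVATE KEY" header.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

audit_ssl_conf() {  # prints one line per result; returns 1 on MISSING or PERMS
    conf="$1"; findings=0
    # Argument of every active (uncommented) SSLCertificateKeyFile directive.
    keys="$(awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$conf")"
    for key in $keys; do
        if [ ! -f "$key" ]; then
            echo "MISSING $key"; findings=$((findings + 1)); continue
        fi
        mode="$(stat -c %a "$key")"
        # Any group or other permission bit on a private key is a finding.
        case "$mode" in
            *00) ;;
            *) echo "PERMS $key has mode $mode (group/other bits set)"
               findings=$((findings + 1)) ;;
        esac
        # Informational: a key stored without a password, as step 3.2 produces.
        key_is_encrypted "$key" || echo "NOTE $key is stored without a password"
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit-key.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -eq 1 ]; then audit_ssl_conf "$1"; fi
```

For the configuration in step 3.3, `chmod 600 /etc/apache2/ssl/mars-server.key.insecure` with root as the owner clears a PERMS finding.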

Now the self-signed https service is ready. Open https://localhost/ in a browser and the browser shows a red warning. After you add trust for the certificate, you can continue to the site.

Let users install the crt certificate themselves

We are not done yet. The CA certificate was created by us, and our root certificate is not on the phone, so the site still cannot be opened in mobile Safari. How do we solve this? The solution is simple: have the user download and install the certificate first.

On the server, copy the CA certificate file my-ca.crt to a path the web server can serve, such as the root directory of the website, and add a download link for the certificate to your home page so that it can be downloaded and installed on the phone. Add the HTML tag to the home page:

Install the certificate before downloading it.

Click OK here.
