MDM Certificate request process (vendor and customer)

Source: Internet
Author: User
Tags openssl x509

The whole process is divided into two parts: vendor and customer.

Part 1: Vendor

1. Become an MDM Vendor

1) First you need to have an Apple Enterprise account ($299/year).

2) Visit https://developer.apple.com/contact/submit.php. Here you can apply to become an MDM vendor.

Apple promises to process the request within one business day. Once it is processed, a notification email is sent to your mailbox with links to some MDM-related documentation.

The actual time may be slightly longer than this. In the author's case, the email reply from Apple Asia arrived after a half-day.

Once the request is approved, an "MDM CSR" option is available under Add Certificate in the portal.

2. Create a certificate request

Open Keychain Access. Create a CSR by choosing "Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority". Save this CSR to disk. Remember what you enter in the "Common Name" field: it is used as the name of the private key. When you create a CSR, a private key is created at the same time, and the private key is shown in the keychain under that Common Name.

3. Export the private key

In the keychain, select the private key that was created together with the CSR and export it as a vendor.p12 file.

When you export, you are asked to set a password for the private key. Remember this password.

Note that if you use mdm_vendor_sign.py to sign a customer's CSR, you need to export the private key to PEM format (.key file):

openssl pkcs12 -in vendor.p12 -nocerts -out vendor.key

You will be asked for a password three times: the vendor.p12 password, the vendor.key password, and the vendor.key password again to confirm it.

4. Submit CSR

Log in to the portal, go to Certificates -> All, click Add Certificate (the "+" button) and select "MDM CSR" under Production.

Click Continue -> Continue. Upload the CSR created in step 2, then click Generate.

Click Download and you will get mdm.cer.

5. Certificate conversion: CER -> PEM

Download the Apple WWDR certificate and Apple root certificate:

http://www.apple.com/certificateauthority/

Convert mdm.cer, the WWDR certificate and the Apple root certificate to PEM format:

openssl x509 -inform der -in mdm.cer -out mdm.pem

openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem

openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem

Note: If you use the mdm_vendor_sign.py script to sign the vendor plist file, this step can be omitted.

Part 2: MDM Customer

1. Create a CSR

Use Keychain Access to create a CSR, and remember the Common Name of the key pair (it makes the key easy to find when exporting).

Export the CSR. File name: mdmcustomer.csr.

2. Conversion: CSR -> DER

openssl req -inform pem -outform der -in mdmcustomer.csr -out customer.der

Note: if you use the mdm_vendor_sign.py script, this step can be omitted.

3. Get the encoded plist file from vendor

The customer submits mdmcustomer.csr or customer.der to the vendor.

The rest is carried out by the vendor. To sign the customer.der submitted by the customer, the vendor needs either the mdm_vendor_sign.py script (mdmvendorsign-master.zip) or the Softhinker Java code (Softhinker.zip).

These two tools are:

https://github.com/grinich/mdmvendorsign

http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning/Softhinker.zip?attredirects=0&d=1

Let's take mdm_vendor_sign.py as an example.

Run the command:

python mdm_vendor_sign.py --csr mdmcustomer.csr --key vendor.key --mdm mdm.cer

Running it generates a plist_encoded file.

Note that the mdm_vendor_sign.py script requires only 3 files: the customer's CSR, the MDM private key and the MDM certificate. It does not require the WWDR certificate or the Apple root certificate to be supplied, nor does it require a complex certificate format conversion. Downloading the WWDR and Apple root certificates and converting them to PEM format are handled by the script itself. This makes signing much easier than with the Java code.
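Before running the signing command, the vendor can confirm that vendor.key really belongs to mdm.cer and that the customer's CSR carries a valid self-signature. The script below is an added example, not part of the original article or of mdm_vendor_sign.py; the function names are hypothetical, and the key, certificate and CSR it checks are unencrypted throwaway files constructed on the spot.

```shell
#!/bin/sh
# Added example: sanity checks a vendor can run before signing a customer's CSR.
# File names follow the article; the fixtures below are constructed throwaway data.

# 0 if the private key in $1 (PEM) belongs to the certificate in $2 (DER, like mdm.cer).
# An encrypted key such as the article's vendor.key will prompt for its passphrase.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    cert_pub=$(openssl x509 -inform der -in "$2" -noout -pubkey) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# 0 if $1 is a PEM CSR whose self-signature verifies (the requester holds the key).
# The exit status of "req -verify" differs between OpenSSL releases, so match the message.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Build constructed stand-ins for vendor.key, mdm.cer and mdmcustomer.csr in directory $1.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed vendor" \
        -keyout "$1/vendor.key" -out "$1/mdm.pem" 2>/dev/null &&
    openssl x509 -in "$1/mdm.pem" -outform der -out "$1/mdm.cer" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed customer" \
        -keyout "$1/customer.key" -out "$1/mdmcustomer.csr" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_fixtures "$dir" || return 1
    key_matches_cert "$dir/vendor.key" "$dir/mdm.cer" && echo "vendor.key matches mdm.cer"
    key_matches_cert "$dir/customer.key" "$dir/mdm.cer" || echo "customer.key does not match mdm.cer"
    csr_is_valid "$dir/mdmcustomer.csr" && echo "mdmcustomer.csr self-signature OK"
    rm -rf "$dir"
}
demo
```

A key/certificate mismatch caught here means the wrong private key was exported from the keychain in step 3 of the vendor part.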

4. Upload plist

Sign in to https://identity.apple.com/pushcert/ with your Apple ID. Click "Create a Certificate" to upload the plist file.

Note: if you signed with the Java code, do not upload plist.xml. Instead, upload plist_encoded.

After uploading, an APNs certificate is generated, and a .pem file is downloaded (renamed to push_cert.pem for ease of use).

Double-click the .pem file to install the certificate into the keychain. Open the keychain and see that the certificate is named "APSP:<uuid>". For example, as seen in the.
