Profiles set by MDM appear as "Unverified" after upgrading to iOS 6

The profiles set by the MDM service are displayed as "Unverified" after upgrading the device to iOS 6. These profiles were signed by the InCommon certificate issued by AddTrust before being clicked on the devices. Before the upgrade, they showed up as Verified. Any ideas what might trigger this?

+4
5 answers

I had the same problem, so this is probably an error in the iOS profile system, because the same SSL certificate is trusted by the browser. Note: our certificate is of the type *.host.org.

+3

It may be an untrusted CA in the certificate chain from the certificate provider from which you purchased it. It seems that some CAs are unreliable or missing in iOS 6. I had the same problem; I included the entire certificate chain in our certificate subscription package and the problem was resolved. I suggest you open a support request with your certificate provider to find out whether this problem is known, or dig in to see if you can find a list of the trusted certificate authorities used in iOS 6. I could not find one. Syncing your device with iTunes can also update the CA list, but this time it didn't help me.

+2

I have exactly the same problem as you. My chain is GeoTrust → RapidSSL → MyCert. I have included the whole chain in my .crt, but it still shows "not verified" when I try to set the configuration profile.

I do not know how to insert all the way.

I use the openssl command to sign my file:

openssl smime -sign -signer #{crt_path} -inkey #{private_key_path} -nodetach -outform der -in #{file_to_sign_path} -out #{file_signed_path}

My crt_path is a .crt file, including three certificates.

EDIT: I have encountered a problem with my openssl command. My complete chain was in #{crt_path}, but was not used by the command. I added -certfile #{crt_path} and everything works fine!

+2

By including the intermediate certificate in the pkcs7_sign call (PHP openssl_pkcs7_sign() in my case), the problem was resolved.

+2

Yes! Adding the entire path (-root) did the trick.

Verify that the signature generated by the MDM SW actually contains the path. Since it was not needed before ...

+1
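
As an added example (not code from any of the answers above), this script signs a stand-in profile with the openssl smime command from the thread, once without and once with -certfile, then counts the certificates embedded in each signature and checks whether it chains to the root. The three-level chain, the CA names, the file names and the helper functions are all constructed for the demo.

```sh
#!/bin/sh
# Added example. All keys, certificates and the profile are constructed throwaways.
set -eu

# Build root -> intermediate -> leaf in directory $1, plus a stand-in profile.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mdm.example.org' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 2 -days 2 -out "$d/leaf.crt" 2>/dev/null
  printf '<plist><dict/></plist>\n' > "$d/profile.mobileconfig"
}

# Sign with the thread's command; extra arguments ($3...) are passed through.
sign_profile() {
  d=$1; out=$2; shift 2
  openssl smime -sign -signer "$d/leaf.crt" -inkey "$d/leaf.key" -nodetach \
    -outform der -in "$d/profile.mobileconfig" -out "$out" "$@"
}

# Number of certificates embedded in a DER-encoded signed profile.
count_embedded_certs() {
  openssl pkcs7 -inform der -in "$1" -print_certs | grep -c '^subject'
}

# "yes" if the signature chains to root $2 using only the embedded certificates.
verifies_against_root() {
  if openssl smime -verify -inform der -in "$1" -CAfile "$2" \
       -out /dev/null 2>/dev/null; then echo yes; else echo no; fi
}

demo() {
  w=$(mktemp -d)
  make_chain "$w"
  sign_profile "$w" "$w/leaf_only.der"
  sign_profile "$w" "$w/with_chain.der" -certfile "$w/int.crt"
  for f in leaf_only with_chain; do
    echo "$f: $(count_embedded_certs "$w/$f.der") cert(s), verifies:" \
      "$(verifies_against_root "$w/$f.der" "$w/root.crt")"
  done
  rm -rf "$w"
}
demo
```

In this example -certfile carries only the intermediate, because the leaf is already added through -signer.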

Source: https://habr.com/ru/post/1435150/

