Summary of CA chains: Say you have a security certificate stating that you are example.com. But no one will believe you. So you get it signed by someone who is trusted (Verisign in your example above). Now I believe that you are example.com, because Verisign vouches for you by signing your certificate.
Verisign does not usually sign it with its primary "root" certificate. Instead, they sign it with a second-tier CA, and the second-tier CA is signed with a root certificate that I trust.
This is the certificate chain: you (example.com) are signed by a second-tier CA, which is signed by the root CA.
So, when you give me your certificate, you also need to provide the whole chain so that I can check it to the very top and see if I really trust you.
So, the following command accepts your .mobileconfig file and signs it with your certificate. And I trust your signature as long as you provide the whole chain.
Files:
* company.mobileconfig <- your .mobileconfig file that you created
* signed.mobileconfig <- a signed file that is created after the command
* server.crt <- your certificate that you received from a trusted CA
* server.key <- your private key file that comes with the above certificate (keep safe)
* cert-chain.crt <- any certificates that are in the chain up to the top-level CA that people trust
Command:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach
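An added example, not part of the original answer: it builds a throwaway root, intermediate and leaf using the file names above, runs the signing command with and without `-certfile cert-chain.crt`, and verifies each result while trusting only the root. All keys, subjects and the profile content are constructed; `demo.cnf`, `nochain.mobileconfig` and the function names are assumptions of this example, and it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added demo: every key, certificate and profile here is constructed and throwaway.
set -e

csr() {    # $1 = file basename, $2 = subject CN
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
issue() {  # $1 = subject basename, $2 = issuer basename, $3 = extension section
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile demo.cnf -extensions "$3" -days 2 -out "$1.crt" 2>/dev/null
}

make_demo_chain() (   # $1 = empty working directory
  cd "$1"
  printf '%s\n' '[req]' 'distinguished_name = req' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' 'keyUsage = critical,digitalSignature' > demo.cnf
  openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  csr cert-chain "Demo Intermediate CA"; issue cert-chain root v3_ca   # second-tier CA
  csr server "example.com";              issue server cert-chain v3_leaf
  printf '%s\n' '<plist version="1.0"><dict>' \
    '<key>PayloadIdentifier</key><string>com.example.demo</string>' '</dict></plist>' \
    > company.mobileconfig
)

sign_profile() (      # $1 = dir, $2 = output file, remaining args are passed to openssl
  cd "$1"; out=$2; shift 2
  openssl smime -sign -in company.mobileconfig -out "$out" -signer server.crt \
    -inkey server.key -outform der -nodetach "$@" 2>/dev/null
)
verify_profile() (    # the verifier trusts the root only, as a device would
  cd "$1"
  openssl smime -verify -inform der -in "$2" -CAfile root.crt -out /dev/null 2>/dev/null
)
embedded_certs() (    # number of certificates carried inside the signed file
  cd "$1"
  openssl pkcs7 -inform der -in "$2" -print_certs | grep -c '^subject'
)

work=$(mktemp -d)
make_demo_chain "$work"
sign_profile "$work" signed.mobileconfig -certfile cert-chain.crt
sign_profile "$work" nochain.mobileconfig
verify_profile "$work" signed.mobileconfig && echo "with chain: verifies against the root alone"
verify_profile "$work" nochain.mobileconfig || echo "without chain: no path to the root can be built"
```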