Readme file questions

[sebo]

mdm.cer

In 5. in step openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DES we export the mdm.cer. Isn't that mdm.cer file exactly the same as the mdmvendor.cer file that we received from Apple in step 2? At least the md5sum is identical in my case.

PushCert.pem

Whats the difference between the push certificate that we get from apple in step 7 and the push certificate we extract again from the mdm.p12 in step 8? Aren't those files also the same?

Thanks for letting me know.

[MaximilianoRios]

Hi!
Check in the step 5 again. You're not using the CER, you have to extract the cert from the private key and other steps to create a cert that is indeed connected to the Apple Certificate but it's not the same. The steps mention you should call the Apple Certificate mdmvendor.cer

About the push certificate, you're extracting a P12 version of the certificate. Yes, it's the same certificate in a different format. I suggest you to read if you're interested the different formats (p12, pfx, etc).

[sebo]

Hi,

In step 3 we are adding the apple generated mdm vendor to the keychain so that we can export the private key that is used in the Certificate Signing Request request in step 1 to a p12 file. When we right-click on the private key which is now linked to the certificate we are not only extracting the private key but in fact putting the private key and the certificate in the private.p12 file. In step 5 with the command

openssl pkcs12 -in private.p12 -nocerts -out key.pem
openssl rsa -in key.pem out private.key

we are exporting the private key that was used in the Certificate Signing Request request and with

openssl pkcs12 -in private.p12 -clcerts -nokeys -out cert.pem
openssl x509 -in cert.pem -inform PEM -out mdm.cer -outform DES

we are exporting the certificate that we imported earlier on to the keychain. I don't see how the certificates are different. Am I missing something?

About the push certificate. Its in pem format in the beginning and in pem format in the end. What I didn't saw is that the private key that is used in the Certificate Signing Request
is appended. Is it somehow possible to define which private key is used with that Certificate Signing Request or that a new private key is generated? Can't the Certificate Signing Request also not be generated through the openssl tool. The Keychain seems to do some "magic" stuff that I would like to unterstand also :)

Sebo

[sebo]

Step 1 till 8 would then actually look like this. I also figured out how to not use the keychain assistant tool:

create mdm vendor private key

openssl genrsa -out mdmVendorPrivateKey.key 2048

create csr for apple

common name should be your apple developer email address

openssl req -new -sha256 -key mdmVendorPrivateKey.key -out mdmVendor.csr

upload to mdm csr and download mdm

Apple's Certificates, Identifiers & Profiles page

create mdm push private key

openssl genrsa -out mdmPushPrivateKey.key 2048

create csr for push

common name should be your email address

openssl req -new -sha256 -key mdmPushPrivateKey.key -out mdmPush.csr

sign csr with vendor certificate

python mdm_vendor_sign.py --key mdmVendorPrivateKey.key --csr mdmPush.csr --mdm mdmVendor.cer --out vendorSignedMdmPush.csr

get push certificate with signed csr

https://identity.apple.com/pushcert/

save it as mdmPush.pem

Copy down the User ID froim the following which should look like com.apple.mgmt.External.hexstuffhere..

openssl x509 -noout -subject -in mdmPush.pem

concate the files to be used in apn server for push

cat mdmPush.pem <(echo) <(echo) mdmPushPrivateKey.key > mdmPushIncludesPrivatekey.pem