Question

PKI and SCEP enabled CA

  • September 27, 2012
  • 3 replies
  • 27 views


We are trying to get our MDM profiles to show as verified when doing OTA MDM enrollments. Is there a way to use the built-in JSS SCEP but with a trusted signing certificate, or has anyone had any luck setting up a standalone SCEP CA?

Thanks

-Matt

3 replies

  • Contributor
  • September 20, 2013

Yes, it is possible...

In the JSS:
Global Management -> PKI -> Download CA Certificate

Convert to DER: open Terminal and run:

openssl x509 -outform der -in certificate.pem -out certificate.cer

Create a new configuration profile with the iPhone Configuration Utility.
Add the file certificate.cer to the Certificates and export the profile unsigned as MDMRootCertificate-unsigned.mobileconfig.

Copy the file MDMRootCertificate-unsigned.mobileconfig to the Tomcat root, in my case it's /usr/local/jss/tomcat/webapps/ROOT/

openssl smime -sign -in MDMRootCertificate-unsigned.mobileconfig -out MDMRootCertificate.mobileconfig -signer /etc/ssl/trusted-certificate.cer -inkey /etc/ssl/trusted-certificate.key -certfile /etc/ssl/SSL_SecondaryCA.crt -outform der -nodetach


Best
Michael
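
The signing step from the post above, paired with a verification check, as an added example that is not part of the original post or of Jamf's documentation. It assumes `openssl` is on the PATH; the function names and the throwaway `trusted`, `other` and `signer` certificates are constructed for the demo, and the `trusted` CA stands in for the chain file passed to `-certfile`.

```shell
#!/bin/sh
# Added example: every name here is constructed for the demo, not from the thread.

# sign_profile UNSIGNED SIGNED SIGNER_CERT SIGNER_KEY CHAIN
# -nodetach embeds the profile in the signature; -certfile ships the chain
# so a verifier can build a path from the signer to a root it already trusts.
sign_profile() {
    openssl smime -sign -in "$1" -out "$2" -signer "$3" -inkey "$4" \
        -certfile "$5" -outform der -nodetach 2>/dev/null
}

# verify_profile SIGNED TRUSTED_ROOTS EXTRACTED
# Succeeds only if the signature is valid and chains to TRUSTED_ROOTS.
verify_profile() {
    openssl smime -verify -in "$1" -inform der -CAfile "$2" -out "$3" 2>/dev/null
}

# new_ca NAME DIR: throwaway self-signed CA (constructed test material)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    new_ca trusted "$d" && new_ca other "$d" || return 1
    # Signer certificate issued by the "trusted" CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=signer" \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/signer.csr" -CA "$d/trusted.crt" \
        -CAkey "$d/trusted.key" -CAcreateserial -days 2 \
        -out "$d/signer.crt" 2>/dev/null || return 1
    # Constructed stand-in for the exported unsigned profile.
    printf '<?xml version="1.0"?>\n<plist version="1.0"><dict/></plist>\n' \
        > "$d/unsigned.mobileconfig"
    rc=1
    # Pass: signs, verifies against the issuing CA, payload is unchanged
    # (CR stripped, since signing may canonicalise line endings), and
    # verification against an unrelated CA is rejected.
    if sign_profile "$d/unsigned.mobileconfig" "$d/signed.mobileconfig" \
           "$d/signer.crt" "$d/signer.key" "$d/trusted.crt" &&
       verify_profile "$d/signed.mobileconfig" "$d/trusted.crt" "$d/out" &&
       tr -d '\r' < "$d/out" | cmp -s - "$d/unsigned.mobileconfig" &&
       ! verify_profile "$d/signed.mobileconfig" "$d/other.crt" "$d/out2"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

demo && echo "signed profile verifies against the trusted CA only"
```

Running `verify_profile` against the real signed profile with the issuing CA's root as TRUSTED_ROOTS gives a quick check before the file is published for enrollment.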


  • New Contributor
  • March 16, 2015

Hi Matt, have you resolved this? We are trying to do the same thing. We have a 3rd party cert for Tomcat, but would like users to enroll their devices without being warned that the JSS Built-in Certificate Authority Not Verified.

I am not successful at doing Michael's last step:

openssl smime -sign -in MDMRootCertificate-unsigned.mobileconfig -out MDMRootCertificate.mobileconfig -signer /etc/ssl/trusted-certificate.cer -inkey /etc/ssl/trusted-certificate.key -certfile /etc/ssl/SSL_SecondaryCA.crt -outform der -nodetach

Michael, if you can update these instructions for a Windows 2012R2 server that would be super awesome.

Please let me know. Thanks guys!


  • New Contributor
  • March 27, 2015

Thanks Michael, is there anyone who has done this on a Windows Server 2012 R2 box? The instructions sound good until the final openssl smime . . . step. Those don't exactly follow on a Windows box.