PKI and SCEP enabled CA

mbarlak
New Contributor

We are trying to get our MDM profiles to show as verified when doing OTA MDM enrollments. Is there a way to use the built in JSS SCEP but with a trusted signing certificate or has anyone had any luck on setting up a standalone SCEP CA?

Thanks

-Matt


spotmac
New Contributor III

Yes, it is possible.

In the JSS:
Global Management -> PKI -> Download CA Certificate

Convert to DER in Terminal:
openssl x509 -outform der -in certificate.pem -out certificate.cer

Create a new configuration profile with the iPhone Configuration Utility.
Add the file certificate.cer to the Certificates payload and export the profile without signing it as MDMRootCertificate-unsigned.mobileconfig.

Copy the file MDMRootCertificate-unsigned.mobileconfig to the Tomcat root, in my case it's /usr/local/jss/tomcat/webapps/ROOT/

openssl smime -sign -in MDMRootCertificate-unsigned.mobileconfig -out MDMRootCertificate.mobileconfig -signer /etc/ssl/trusted-certificate.cer -inkey /etc/ssl/trusted-certificate.key -certfile /etc/ssl/SSL_SecondaryCA.crt -outform der -nodetach


Best
Michael
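The signing step above, reproduced as an added example (not code from the thread or from Jamf): it signs an exported .mobileconfig as CMS/DER with openssl smime and then verifies it the way a device will. A throwaway self-signed signer and a minimal constructed plist are generated so it runs offline; in production -signer/-inkey are your publicly trusted certificate and key, and -certfile / -CAfile carry the intermediate chain. The tamper check at the end is extra and shows that the signature covers the payload.

```shell
#!/bin/sh
# Added example: sign and verify a configuration profile with openssl smime.
# Assumptions: WORK is a scratch directory; the signer is a throwaway
# self-signed cert (replace with the trusted Tomcat cert, key and chain).
set -e
WORK="${WORK:-$(mktemp -d)}"

make_test_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
}

# Constructed minimal profile standing in for MDMRootCertificate-unsigned.mobileconfig.
make_test_profile() {
  cat > "$WORK/unsigned.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>example.root-cert</string>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
}

# Input is the unsigned export; output is the signed profile you host on Tomcat.
sign_profile() {  # $1 unsigned profile, $2 signed output
  openssl smime -sign -in "$1" -out "$2" \
    -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
    -outform der -nodetach
}

# Returns 0 only if the CMS signature is valid and chains to the given CA file.
verify_profile() {  # $1 signed profile, $2 CA file, $3 recovered plist output
  openssl smime -verify -in "$1" -inform der -CAfile "$2" -out "$3" >/dev/null 2>&1
}

# Overwrite one byte of the embedded plist and confirm verification now fails.
tampered_profile_fails() {  # $1 signed profile
  off=$(grep -abo 'root-cert' "$1" | head -n 1 | cut -d: -f1)
  cp "$1" "$WORK/tampered.mobileconfig"
  printf 'X' | dd of="$WORK/tampered.mobileconfig" bs=1 seek="$off" conv=notrunc 2>/dev/null
  ! verify_profile "$WORK/tampered.mobileconfig" "$WORK/signer.crt" "$WORK/tampered.plist"
}
```

Call make_test_signer and make_test_profile, then sign_profile and verify_profile, to walk through the flow end to end.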

WiseByte
New Contributor II

Hi Matt, have you resolved this? We are trying to do the same thing. We have a 3rd party cert for Tomcat, but would like users to enroll their devices without being warned that the JSS Built-in Certificate Authority is Not Verified.

I am not successful at doing Michael's last step:

openssl smime -sign -in MDMRootCertificate-unsigned.mobileconfig -out MDMRootCertificate.mobileconfig -signer /etc/ssl/trusted-certificate.cer -inkey /etc/ssl/trusted-certificate.key -certfile /etc/ssl/SSL_SecondaryCA.crt -outform der -nodetach

Michael, if you can update these instructions for a Windows 2012R2 server that would be super awesome.

Please let me know. Thanks guys!

nfield
New Contributor

Thanks Michael. Is there anyone who has done this on a Windows Server 2012 R2 box? The instructions sound good until the final openssl smime ... step. Those don't exactly follow on a Windows box.