SCEP Enrollment for iOS devices


Thomas Engelmann

Jun 18, 2011, 4:00:28 AM
to jscep Support
Hi!

I'm using the jSCEP servlet for deploying certificates to iOS devices
through the Over-The-Air-Enrollment process. That works fine, the
certificate is downloaded (I don't get an error message) and the
profile installation process proceeds.

When using jSCEP with a "standard" SCEP payload I receive the message
"The certificate could not be stored.". I'm not sure if the iOS device
wants another kind of certificate (both payloads are the same) when
not enrolling during the OTA process.

I'm creating a X509 v3 certificate for the iOS device.

Thanks
Thomas

David Grant

Jun 18, 2011, 5:39:09 AM
to jscep-...@googlegroups.com
Hi Thomas,

I'm not very familiar with OTA, but is it feasible running under that process gives you additional permissions for writing to the certificate store?

Dave

Thomas Engelmann

Jun 20, 2011, 7:19:17 AM
to jscep Support
Hi Dave,

afaik there are no special permissions needed.

The SCEP Profile enrollment is standardized within the iOS deployment
process. It doesn't matter (or shouldn't matter??) if the SCEP is
called from within OTA or another payload like ActiveSync settings.

-- Thomas

David Grant

Jun 20, 2011, 8:33:16 AM
to jscep-...@googlegroups.com
Hi Thomas,

Do you have any further information, e.g. logs that you can share?  As it stands, there isn't a lot I can offer in terms of support.

Dave

Thomas Engelmann

Jun 20, 2011, 9:54:02 AM
to jscep Support
Hi Dave,

I think I got an idea where the problem is. Maybe the process needs a
p12 file to be enrolled in non-OTA profiles.

Is there a way to do that (enroll a p12 and not a cer)?

Thanks,
Thomas

David Grant

Jun 20, 2011, 9:57:42 AM
to jscep-...@googlegroups.com
Hi Thomas,

SCEP describes enrolling a PKCS#10 CSR, and makes no mention of sending a PKCS#12 payload.

Dave

Thomas Engelmann

Jun 20, 2011, 11:18:42 AM
to jscep Support
Hi Dave,

yes - I know the specs. But what would be the correct way to serve a
p12, just for testing?

-- René

David Grant

Jun 20, 2011, 11:22:15 AM
to jscep-...@googlegroups.com
Hi René,

I'm afraid I don't understand your question.  Are you attempting to store the enrolled certificate in a PKCS#12 file?

Dave

Gordon...@wellsfargo.com

Jun 20, 2011, 11:33:31 AM
to jscep-...@googlegroups.com
According to the SCEP RFC draft only PKCS#7 and PKCS#10 are supported.

I heard of some implementations where there is enrollment “on behalf of” the device, where the web application that serves as a proxy between the devices and the CAs is delivering the PKCS#12 to the device.

IMO you would not want the private key to leave the device. If your intent is to strongly identify the device as a managed asset, you then do not want the private key to be portable, even if encrypted in a PKCS#12 file.

Having an identity’s private key in escrow somewhere adds more operational overhead, as you have to build more stringent controls around the system housing the key archive or point of private key origination on behalf of the device.

My thought is, as a best practice you wouldn’t want the private key to leave the device. You want to rely on iPhone OTA configuration profiles to convey the PKCSReq to the SCEP RA, and the signed certificate response back to the device.

~Gordon

Thomas Engelmann

Jun 29, 2011, 12:45:34 PM
to jscep Support
Hi!

Sorry for the "delay" - had a lot of work in the last days.

I think I've found the "solution" why the certificate couldn't be
installed. The iOS device seems only to allow one certificate per CA.
When I switched to create a second SCEP rollout for the same device
with another CA everything worked fine.

Can somebody confirm this behavior? IMHO it's not intended that a SCEP
CA should only issue one certificate per device.

-- Thomas
