
After signing .mobileconfig profile it shows as "Unverified" - "The certificate was signed by an unknown authority"

I'm trying to sign a configuration profile (CardDav) with my SSL certificate issued by networksolutions.com

NetworkSolutions.com should be one of the providers that's in iOS/OSX trusted certificates according to this

I've also seen other configuration profiles signed by NetworkSolutions that were "Verified" just fine.

This is the Ruby code I use to sign the profile:

    # Load the server's private key and certificate (PEM files)
    ssl_key_str = File.read(Rails.root.join("config/ssl/server.key"))
    ssl_key = OpenSSL::PKey::RSA.new(ssl_key_str)
    ssl_cert_str = File.read(Rails.root.join("config/ssl/server.crt"))
    ssl_cert = OpenSSL::X509::Certificate.new(ssl_cert_str)
    # 4th argument: extra certificates to embed in the PKCS#7 (none here)
    signed_profile = OpenSSL::PKCS7.sign(ssl_cert, ssl_key, profile, [], OpenSSL::PKCS7::BINARY)

Also tried to sign with openssl:

    openssl smime -sign -in apple_sync_profile-unsigned.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile server.crt -outform der -nodetach

Still getting "Unverified". Digging deeper by trying to open the mobileconfig file on my Mac, it shows "this certificate was signed by an unknown authority"

I tried to compare with this other profile that I downloaded and shows up as Verified but could not come up with any meaningful difference.

Any recommendations? Is there any tool I could use to sign profile other than openssl which might be able to provide more insight?

Alon Burg asked Jun 16 '13 23:06


2 Answers

How to Sign and verify a .mobileconfig file in apple

  1. Export certificate from the key chain

    Keychain Access --> Certificates (left panel) --> right-click the particular certificate and export it. Convert the .p12 file to a PEM file (to convert, use this link: www.sslshopper.com/ssl-converter.html)

    Eg: InnovCertificates.p12 to InnovCertificates.pem

  2. Download Apple Root Certificate and Apple Intermediate Certificate

    (For my .mobileconfig file verification I used the Apple Inc. Root Certificate (Apple Root Certificate) and the Application Integration Certificate (Apple Intermediate Certificate). You can also use these certificates or other certificates that are on the Apple certificates page www.apple.com/certificateauthority/)

    The downloaded file is a combination of certificate and keys. (To read the certificate with Terminal commands, see the following link: info.ssl.com/article.aspx?id=12149) From this certificate file we need to extract the certificate.

    Extract the certificate from the Apple Root Certificate. Then extract the certificate from the Apple Intermediate Certificate:
    
    openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out root.crt.pem
    openssl x509 -inform DER -outform PEM -in AppleAAICA.cer -out Intermediate.crt.pem
    
    Open the two extracted files in a text editor,
    copy and paste the contents of Intermediate.crt.pem at the beginning of root.crt.pem, and save. Your root.crt.pem file is then a combination of the two certificates.
    
  3. Sign and verify the .mobileconfig file

    Once you have all the files listed above, you will run a command like the following:
    
    openssl smime -sign -in Example.mobileconfig -out SignedVerifyExample.mobileconfig -signer InnovCertificates.pem -certfile root.crt.pem -outform der -nodetach

    The resulting .mobileconfig file is signed and verified.

Useful links:

  1. renren.io/questions/637349/ios-mobileconfig-walkarounds

  2. developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/smime.1ssl.html#//apple_ref/doc/man/1/smime

  3. www.apple.com/certificateauthority/

  4. www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html

  5. info.ssl.com/article.aspx?id=12149

  6. www.sslshopper.com/ssl-converter.html

  7. wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File

  8. stackoverflow.com/questions/9277426/ios-mobileconfig-walkarounds

  9. stackoverflow.com/questions/991758/how-to-get-an-openssl-pem-file-from-key-and-crt-files

  10. discussions.apple.com/thread/2363234

MyTouch answered Oct 23 '22 07:10


My certificate was signed by a sub-CA and did not contain the full certificate chain. In order for the signing to be complete, you must provide a full server.crt certificate which contains the full chain of certificates.

Download the sub-certificates from your certificate provider (e.g. StartSSL) and add them to your server certificate, simply by:

    cat server.crt ca-bundle.crt > server-chain.crt && mv server-chain.crt server.crt

Alon Burg answered Oct 23 '22 07:10
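
The missing-chain failure described in the answer above, as an added example (not code from the original posts): a constructed throwaway root, sub-CA and leaf sign a stand-in profile with and without the intermediate in the PKCS#7 certificate list, and each result is verified against a store that trusts only the root. The helper names (make_cert, sign_profile, verifies?, embedded_subjects, demo) and the certificate CNs are hypothetical.

```ruby
require "openssl"

# Build one certificate of a constructed, throwaway PKI (all names hypothetical).
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Same call as in the question; `chain` is the list of extra certificates to embed.
def sign_profile(profile, cert, key, chain)
  OpenSSL::PKCS7.sign(cert, key, profile, chain, OpenSSL::PKCS7::BINARY).to_der
end

# Verify as a client that trusts only `roots`; intermediates must come from the file.
def verifies?(signed_der, roots)
  store = OpenSSL::X509::Store.new
  roots.each { |c| store.add_cert(c) }
  OpenSSL::PKCS7.new(signed_der).verify([], store)
end

# Subjects of the certificates carried inside the signed file.
def embedded_subjects(signed_der)
  OpenSSL::PKCS7.new(signed_der).certificates.map { |c| c.subject.to_s }
end

def demo
  root_key, sub_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Example Root CA", root_key, nil, root_key, ca: true, serial: 1)
  sub  = make_cert("Example Sub CA", sub_key, root, root_key, ca: true, serial: 2)
  leaf = make_cert("profiles.example.test", leaf_key, sub, sub_key, ca: false, serial: 3)
  profile = "<plist><!-- constructed stand-in for a .mobileconfig --></plist>"
  bare = sign_profile(profile, leaf, leaf_key, [])    # leaf only, as in the question
  full = sign_profile(profile, leaf, leaf_key, [sub]) # intermediate embedded
  { bare_ok: verifies?(bare, [root]), bare_certs: embedded_subjects(bare),
    full_ok: verifies?(full, [root]), full_certs: embedded_subjects(full) }
end

p demo if $PROGRAM_NAME == __FILE__
```

On a real signed file, `openssl pkcs7 -inform der -in signed.mobileconfig -print_certs -noout` lists the embedded certificates in the same way.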