3.11.6 Procedure for creating an MDM signed-certificate request file (when managing iOS devices)
To create MDM client certificates, you need to change the format of the MDM certificate request file, and then create an MDM signed-certificate request file. You need to perform this procedure only when managing iOS devices.
Prerequisites
- You must purchase a license for the Apple Developer Enterprise Program.
- You must contact Apple to register as an MDM vendor.
- You must perform the procedure on a Mac PC.
- You must download the MDM certificate request file (mdm.cer) in advance.
Procedure
1. Double-click the downloaded MDM certificate request file (mdm.cer) to import it to Keychain Access, and then export the file in PKCS#12 format.
   Specify vendor.p12 as the export file name.
   Tip: Set a password when exporting the file. The password set here will be registered in step 6.
2. Obtain the following root certificate and intermediate certificate from Apple:
   - Apple Inc. Root Certificate (AppleIncRootCertificate.cer)
   - WWDR Certificate (AppleWWDRCA.cer)
   Important: The names of the root certificate and intermediate certificate might be different. For details, see the information provided by Apple.
3. From the terminal, execute the following commands, which are provided by the OS, to convert the cer files to pem format:
   openssl x509 -inform der -in mdm.cer -out mdm.pem
   openssl x509 -inform der -in AppleWWDRCA.cer -out intermediate.pem
   openssl x509 -inform der -in AppleIncRootCertificate.cer -out root.pem
4. Execute the following commands from the terminal to create a customer certificate request:
   - Create a private key:
     openssl genrsa -des3 -out customerPrivateKey.pem 2048
   - Create the customer certificate request:
     openssl req -new -key customerPrivateKey.pem -out customer.csr
   - Convert the customer certificate request to der file format:
     openssl req -inform pem -outform der -in customer.csr -out customer.der
5. Copy the following five created files to the communication server:
   - customer.der
   - vendor.p12
   - mdm.pem
   - intermediate.pem
   - root.pem
6. Execute the following command from the command prompt to create an MDM signed-certificate request file:
   sdmcreatemdmcertreq -f "folder-storing-files" -o "MDM-signed-certificate-request-file-output-folder" -a common-name-set-when-creating-the-certificate-request-file -p password-set-when-exporting-vendor.p12
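A pre-flight check for the files produced in steps 1 to 4, to run before copying them in step 5. This is an added example, not part of the product or its documentation; the function names check_mdm_request_files and csr_common_name are hypothetical, and it assumes the file names used in this procedure and an openssl binary on the PATH.

```shell
# Added example: pre-flight check for the files created in steps 1-4.
# Function names are hypothetical; file names are the ones this procedure uses.

# Print the common name stored in customer.der (the value step 6 passes with -a).
csr_common_name() {
    openssl req -inform der -in "$1/customer.der" -noout -subject -nameopt RFC2253 |
        sed -n 's|^subject= *||; s|^\(.*[,/]\)\{0,1\} *CN *= *\([^,/]*\).*$|\2|p'
}

check_mdm_request_files() {
    dir=$1
    # All five files listed in step 5 must exist and be non-empty.
    for f in customer.der vendor.p12 mdm.pem intermediate.pem root.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # Step 3 output: each file must parse as a PEM X.509 certificate.
    for f in mdm.pem intermediate.pem root.pem; do
        openssl x509 -in "$dir/$f" -noout 2>/dev/null ||
            { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    # mdm.pem must chain to root.pem through intermediate.pem. The output
    # text is matched because some OpenSSL releases exit 0 on a failed check.
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/intermediate.pem" \
        "$dir/mdm.pem" 2>/dev/null | grep -q ': OK$' ||
        { echo "mdm.pem does not chain to root.pem via intermediate.pem" >&2; return 1; }
    # Step 4 output: customer.der must be a DER request with a valid self-signature.
    openssl req -inform der -in "$dir/customer.der" -verify -noout 2>&1 |
        grep -q 'verify OK' ||
        { echo "customer.der: not a DER request or bad self-signature" >&2; return 1; }
    echo "OK. Common name for -a in step 6: $(csr_common_name "$dir")"
}

# Usage: check_mdm_request_files /path/to/folder-storing-files
```

vendor.p12 is checked only for presence, because opening it requires the export password from step 1.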
Postrequisites
Create MDM client certificates.