Page Comparison

Prerequisites 

• You have to be enrolled in the Apple Developer Program as an individual or organization before starting the configurations on the iOS server-side.

• OpenSSL

  Info
  icon false
  For more information, see how to download and install OpenSSL.

...

1. Generate an Apple Push Notification Service (APNS) certificate. In the documentation you navigate to, follow the steps under the Configuring Push Notifications section to generate an APNS certificate.

   Info
   WSO2 EMM uses the APNS notification method for devices that use the iOS mobile OS. Therefore you need to generate the APNS certificate when configuring the iOS server-side.

2. Navigate to the openssl.cnf file of the OpenSSL installation. 
   Example: In Ubuntu navigate to /etc/ssl/openssl.cnf. 

3. Make a copy of the openssl.cnf file, move it to another location, and configure the file to generate version 3 certificates as shown below:

   Code Block

   [ v3_req ] # Extensions to add to a certificate request basicConstraints=CA:TRUE keyUsage = digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. basicConstraints = critical,CA:true # So we do this instead. #basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = digitalSignature, keyCertSign, cRLSign

4. In the location where you modified and saved the openssl.cnf file, run the following commands to generate a self-signed Certificate Authority (CA) certificate (version 3) and convert the certificate to the.pem format: 

   1. openssl genrsa -out <CA PRIVATE KEY> 4096
      For example: openssl genrsa -out ca_private.key 4096
   2. openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
      For example: openssl req -new -key ca_private.key -out ca.csr
   3. openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca -extfile <PATH-TO-MODIFIED-openssl.cnf-FILE>
      For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca -extfile ./openssl.cnf
   4. openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
      For example:  openssl rsa -in ca_private.key -text > ca_private.pem
   5. openssl x509 -in <CA CRT> -out <CA CERT PEM>
      For example: openssl x509 -in ca.crt -out ca_cert.pem

5. In the same location, run the following commands to generate a Registration Authority (RA) certificate (version 3), sign it with the CA, and convert the certificate to the .pem format.  

   1. openssl genrsa -out <RA PRIVATE KEY> 4096
      For example:  openssl genrsa -out ra_private.key 4096

   2. openssl req -new -key <RA PRIVATE KEY> -out <RA CSR>
      For example: openssl req -new -key ra_private.key -out ra.csr
   3. openssl x509 -req -days <DAYS> -in <RA CSR> -CA <CA CRT> -CAkey <CA PRIVATE KEY> -set_serial <SERIAL NO> -out <RA CRT> -extensions v3_req -extfile <PATH-TO-MODIFIED- openssl.cnf-FILE>
      For example: openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key -set_serial 02 -out ra.crt -extensions v3_req -extfile ./openssl.cnf
   4. openssl rsa -in <CA PRIVATE KEY> -text> <RA PRIVATE PEM>
      For example: openssl rsa -in ra_private.key -text > ra_private.pem
   5. openssl x509 -in <RA CRT> -out <RA CERT PEM>
      For example: openssl x509 -in ra.crt -out ra_cert.pem

6. Generate the SSL certificate (version 3) based on your domain/IP address:

   Info
   You must add your IP address/domain as the Common Name. Otherwise, provisioning will fail.

   1. Generate a RSA key.
      openssl genrsa -out <RSA_key>.key 4096
      For example:
      openssl genrsa -out ia.key 4096
   2. Generate a CSR file.
      openssl req -new -key <RSA_key>.key -out <CSR>.csr
      For example:
      openssl req -new -key ia.key -out ia.csr
      Enter your server IP address/domain name (e.g., 192.168.1.157) as the Common Name else provisioning will fail.
   3. Generate the SSL certificate
      openssl x509 -req -days 730 -in <CSR>.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial <serial number> -out ia.crt
      For example: 
      openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial 044324343 -out ia.crt

7. Export the SSL, CA and RA files as PKCS12 files with an alias.

   1. Export the SSL file as a PKCS12 file with an "wso2carbon" as the alias. 
      openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in ia.crt -CAfile ca_cert.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile ca_cert.pem -name "wso2carbon"

   2. Export the CA file as a PKCS12 file with an alias.
      openssl pkcs12 -export -out <CA>.p12 -inkey <CA private key>.pem -in <CA Cert>.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
      In the above example, cacert has been used as the CA alias. 
   3. Export the RA file as a PKCS12 file with an alias.
      openssl pkcs12 -export -out <RA>.p12 -inkey <RA private key>.pem -in <RA Cert>.pem -chain -CAfile <CA cert>.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile ca_cert.pem -name "racert"
      In the above example, racert has been used as the RA alias. 
8. Copy the three P12 extension files to the <EMM_HOME>/repository/resources/security directory.
9. Import the generated P12 extension files as follows:
   

   1. Import the generated <KEYSTORE>.p12 file into the wso2carbon.jks and client-truststore.jks in the <EMM_HOME>/repository/resources/security directory.
      keytool -importkeystore -srckeystore <KEYSTORE>.p12 -srcstoretype PKCS12 -destkeystore <wso2carbon.jks/client-truststore.jks>

      Info
      When prompted, enter the keystore password and keystore key password as wso2carbon. When prompted to replace an existing entry that has the same name as wso2carbon, enter yes. Example: Existing entry alias wso2carbon exists, overwrite? [no]

      For example:
      keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jks

   2. Import the generated <CA>.p12 and <RA>.p12 files into wso2certs.jks file, which is in the <EMM_HOME>/repository/resources/security directory.
      keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks 
      
      For example:
      keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks 
      Enter the keystore password as wso2carbon and the keystore key password as cacert.

      keytool -importkeystore -srckeystore ra.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks 
      Enter the keystore password as  wso2carbon  and the keystore key password as  racert .


      Info
      title Troubleshooting
      Excerpt Why does the following error occur: " keytool error: java.io.IOException: Invalid keystore format"? If you enter the wrong private key password when importing the <CA>.p12 or <RA>.p12 files, the wso2certs.jks file will get corrupted and the above error message will appear. In such a situation, delete the wso2certs.jks file and execute the following command to import the generated <CA>.p12 and <RA>.p12 files into the wso2certs.jks file again. keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks When the above command is executed, WSO2 EMM will automatically create a new wso2certs.jks file with the imported file.

10. The default EMM keystore details are defined under the <CertificateKeystore> XML element in the certificate-config.xml file, which is in the <EMM_HOME>/repository/conf directory. Therefore, if any of the following details are changed, it needs to be reflected in < CertificateKeystore>:

    • Certificate Keystore file location
    • Certificate Keystore type
    • Certificate Keystore password
    • Certificate authority certificate alias 
    • Certificate authority private key password
    • Registration authority certificate alias

    • Registration authority private key password 

    Example:

    Code Block

    <?xml version="1.0" encoding="ISO-8859-1"?> <CertificateConfigurations> <CertificateKeystore> <!-- Certificate Keystore file location--> <CertificateKeystoreLocation>${carbon.home}/repository/resources/security/wso2certs.jks</CertificateKeystoreLocation> <!-- Certificate Keystore type (JKS/PKCS12 etc.)--> <CertificateKeystoreType>JKS</CertificateKeystoreType> <!-- Certificate Keystore password--> <CertificateKeystorePassword>wso2carbon</CertificateKeystorePassword> <!-- Certificate authority certificate alias --> <CACertAlias>cacert</CACertAlias> <!-- Certificate authority private key password --> <CAPrivateKeyPassword>cacert</CAPrivateKeyPassword> <!-- Registration authority certificate alias --> <RACertAlias>racert</RACertAlias> <!-- Registration authority private key password --> <RAPrivateKeyPassword>racert</RAPrivateKeyPassword> </CertificateKeystore> </CertificateConfigurations>

After configuring the above obtain the signed CSR form and follow the proceeding step to complete the iOS server configurations.

Related links

• Generate an Apple Push Notification Service (APNS) certificate
• iOS Server Configurations
• iOS Platform Configurations
• Obtaining the signed CSR file