This section includes the details on how to generate the Certificate Authority (CA), Registration Authority (RA) and SSL certificate. For more information, check out the subsections given below:
Prerequisites
You have to be enrolled in the Apple Developer Program as an individual or organization before starting the configurations on the iOS server-side.
Download and install OpenSSL.
Configuring iOS server-side configurations
Follow the instructions below to configure the iOS server-side configurations:
Generate an Apple Push Notification Service (APNS) certificate. In the documentation you navigate to, follow the steps under the Configuring Push Notifications section to generate an APNS certificate.
Why is this step required?
In iOS, the server passes messages to the client via the Apple Push Notification Service (APNS). When doing so in order to establish a secure connection between the EMM and the APNS server, a client SSL certificate needs to be generated and downloaded from Apple Inc. This APNS certificate is used to send an awake message to the iOS agent application.
Create a new file named
openssl.cnfin a preferred location.Include the following configurations to the
openssl.cnffile, to generate version 3 certificates as shown below:[ v3_req ] # Extensions to add to a certificate request basicConstraints=CA:TRUE keyUsage = digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. basicConstraints = critical,CA:true # So we do this instead. #basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = digitalSignature, keyCertSign, cRLSign
In the location where you modified and saved the
openssl.cnffile, run the following commands to generate a self-signed Certificate Authority (CA) certificate (version 3) and convert the certificate to the.pemformat:openssl genrsa -out <CA PRIVATE KEY> 4096
For example:openssl genrsa -out ca_private.key 4096openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
For example:openssl req -new -key ca_private.key -out ca.csropenssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca -extfile <PATH-TO-THE-NEWLY-CREATED-openssl.cnf-FILE>
For example:openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca -extfile ./openssl.cnfopenssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
For example:openssl rsa -in ca_private.key -text > ca_private.pemopenssl x509 -in <CA CRT> -out <CA CERT PEM>
For example:openssl x509 -in ca.crt -out ca_cert.pem
In the same location, run the following commands to generate a Registration Authority (RA) certificate (version 3), sign it with the CA, and convert the certificate to the
.pemformat.openssl genrsa -out <RA PRIVATE KEY> 4096
For example:openssl genrsa -out ra_private.key 4096openssl req -new -key <RA PRIVATE KEY> -out <RA CSR>
For example:openssl req -new -key ra_private.key -out ra.csropenssl x509 -req -days <DAYS> -in <RA CSR> -CA <CA CRT> -CAkey <CA PRIVATE KEY> -set_serial <SERIAL NO> -out <RA CRT> -extensions v3_req -extfile <PATH-TO-THE-NEWLY-CREATED-openssl.cnf-FILE>
For example:openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key -set_serial 02 -out ra.crt -extensions v3_req -extfile ./openssl.cnfopenssl rsa -in <CA PRIVATE KEY> -text> <RA PRIVATE PEM>
For example:openssl rsa -in ra_private.key -text > ra_private.pemopenssl x509 -in <RA CRT> -out <RA CERT PEM>
For example:openssl x509 -in ra.crt -out ra_cert.pem
Generate the SSL certificate (version 3) based on your domain/IP address:
If you have already obtained an SSL certificate for your domain, you can skip this step and use that SSL certificate in step 7.
- Generate an RSA key.
openssl genrsa -out <RSA_key>.key 4096
For example:
openssl genrsa -out ia.key 4096 - Generate a CSR file.
openssl req -new -key <RSA_key>.key -out <CSR>.csr
For example:
openssl req -new -key ia.key -out ia.csr
Enter your server IP address/domain name (e.g., 192.168.1.157) as the Common Name else provisioning will fail. - Generate the SSL certificate
openssl x509 -req -days 730 -in <CSR>.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial <serial number> -out ia.crt
For example:
openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial 044324343 -out ia.crt
- Generate an RSA key.
Export the SSL, CA and RA files as PKCS12 files with an alias.
Export the SSL file as a PKCS12 file with an "
wso2carbon" as the alias.If you are using intermediate certifications, make sure to create a single certificate file that includes all these certificates by archiving them using the
cat <CERTIFCATE 1> <CERTIFICATE 2> ... >> <CERTIFICATE CHAIN>command. Use the generated certificate chain for the proceeding step.openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in ia.crt -CAfile ca_cert.pem -name "<alias>"
For example:
openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile ca_cert.pem -name "wso2carbon"- Export the CA file as a PKCS12 file with an alias.
openssl pkcs12 -export -out <CA>.p12 -inkey <CA private key>.pem -in <CA Cert>.pem -name "<alias>"
For example:
openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
In the above example,cacerthas been used as the CA alias. - Export the RA file as a PKCS12 file with an alias.
openssl pkcs12 -export -out <RA>.p12 -inkey <RA private key>.pem -in <RA Cert>.pem -chain -CAfile <CA cert>.pem -name "<alias>"
For example:
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile ca_cert.pem -name "racert"
In the above example,racerthas been used as the RA alias.
Why is this step required?
A PKCS12 file is used to store many cryptography objects as a single file. The certificates and their private keys that were generated using the above commands are stored in a PKCS12 file so that it can be imported to the respective KeyStores as shown in step 9.
Copy the three P12 extension files to the
<EMM_HOME>/repository/resources/securitydirectory.Why is this step required?
The
<EMM_HOME>/repository/resources/securitydirectory is where the WSO2 EMM KeyStores are stored.
Example for KeyStores:wso2carbon.jks,client-truststore.jksandwso2certs.jks.- Import the generated P12 extension files as follows:
Import the generated
<KEYSTORE>.p12file into thewso2carbon.jksandclient-truststore.jksin the<EMM_HOME>/repository/resources/securitydirectory.
keytool -importkeystore -srckeystore <KEYSTORE>.p12 -srcstoretype PKCS12 -destkeystore <wso2carbon.jks/client-truststore.jks>For example:
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jksImport the generated
<CA>.p12and<RA>.p12files into thewso2certs.jksfile, which is in the<EMM_HOME>/repository/resources/securitydirectory.
keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks
For example:
keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks
Enter the keystore password aswso2carbonand the keystore key password ascacert.keytool -importkeystore -srckeystore ra.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks
Enter the keystore password aswso2carbonand the keystore key password asracert
Troubleshooting
Why does the following error occur:
"keytool error: java.io.IOException: Invalid keystore format"?If you enter the wrong private key password when importing the
<CA>.p12or<RA>.p12files, thewso2certs.jksfile will get corrupted and the above error message will appear.In such a situation, delete the
wso2certs.jksfile and execute the following command to import the generated<CA>.p12and<RA>.p12files into thewso2certs.jksfile again.
keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks
When the above command is executed, WSO2 EMM will automatically create a newwso2certs.jksfile with the imported file.
The default EMM keystore details are defined under the
<CertificateKeystore>XML element in thecertificate-config.xmlfile, which is in the<EMM_HOME>/repository/confdirectory. Therefore, if any of the following details are changed, it needs to be reflected in<CertificateKeystore>:- Certificate Keystore file location
- Certificate Keystore type
- Certificate Keystore password
- Certificate authority certificate alias
- Certificate authority private key password
- Registration authority certificate alias
Registration authority private key password
Example:
<?xml version="1.0" encoding="ISO-8859-1"?> <CertificateConfigurations> <CertificateKeystore> <!-- Certificate Keystore file location--> <CertificateKeystoreLocation>${carbon.home}/repository/resources/security/wso2certs.jks</CertificateKeystoreLocation> <!-- Certificate Keystore type (JKS/PKCS12 etc.)--> <CertificateKeystoreType>JKS</CertificateKeystoreType> <!-- Certificate Keystore password--> <CertificateKeystorePassword>wso2carbon</CertificateKeystorePassword> <!-- Certificate authority certificate alias --> <CACertAlias>cacert</CACertAlias> <!-- Certificate authority private key password --> <CAPrivateKeyPassword>cacert</CAPrivateKeyPassword> <!-- Registration authority certificate alias --> <RACertAlias>racert</RACertAlias> <!-- Registration authority private key password --> <RAPrivateKeyPassword>racert</RAPrivateKeyPassword> </CertificateKeystore> </CertificateConfigurations>
What's next
Follow the proceeding step to complete the iOS server configurations.