Skip navigation

Exporting a user certificate as NSData blob in Windows, for .mobileconfig

3032 Views 4 Replies Latest reply: Jul 6, 2011 10:02 AM by Bartzy~ RSS
Mr. Schmidt Calculating status...
Currently Being Moderated
Mar 12, 2011 9:37 AM
How do I export/convert a user certificate, either from CurrentUser My (Personal) store or from a PFX, into NSData blob format?
It is the format the Apple "documentation" states are the syntax for the Exchange Payload IdentityData.

I'm trying to completely automate the creation of .mobileconfig configuration profiles.

I got it all down, except adding the user certificate to the Exchange ActiveSync payload. I simple don't know how to get a usercertificate, either from my CurrentUser My (Personal) store, or from a PFX.

I'm not using iPCU Scripting but PowerShell, basically because it doesn't really work (from what I've tried, I'll explain later) and because I don't know C#.

I've generated a base .mobileconfig, in which I have replaced all the parts that needs to be changed or needs to be unique, with @KeyWords@ that can easily be searched and replaced. Simple stuff.

That mobileconfig I currently have to open in iPCU and manually add the usercertificate from my personal store and then export the profile. Annoying stuff.

You can view my PowerShell code here:

The reason I don't use iPCU are:

The automation part should be run on a server. I don't want iPCU installed on my servers.

From trying with iPCU (on a client) I've found that it doesn't really work, at least not to fully automate the process.

I don't know C#, except that I can read the code and more or less figure out what it does and do some minor changes. Using the example provided by Apple and a bit of information gleaned on these forums, I made this:

However, it ofcourse requires iPCU, which I don't want installed on my Terminal Server, and as I've noted in the comments of the C# samle, it doesn't work. Fails at exporting, as noted in the comments.
n/a, Other OS, n/a
  • Alginald99 Calculating status...

    Hi Mr. Schmidt,


    Took me almost a year to work out, but....


    The certificate format in the mobileconfig is a standard pfx, encoded in base64... If you've got the PFX file, you need to encode it in base64, strip the first and last lines of the file (depending on which tool you use for the conversion), and add it into the .mobileconfig file.. If you're using powershell anyway, you can use the following lines, assuming that the pfx is called alginald.pfx, and you will be outputting to alginald.mobileconfig...


    certutil -encode alginald.pfx alginald.enc

    $content = gc alginald.enc

    $new-content=$content[(1..($content.length - 2)]

    add-content alginald.mobileconfig -value $newcontent -encoding UTF8


    Note that when adding content to the file with the add-content command, you should always specify -encoding UTF8 at the end


    (I wasted months on tracking this down, because the certificate data exported by the iPCU was a little bit different than the same certificate encoded or format changed with openssl or certutil. I finally bit the bullet, and just tried it, and it worked a dream)


    Virtual beers appreciated...



  • mories Calculating status...

    Hi All,


    I tried to combine both of the above. I would like to create a powershell script which send out an email to a user containing our WIFI configuration.  It should include WIFI settings, a Root certifcate and an User certificate.


    So I created a template mobileconfig, with these settings and my own personal certificate with the iPhone Config Util.


    Then I use powershell to replace the user Cert data using the code of Alginald99. So far so good.


    When I run the PS script I get an email containing the mobileconfig. When I try to install it, the iPhone says that the profile can't be installed because the password for the certifcate (null) is not okay.


    In my template config I only change the User's display name and the certificate data.

    I export the PFX from Active Directory, If I import the PFX manually it works ok with the password as expected.


    I hope someone can help me out on this one.

  • Alginald99 Level 1 Level 1 (15 points)

    Has your certificate got a subject? I had this problem when the certificate subject was empty, even though we were filling the Subject Alternate Name field correctly as per RFC.

  • Bartzy~ Calculating status...



    I tried following your steps without success:

    1. Get the PFX file

    2. base64 encode it

    3. The string that I get is nothing like the string that iPCU outputs as the .mobileconfig file.



    If you can, please answer here or in here (I opened a topic for my issue):

    An email would also be great: bar at jungo dot com


    Thanks a lot!



More Like This

  • Retrieving data ...

Bookmarked By (0)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.