iPhone & certificate enrollment OTA via SCEP
Hello there,
We're looking at evaluating iPhones at my business, and a key part of this is working out how out an enterprise deployment would work, with devices numbering in the 1000s.
Apple are pushing hard to spruike the perceived ease which with iPhone profiles can be deployed with ease, and how certificate management overheads are reduced through the use of SCEP.
Well, I can say that I have just invested a lot of time and effort searching the web for any whitepapers or general documentation around how iPhones and SCEP integration might work, and I can safely say there is basically no practical documentation available (take note apple, a link to SCEP RFC does not count as a useful documentation!).
So, I have setup a standalone lab environment, and have Microsoft certificate services working on a Windows 2008 server (enterprise Root CA), with the Network Deployment Enrollment Services add-on configured... this is Microsoft's version of SCEP. I have deployed a new custom certificate template setup for client-auth, and I am succesfully getting challenge responses and thumbprints via the web-interface.
I then populate the thumbprint and the challenge into the iPhone configuration utility, but when I go to install the profile on my phone, it just tried to generate the key, then seems to bomb citing "Profile failed to install".
I'm not getting much more in the way of details or logs.
1) Has anyone had real world experience in setting iPhones and SCEP up?
2) Can anyone confirm which exact settings I'm supposed to populate in the SCEP section of the iPCU?
I have populated the following fields:
- (URL) http://[hostname]/certsrv/mscep_admin/mscep.dll
- (Name) [Name of the Root Cert]
- (Subject) [I have left this field blank?]
- (Challenge) [challege as provided by the SCEP web interface]
- (Key size) 2048 (matches the cert template)
- (Use as digital signature) is not checked
- (Use as key encipherment) is not checked
- (Fingerprint) [is populated from SCEP web interface]
What am I missing? Does apple have anything in the way of useful documentation in this space?
Regards, James.
We're looking at evaluating iPhones at my business, and a key part of this is working out how out an enterprise deployment would work, with devices numbering in the 1000s.
Apple are pushing hard to spruike the perceived ease which with iPhone profiles can be deployed with ease, and how certificate management overheads are reduced through the use of SCEP.
Well, I can say that I have just invested a lot of time and effort searching the web for any whitepapers or general documentation around how iPhones and SCEP integration might work, and I can safely say there is basically no practical documentation available (take note apple, a link to SCEP RFC does not count as a useful documentation!).
So, I have setup a standalone lab environment, and have Microsoft certificate services working on a Windows 2008 server (enterprise Root CA), with the Network Deployment Enrollment Services add-on configured... this is Microsoft's version of SCEP. I have deployed a new custom certificate template setup for client-auth, and I am succesfully getting challenge responses and thumbprints via the web-interface.
I then populate the thumbprint and the challenge into the iPhone configuration utility, but when I go to install the profile on my phone, it just tried to generate the key, then seems to bomb citing "Profile failed to install".
I'm not getting much more in the way of details or logs.
1) Has anyone had real world experience in setting iPhones and SCEP up?
2) Can anyone confirm which exact settings I'm supposed to populate in the SCEP section of the iPCU?
I have populated the following fields:
- (URL) http://[hostname]/certsrv/mscep_admin/mscep.dll
- (Name) [Name of the Root Cert]
- (Subject) [I have left this field blank?]
- (Challenge) [challege as provided by the SCEP web interface]
- (Key size) 2048 (matches the cert template)
- (Use as digital signature) is not checked
- (Use as key encipherment) is not checked
- (Fingerprint) [is populated from SCEP web interface]
What am I missing? Does apple have anything in the way of useful documentation in this space?
Regards, James.
3GS, Windows XP
