
Exporting a user certificate as NSData blob in Windows, for .mobileconfig

How do I export/convert a user certificate, either from CurrentUser My (Personal) store or from a PFX, into NSData blob format?
It is the format the Apple "documentation" states is the syntax for the Exchange Payload IdentityData.


I'm trying to completely automate the creation of .mobileconfig configuration profiles.

I got it all down, except adding the user certificate to the Exchange ActiveSync payload. I simply don't know how to get a user certificate, either from my CurrentUser My (Personal) store, or from a PFX.

I'm not using iPCU Scripting but PowerShell, basically because it doesn't really work (from what I've tried, I'll explain later) and because I don't know C#.

I've generated a base .mobileconfig, in which I have replaced all the parts that need to be changed or need to be unique, with @KeyWords@ that can easily be searched and replaced. Simple stuff.

That mobileconfig I currently have to open in iPCU and manually add the user certificate from my personal store and then export the profile. Annoying stuff.

You can view my PowerShell code here:
http://pastebin.com/a7hGCix6




The reasons I don't use iPCU are:

The automation part should be run on a server. I don't want iPCU installed on my servers.

From trying with iPCU (on a client) I've found that it doesn't really work, at least not to fully automate the process.

I don't know C#, except that I can read the code and more or less figure out what it does and do some minor changes. Using the example provided by Apple and a bit of information gleaned on these forums, I made this:
http://pastebin.com/fkZMncyB

However, it of course requires iPCU, which I don't want installed on my Terminal Server, and as I've noted in the comments of the C# sample, it doesn't work. Fails at exporting, as noted in the comments.

Posted on Mar 12, 2011 9:37 AM


Apr 27, 2011 2:49 AM in response to Mr. Schmidt

Hi Mr. Schmidt,


Took me almost a year to work out, but....


The certificate format in the mobileconfig is a standard pfx, encoded in base64... If you've got the PFX file, you need to encode it in base64, strip the first and last lines of the file (depending on which tool you use for the conversion), and add it into the .mobileconfig file.. If you're using powershell anyway, you can use the following lines, assuming that the pfx is called alginald.pfx, and you will be outputting to alginald.mobileconfig...


certutil -encode alginald.pfx alginald.enc

$content = gc alginald.enc

$newcontent = $content[1..($content.Length - 2)]  # drop the BEGIN/END CERTIFICATE lines that certutil adds

add-content alginald.mobileconfig -value $newcontent -encoding UTF8


Note that when adding content to the file with the add-content command, you should always specify -encoding UTF8 at the end


(I wasted months on tracking this down, because the certificate data exported by the iPCU was a little bit different than the same certificate encoded or format changed with openssl or certutil. I finally bit the bullet, and just tried it, and it worked a dream)


Virtual beers appreciated...


Alginald
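
The approach described in the reply above (the raw PFX, base64-encoded, placed in the profile), as an added example that is not part of the original posts: it encodes the PFX bytes directly instead of trimming certutil output, and first checks that the PFX opens with the supplied password and contains a private key. The template file name and the `@CertificateData@` token are assumptions, standing in for the @KeyWords@ placeholders mentioned in the question.

```powershell
# Added example. File names and the @CertificateData@ token are assumptions.
param(
    [string]$PfxPath      = '.\alginald.pfx',
    [string]$TemplatePath = '.\template.mobileconfig',
    [string]$OutPath      = '.\alginald.mobileconfig',
    [string]$Token        = '@CertificateData@'
)

$ErrorActionPreference = 'Stop'

# Ask for the PFX password at run time instead of storing it in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Check before embedding: the file must open with this password and
# must carry a private key, otherwise it is not a usable identity.
$pfxFull = (Resolve-Path $PfxPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxFull, $password)
if (-not $cert.HasPrivateKey) { throw "No private key in $PfxPath" }
Write-Host "Embedding $($cert.Subject), valid until $($cert.NotAfter)"
$cert.Reset()

# Base64 of the raw PFX bytes, wrapped at 76 characters per line.
# No BEGIN/END lines are produced, so nothing has to be stripped.
$bytes = [System.IO.File]::ReadAllBytes($pfxFull)
$b64   = [System.Convert]::ToBase64String(
             $bytes, [System.Base64FormattingOptions]::InsertLineBreaks)

# Substitute the token in the template; fail if the token is missing
# so an unmodified template is never written out as a finished profile.
$template = [System.IO.File]::ReadAllText((Resolve-Path $TemplatePath).Path)
if (-not $template.Contains($Token)) { throw "Token $Token not found in $TemplatePath" }
$output = $template.Replace($Token, $b64)

# Write the profile as UTF-8 (no byte-order mark).
$outFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)
$utf8    = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($outFull, $output, $utf8)
```

The resulting profile contains the private key, protected only by the PFX password, so the file should be handled and delivered like any other credential.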

Jun 20, 2011 2:27 AM in response to Alginald99

Hi All,


I tried to combine both of the above. I would like to create a powershell script which sends out an email to a user containing our WIFI configuration. It should include WIFI settings, a Root certificate and a User certificate.


So I created a template mobileconfig, with these settings and my own personal certificate with the iPhone Config Util.


Then I use powershell to replace the user Cert data using the code of Alginald99. So far so good.


When I run the PS script I get an email containing the mobileconfig. When I try to install it, the iPhone says that the profile can't be installed because the password for the certificate (null) is not okay.


In my template config I only change the User's display name and the certificate data.

I export the PFX from Active Directory. If I import the PFX manually it works ok with the password as expected.


I hope someone can help me out on this one.

Jul 6, 2011 10:02 AM in response to Alginald99

Alginald99,


I tried following your steps without success:

1. Get the PFX file

2. base64 encode it

3. The string that I get is nothing like the string that iPCU outputs as the .mobileconfig file.



If you can, please answer here or in here (I opened a topic for my issue): https://discussions.apple.com/thread/3159678

An email would also be great: bar at jungo dot com


Thanks a lot!

Bar.
