Profiles installed by MDM service are showing as "Not Verified" after upgrading the device to iOS 6

Question

Profiles installed by MDM service are showing as "Not Verified" after upgrading the device to iOS 6. These profiles were signed by a InCommon cert issued by AddTrust before being pushed to the devices. They were showing as "Verified" before the upgrade. Any ideas what might have caused this?

score 3 · Answer 1 · answered Sep 24 '12 at 13:14

3

I got exactly the same problem so it is probably a bug in the iOS profile system because the very same SSL certificate is trusted by the browser. Note: Our certificate is of the "*.host.org" type.

answered Sep 24 '12 at 13:14

user1694502

41
2

Exactly. I submitted a request with Apple, but haven't heard anything back. – Yue Lu Sep 28 '12 at 18:12

score 2 · Answer 2 · answered Sep 21 '12 at 18:24

This might be an untrusted CA in the certificate chain from the cert provider you bought it from. Looks like some CAs are untrusted or missing from iOS6. I had the same problem and included the whole of the cert chain in our cert signing bundle and the issue was resolved. Suggest you open a support case with your cert provider to see if it's a known issue or dig around to see if you can find a list of trusted CAs used in iOS6 - I couldn't find one. Synching the device to iTunes may also refresh the CA list but this didn't work for me this time.

chpeuh · Answer 3 · 2012-09-27T13:39:35.057

I have exactly the same problem as your. My chain is GeoTrust -> RapidSSL -> MyCert. I have included the full chain in my .crt, but it stills show "not verified" when I try to install the configuration profil.

I don't know how to insert the whole path.

I use an openssl command to sign my file :

openssl smime -sign -signer #{crt_path} -inkey #{private_key_path} -nodetach -outform der -in #{file_to_sign_path} -out #{file_signed_path}

My crt_path is a .crt file, including the three certs.

EDIT I found out the problem with my openssl command. My full chain was in the #{crt_path} but was not used by the command. I added the *-certfile #{crt_path}* and things works well !

score 2 · Answer 4 · answered Sep 28 '12 at 18:09

2

Including the intermediate cert in the pkcs7_sign call (php openssl_pkcs7_sign() in my case) revolved the problem.

answered Sep 28 '12 at 18:09

Yue Lu

85
1
8

user1694502 · Answer 5 · 2012-09-27T10:03:48.550

1

Yes! Adding the entire path (-root) did the trick.

Verify that the signature created by the MDM SW actually contains the path. Since it wasn't needed before...

edited Sep 27 '12 at 10:03

answered Sep 24 '12 at 19:42

user1694502

41
2

Profiles installed by MDM service are showing as "Not Verified" after upgrading the device to iOS 6

5 Answers5